Hello,
We are designing an application that utilizes a thick client that communicates with a service tier via Spring Remoting. I have a requirement where I need to authenticate a user the first time he/she logs into the client. I use Spring Security to set up an authentication provider via LDAP.
Code:
<ldap-server root="dc=springframework,dc=org"/>
<ldap-authentication-provider user-dn-pattern="uid={0},ou=people" />

<authentication-manager alias="authenticationManager" />
My strategy was to create an authentication service that has the authentication manager injected into it where I do the authentication and then try to put it into the security context:

Code:
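// Authenticate the submitted credentials against the LDAP-backed provider
Authentication auth = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userid, password));
// Store the result in the context held for the current thread
SecurityContext sc = SecurityContextHolder.getContext();
sc.setAuthentication(auth);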
I have read forums and documentation. Am I correct in assuming that the security context is maintained and instantiated by the container? I am not using any kind of filtering in my web.xml because I don't want every request authenticated, just the first time and then maintain it for the entire session. How do I maintain the security context when I am using Spring Remoting? I would appreciate some input on my strategy.

Thanks folks,
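
An added illustration, not part of the original post and not Spring code: SecurityContextHolder keeps the context in a thread-local by default, so a value set during one remote call is tied to the worker thread that served it rather than to the client's session. The plain-Java sketch below shows what the strategy in the post does on pooled threads, next to a per-call bind-and-clear alternative. `HOLDER`, `SESSIONS`, the session id `session-1` and the user `alice` are hypothetical stand-ins constructed for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundContextDemo {
    // Stand-in for SecurityContextHolder's default strategy: one slot per thread.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    // Stand-in for server-side session storage, keyed by a constructed session id.
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    // The strategy from the post: authenticate once and leave the result in the holder.
    static String loginOnly(String user) { HOLDER.set(user); return user; }

    // A later remote call that trusts whatever the current thread's holder contains.
    static String whoAmIUnbound() { return HOLDER.get(); }

    // Alternative: keep the authentication per session instead of per thread.
    static String login(String sessionId, String user) {
        SESSIONS.put(sessionId, user);
        return sessionId;
    }

    // Bind the session's authentication for one call only, then always clear the thread.
    static String whoAmI(String sessionId) {
        HOLDER.set(SESSIONS.get(sessionId));
        try { return HOLDER.get(); } finally { HOLDER.remove(); }
    }

    public static void main(String[] args) throws Exception {
        // Two single-thread executors model two worker threads of a server pool.
        ExecutorService workerA = Executors.newSingleThreadExecutor();
        ExecutorService workerB = Executors.newSingleThreadExecutor();
        try {
            workerA.submit(() -> loginOnly("alice")).get();
            // The same client's next call is served by a thread whose holder was never set.
            System.out.println("alice on worker B: " + workerB.submit(() -> whoAmIUnbound()).get());
            // An unauthenticated client is served by the thread that still holds alice's value.
            System.out.println("stranger on worker A: " + workerA.submit(() -> whoAmIUnbound()).get());

            // Session-keyed storage works on any worker and leaves nothing behind on it.
            String sid = login("session-1", "alice");
            System.out.println("alice via session on worker B: " + workerB.submit(() -> whoAmI(sid)).get());
            System.out.println("stranger on worker B afterwards: " + workerB.submit(() -> whoAmIUnbound()).get());
        } finally {
            workerA.shutdown();
            workerB.shutdown();
        }
    }
}
```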