Sep 3rd, 2009, 01:38 PM
SecurityContext Question - Standalone security module
I'm in the process of developing a central security application using Spring Security.
It will be exposing an authentication entry point through a remote EJB interface for other applications to access.
My question is related to the SecurityContext. During successful authentication, at what point in time is the UsernamePasswordToken placed into the SecurityContext? I'm currently using the DaoAuthenticationProvider.
Looking through the docs, API, and some source code, it appears that for webapps the AbstractProcessingFilter calls the authenticate method, and once a successful Authentication object is returned it sets it on the SecurityContext and in the HttpSession.
In my scenario I will have multiple users accessing services by passing in a "token string". It seems that maybe instead of using the SecurityContext that I should create a Map<String, Authentication> where the key = the token being passed by the remote calls.
In this case when a user calls the authenticate service, on success it will set the Authentication object in my Map associated to the token string.
If my map is placed in a static singleton it would be available throughout my module. I'm not sure if this is the best way to go or not, but looking for suggestions.
Any ideas or suggestions from the spring security experts? I don't want to work against the framework...
Maybe another idea is to create an interceptor for my EJBs that takes the token and places the Authentication in the SecurityContext at that time. If this is the case, what mode strategy should be utilized?
Last edited by pkrasko; Sep 3rd, 2009 at 01:41 PM.
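
The two ideas in the post (a token-to-Authentication map and an EJB interceptor) combined, as an added example that is not part of the original thread or of Spring Security itself. It assumes Spring Security 3 or later package names (in 2.x the same classes live under `org.springframework.security` and `org.springframework.security.context`), Java 8, the default thread-local `SecurityContextHolder` strategy, and that the token is the first argument of each secured method; `TokenAuthInterceptor`, `TokenStore`, `Entry` and `TTL_MILLIS` are hypothetical names.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical names: TokenAuthInterceptor, TokenStore, Entry, TTL_MILLIS.
public class TokenAuthInterceptor {
    /** Token -> Authentication map with expiry, shared by the whole module. */
    static final class TokenStore {
        private static final long TTL_MILLIS = 15 * 60 * 1000L; // assumed token lifetime
        private static final SecureRandom RNG = new SecureRandom();
        private static final Map<String, Entry> ENTRIES = new ConcurrentHashMap<>();
        private static final class Entry {
            final Authentication auth; final long expiresAt;
            Entry(Authentication a, long t) { auth = a; expiresAt = t; }
        }
        /** Call once AuthenticationManager.authenticate() has succeeded. */
        static String issue(Authentication auth) {
            String token = new BigInteger(256, RNG).toString(32); // 256 random bits, not guessable
            ENTRIES.put(token, new Entry(auth, System.currentTimeMillis() + TTL_MILLIS));
            return token;
        }
        static Authentication resolve(String token) {
            if (token == null) return null; // ConcurrentHashMap rejects null keys
            Entry e = ENTRIES.get(token);
            if (e == null || e.expiresAt < System.currentTimeMillis()) { ENTRIES.remove(token); return null; }
            return e.auth;
        }
    }

    @AroundInvoke
    public Object bindSecurityContext(InvocationContext ctx) throws Exception {
        // Assumption: every secured business method takes the token as its first argument.
        Object[] args = ctx.getParameters();
        Object first = (args != null && args.length > 0) ? args[0] : null;
        Authentication auth = TokenStore.resolve(first instanceof String ? (String) first : null);
        if (auth == null) throw new SecurityException("Unknown or expired token");
        try {
            SecurityContextHolder.getContext().setAuthentication(auth);
            return ctx.proceed();
        } finally {
            // Container threads are pooled: never leave one caller's identity on the thread.
            SecurityContextHolder.clearContext();
        }
    }
}
```

The authenticate method itself has no token yet, so it must be left out of the interceptor binding. Tokens that are never presented again stay in the map until something removes them, so a periodic sweep of expired entries is still needed.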