The httpinvoker way of remoting uses a http client, by default it wil use a plain HttpURLConnection
from the JDK. Which way of connecting is used is determined by the imlementation of HttpInvokerRequestExecutor
which by default is the SimpleHttpInvokerRequestExecutor
.
Now you could switch to use one of the other implementations which use Apache Commons HttpClient under the hood. You could then use BASIC authentication (or digest) to pass the username/password to the service layer (instead of the Authentication
object.
Spring Security already supplies this custom implementation for you, so basically the only thing you need to do (client side) is to reconfigure your HttpInvokerProxyFactoryBean
.
<bean id="yourServiceProxy" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
<property name="httpInvokerRequestExecutor" ref="requestExecutor" />
</bean>
<bean id="requestExecutor" class="org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor"/>
See also the javadoc and the Spring Security Reference Guide. This class can be found in the spring-security-remoting
dependency. Next to this dependency you need to configure your business layer to use basic authentication.