HttpInvoker and Authorization

  • HttpInvoker and Authorization

    Hello, I need some guidelines on how to use authorization with Spring's HttpInvoker.
    I have configured in my web.xml the HTTP BASIC Authorization Filter and the Acegi Security System for Spring Auto Integration Filter. In my application context, I have put a MethodSecurityInterceptor and an AutoProxyCreator that refers to my business bean using the security interceptor.
    The bean is then exported using httpInvoker, and when a remote client tries to use it, the following error appears:

    [java]net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext

    The client uses Jakarta Commons HttpClient (CommonsHttpInvokerRequestExecutor). How can I change my client code so it can pass the credentials and other security info as needed?


  • #2

    In the client, I use the org.acegisecurity.context.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor
    instead of the CommonsHttpInvokerRequestExecutor. This searches for the credentials in the client's Security Context (you have to put an Authorization object there at some point) and adds the authentication information to the HTTP request. The AuthenticationSimpleHttpInvokerRequestExecutor extends Spring's SimpleHttpInvokerRequestExecutor; therefore, you lose some of the advanced functionality provided by Commons HTTP Client.

    Acegi does not provide a class to add authentication to commons HTTP client. If you learn how to do so, please let me know.


    • #3
      The extension to CommonsHttpInvokerRequestExecutor to include credentials taken from SecurityContext is actually very simple:

      public class AuthenticatedCommonsHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
      	protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
      		super.setRequestBody(config, postMethod, baos);
      		// Credentials come from the caller's Acegi SecurityContext.
      		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
      		if (auth != null && auth.getCredentials() != null) {
      			// The principal's name is the username; the credentials object holds the password.
      			String username = auth.getName();
      			String password = auth.getCredentials().toString();
      			Credentials credentials = new UsernamePasswordCredentials(username, password);
      			// AuthScope.ANY offers these credentials to any host and realm that challenges this HttpClient.
      			getHttpClient().getState().setCredentials(AuthScope.ANY, credentials);
      		}
      	}
      }
      This works for commons HttpClient 3.0.
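
An added example, not code from any poster in this thread or from the Acegi or Spring projects: a variant of the executor above that attaches the BASIC header to each request instead of storing credentials in the shared HttpClient state under AuthScope.ANY, so concurrent callers with different identities do not overwrite each other and the credentials are not offered to other hosts. The class name and the requireHttps property are hypothetical; it assumes Acegi 1.0 package names (org.acegisecurity), Commons HttpClient 3.0 and commons-codec on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.httpclient.methods.PostMethod;
import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;

// Hypothetical class: sends HTTP BASIC credentials per request, taken from
// the calling thread's Acegi SecurityContext.
public class PerRequestBasicAuthHttpInvokerRequestExecutor
        extends CommonsHttpInvokerRequestExecutor {

    // BASIC is only base64-encoded, so refuse plain HTTP unless explicitly allowed.
    private boolean requireHttps = true;

    public void setRequireHttps(boolean requireHttps) {
        this.requireHttps = requireHttps;
    }

    protected void setRequestBody(HttpInvokerClientConfiguration config,
            PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
        super.setRequestBody(config, postMethod, baos);

        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth.getName() == null || auth.getCredentials() == null) {
            return; // no identity on this thread: send unauthenticated, server decides
        }
        if (requireHttps && !config.getServiceUrl().toLowerCase().startsWith("https://")) {
            throw new IOException("Refusing to send BASIC credentials to a non-HTTPS service URL");
        }

        // RFC 2617: "Basic " + base64(username ":" password)
        String pair = auth.getName() + ":" + auth.getCredentials().toString();
        String token = new String(Base64.encodeBase64(pair.getBytes("UTF-8")), "US-ASCII");

        // The header lives on this PostMethod only; nothing is written to the
        // HttpState shared by every request that goes through this HttpClient.
        postMethod.setRequestHeader("Authorization", "Basic " + token);
    }
}
```

Wire it into the HttpInvokerProxyFactoryBean through its httpInvokerRequestExecutor property, in place of CommonsHttpInvokerRequestExecutor.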