
  • Acegi only for Authorization

    I have a situation where I am required to use ACEGI only for Authorization. X509s are used for Authentication on Oracle Application Server. After authentication, the server populates the HTTP headers with the details of the principal. I have to grab that principal and pass it on to another API which will return me a list of roles (GrantedAuthorities) for the given principal. I want to use the HttpRequestIntegrationFilter because it grabs the Principal from the request using the request.getUserPrincipal() method. But I saw the source code of HttpRequestIntegrationFilter and I found this line in the doFilter() method.

    if ((principal != null) && principal instanceof Authentication) {
        SecurityContextHolder.getContext().setAuthentication((Authentication) principal);

    Does this mean that the principal must be an instance of Authentication?
    Am I using the correct filter? I looked at HttpSessionContextIntegrationFilter and I don't think I can use it.


  • #2
    HttpRequestIntegrationFilter is meant for use with a container adapter.

    If the X.509 certificate is available from the container, you may be able to use Acegi's X509 authentication integration. Otherwise, if you really need to use the OAS container security, you would have to write a container adapter for OAS.


    • #3
      Ah, I was just reading about Container Adapters. I was hoping that I wouldn't need to code one on my own. I was disappointed to learn that there are no prewritten adapters for OAS.


      • #4
        I saw in one of the posts that Ben is discouraging the use of container adapters.

        Is there no other way of creating Authentication objects by using the contents of the HTTP Request? I have the user name already populated in the REMOTE_USER by OAS.

        If I don't want to write adapters and if the X509 is not available from the container, am I pretty much in the dark?
        Last edited by GMur; Jun 19th, 2006, 04:28 PM.
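
For the REMOTE_USER case raised in post #4, one way to fill the security context without a container adapter, as an added example that is not part of the original thread or of Acegi itself. The class name, the RoleLookup interface and its setter are hypothetical; it assumes Acegi 1.0's org.acegisecurity classes, a filter position after HttpSessionContextIntegrationFilter, and that the application is reachable only through OAS so a client cannot supply REMOTE_USER itself.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/** Hypothetical filter: trusts the container's REMOTE_USER and only adds authorities. */
public class RemoteUserAuthorizationFilter implements Filter {

    /** Hypothetical stand-in for the external API that maps a principal to role names. */
    public interface RoleLookup {
        String[] rolesFor(String username);
    }

    private RoleLookup roleLookup; // assumed to be injected as a bean property

    public void setRoleLookup(RoleLookup roleLookup) { this.roleLookup = roleLookup; }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String user = ((HttpServletRequest) req).getRemoteUser();
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        if (user == null || user.trim().length() == 0) {
            // Container authenticated nobody: never keep a stale identity from the session.
            SecurityContextHolder.getContext().setAuthentication(null);
        } else if (current == null || !user.equals(current.getName())) {
            // New or changed principal: rebuild the authorities from the role lookup.
            String[] roles = roleLookup.rolesFor(user);
            GrantedAuthority[] granted = new GrantedAuthority[roles == null ? 0 : roles.length];
            for (int i = 0; i < granted.length; i++) {
                granted[i] = new GrantedAuthorityImpl(roles[i]);
            }
            // The three-argument constructor creates an already-authenticated token;
            // the credentials value is a placeholder because OAS did the authentication.
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(user, "N/A", granted));
        }
        chain.doFilter(req, res);
    }
}
```

A user with no roles still gets an authenticated token with an empty authority array, so access decisions further down the chain deny by role rather than by missing identity.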


        • #5
          It looks like OAS can populate the request with a object. Can ACEGI extract the details from this object to populate the Authentication object?


          • #6
            Ok, I looked at the source code of org.acegisecurity.ui.x509.X509ProcessingFilter and it does look like the extractClientCertificate(HttpServletRequest) does a request.getAttribute("javax.servlet.request.X509Certificate") which is exactly what I want.


            • #7
              How does the 'j_acegi_security_check' action work with a database?