  • Can we skip Authentication?

    I have a user-resource mapping in my database and I want to allow a user based on the mapping without authenticating that user. How can we achieve this using Acegi?

  • #2
    Can you explain what you're trying to do in a little more detail? It's hard to understand what you're getting at. If you don't want to secure a resource, don't.


    • #3
      One part of my application already does the job of authentication and returns me the name of the valid user, so can we use Acegi just for authorization?


      • #4
        Originally posted by Kavita:
        One part of my application already does the job of authentication and returns me the name of the valid user, so can we use Acegi just for authorization?
        Yes you could, it should be quite easy. If you check this forum, I'm sure there are already examples of this.

        You can (and many users do) write their own filters or MVC controllers to provide interoperability with authentication systems that are not based on Acegi Security. For example, you might be using Container Managed Authentication which makes the current user available from a ThreadLocal or JNDI location. Or you might work for a company that has a legacy proprietary authentication system, which is a corporate "standard" over which you have little control. In such situations it's quite easy to get Acegi Security to work, and still provide authorization capabilities. All you need to do is write a filter (or equivalent) that reads the third-party user information from a location, build an Acegi Security-specific Authentication object, and put it onto the SecurityContextHolder. It's quite easy to do this, and a fully-supported integration approach.


        • #5
          Bypassing authentication

          Hi karldmoore,
          I am also in the same situation and have referred to many posts related to it, but I am not really getting what exactly is to be done.
          Where exactly do I have to write the code which will put the authentication object in SecurityContextHolder?
          Please explain it further if you can.



          • #6
            skip Authentication

            Originally posted by Kavita:
            One part of my application already does the job of authentication and returns me the name of the valid user, so can we use Acegi just for authorization?
            Can you post the exact thread?


            • #7
              If you have a look at the Acegi code and follow it through from AuthenticationProcessingFilter, it should be quite easy to understand what's going on. The code below brings together snippets of what should be required.

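              User user = null; // this would have to be created from your legacy data
              Object principalToReturn = user;
              // forcePrincipalAsString is a boolean flag, as in Acegi's AbstractUserDetailsAuthenticationProvider
              if (forcePrincipalAsString) {
                  principalToReturn = user.getUsername();
              }
              // the three-argument constructor produces a token that is already marked as authenticated
              UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                      principalToReturn, "thisIsThePassword", user.getAuthorities());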
              BTW, for your reference, AbstractProcessingFilter sets the authentication context when using Acegi properly.


              • #8
                Although that answered your question, I'm having second thoughts. If you were trying to integrate a legacy security framework, I wouldn't actually implement it like that. It all depends really on how much of the existing framework you can touch and what hooks you have into it.

                If all you want to do is set the Acegi context, then the previous example would do it for you. Personally I would try and look at leveraging as much of Acegi as possible whilst maintaining the Authentication piece. I would look at the example that ships with Acegi and use that as a base. I would then update my authentication class to implement AuthenticationProvider. This can plug straight into the example and I'm sure would cut down on lots of hard work.
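
A servlet filter for the approach discussed in this thread, as an added example that is not part of the original posts or of Acegi itself: it takes the user the container has already authenticated, loads that user's authorities, and sets and clears the SecurityContextHolder on every request. The class name ExternalAuthenticationFilter, the injected UserDetailsService and the "N/A" credentials placeholder are assumptions, as is the absence of HttpSessionContextIntegrationFilter managing the context.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;

// Hypothetical class name; register it ahead of the Acegi authorization filters.
public class ExternalAuthenticationFilter implements Filter {
    // Assumed to be backed by the application's own user-resource mapping.
    private UserDetailsService userDetailsService;

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Trust only the identity the container established, never a request parameter or header.
        Principal external = ((HttpServletRequest) req).getUserPrincipal();
        try {
            if (external != null) {
                // An unmapped user raises UsernameNotFoundException: the request fails with no context set.
                UserDetails user = userDetailsService.loadUserByUsername(external.getName());
                // The three-argument constructor marks the token as already authenticated.
                UsernamePasswordAuthenticationToken token =
                        new UsernamePasswordAuthenticationToken(user, "N/A", user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(token);
            }
            // With no external principal the context stays empty, so secured resources are denied.
            chain.doFilter(req, res);
        } finally {
            // Pooled threads are reused: clear so the next request cannot inherit this identity.
            SecurityContextHolder.clearContext();
        }
    }
}
```

Clearing in the finally block is what keeps a ThreadLocal-held identity from leaking to whichever request the container schedules next on the same thread.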


                • #9
                  Best Authentication impl?

                  This thread seems to have answered all but one of my questions. Which Acegi Authentication implementation should I (or can I) use? I'm already using container managed authentication for my web app, so I simply would like to use Acegi for my service and domain layer security.

                  I would also like to store my own UserDetails implementation in the Authentication. Do I need to create a custom Authentication implementation, or will one of the Acegi Authentication implementations work, and which one might that be?

                  Thanks in advance,


                  • #10
                    I'd have a read of the reference manual for container managed authentication, there's a discussion in there.

                    If you want to write your own UserDetails implementation, that should be easy enough. I'd have a look at User first and maybe extend that instead.


                    • #11
                      Thank you for the reply. I've read the documentation; however, I don't think any of the container adapters will work for me - I'm using Glassfish. I assumed I would have to create my own Authentication object (or use an existing Acegi Authentication implementation), and place it into the SecurityContextHolder as follows:

                      Authentication result = <my new Authentication implementation>;
                      SecurityContextHolder.getContext().setAuthentication(result);

                      When the user logged out, I would set the Authentication and SecurityContextHolder to null.

                      Is that correct, or am I missing something else that would be provided by a container adapter? Do I have to create a custom adapter for Glassfish?

                      Thanks again,


                      • #12
                        I'm sorry, that's as far as my container authentication knowledge stretches; I've not had to use it. If you are programmatically authenticating your users, however, what you've described is the correct way to do it. I would have a look at the existing Authentication implementations, however; one of those might be suitable for you.


                        • #13
                          Great idea. Sorry, I should have thought about looking at one of the existing implementations. That should get me where I'm going. ;-)