  • HttpInvoker Basic Authentication and SecurityContextHolder

    Hi,

    I use HttpInvoker for the remoting of my application. Authentication is done with the AuthenticationSimpleHttpInvokerRequestExecutor.

    The Dispatcher Servlet is secured with Tomcat Security:

    <security-constraint>
    <web-resource-collection>
    <web-resource-name>zld</web-resource-name>
    <description></description>
    <url-pattern>/remote/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description></description>
    <role-name>zld</role-name>
    </auth-constraint>
    </security-constraint>

    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
    <description></description>
    <role-name>zld</role-name>
    </security-role>

    On the server I would like to get the username of this request, and I tried to use SecurityContextHolder.getContext().getAuthentication()

    But authentication is NULL!

    How do I tell Acegi to set the user of the HTTP request in the SecurityContext?
    Do I have to use a filter?

    Thanks a lot.

    Kind Regards, Simon

  • #2
    Originally posted by simas:
        How do I tell Acegi to set the user of the HTTP request in the SecurityContext?
        Do I have to use a filter?
    Yes. See here for reference.

    I use this chain:

    Code:
    <bean id="security.filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /remoting/**=httpSessionContextIntegrationFilter,basicProcessingFilter
            </value>
        </property>
    </bean>
    Regards,
    Andreas



    • #3
      Hi Andreas,

      Thanks for your answer.

      I tried only with httpSessionContextIntegrationFilter. But it didn't work.

      I understand httpSessionContextIntegrationFilter but what do you do in basicProcessingFilter?

      Thanks, Simon



      • #4
        I did it!
        I wrote a BasicAndDigestProcessingFilter that is taking the username from the http header.

        Simon



        • #5
          Why did you write your own? I used the already existing one:
          Code:
          <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
              <property name="allowSessionCreation" value="false"/>
          </bean>

          <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
              <property name="authenticationManager"><ref bean="authenticationManager"/></property>
              <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
              <property name="ignoreFailure" value="true"/>
          </bean>

          <bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
              <property name="realmName"><value>Foo</value></property>
          </bean>
          To answer your former question: The BasicProcessingFilter is the one that actually does the work. The HttpSessionContextIntegrationFilter is mostly necessary for cleaning up things.

          Regards,
          Andreas



          • #6
            Yes I know that there is an existing one.
            But I only want to get the username of the authenticated user. The authentication is done with J2EE Security and not with Acegi.

            Code:
            import org.acegisecurity.Authentication;
            import org.acegisecurity.context.SecurityContextHolder;
            import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
            import org.apache.commons.codec.binary.Base64;

            // Inside doFilter(): read the Basic credentials that Tomcat has already verified
            String header = request.getHeader("Authorization");
            String username = null;

            if ((header != null) && header.startsWith("Basic ")) {
                String base64Token = header.substring(6);
                // Basic credentials are base64("username:password")
                String token = new String(Base64.decodeBase64(base64Token.getBytes()));

                int delim = token.indexOf(":");

                if (delim != -1) {
                    username = token.substring(0, delim);
                }
            }

            Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();

            // Replace the context only if it is empty or belongs to a different user
            if ((existingAuth == null) || !existingAuth.getName().equals(username)) {
                // Two-argument constructor: the token is marked as not authenticated,
                // which is enough here because the container did the authentication
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(username, null);

                SecurityContextHolder.getContext().setAuthentication(auth);
            }



            • #7
              If Tomcat is authenticating the user then you can probably access the username directly from the HttpServletRequest object (getRemoteUser()).

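As an added example (not code from the thread), a filter that takes the identity via getRemoteUser() as suggested above and places it in Acegi's SecurityContextHolder. Unlike re-parsing the Authorization header, getRemoteUser() is only non-null for a caller the container actually authenticated, so a client cannot choose its own username on a URL the security constraint does not cover; the authority name ROLE_ZLD and the filter class name are assumptions for the example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

// Hypothetical filter: bridges container (web.xml) authentication into Acegi
public class ContainerAuthenticationFilter implements Filter {

    // Role name from the <security-role> in the first post
    private static final String CONTAINER_ROLE = "zld";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Non-null only after the container's <auth-constraint> verified the credentials
        String username = request.getRemoteUser();
        try {
            if (username != null) {
                // Map the container role to an Acegi authority (ROLE_ prefix is an assumption)
                GrantedAuthority[] authorities = request.isUserInRole(CONTAINER_ROLE)
                        ? new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ZLD") }
                        : new GrantedAuthority[0];
                // The three-argument constructor marks the token as authenticated
                Authentication auth =
                        new UsernamePasswordAuthenticationToken(username, null, authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            chain.doFilter(req, res);
        } finally {
            // Clear the thread-bound context so a pooled thread does not leak the identity
            SecurityContextHolder.clearContext();
        }
    }
}
```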


              • #8
                Hey Luke,

                Stupid me! Thanks for your hint.

                Regards, Simon
