  • How do I log in without using the provided filter?

    I'm using the quick-start, but I would rather log in using a servlet rather than the filter provided. What do I need to do in the servlet to log in a user?

  • #2
    You simply need to have the Servlet obtain the username and password from the HttpRequest, check it's valid by calling the AuthenticationManager, and if so, store the returned Authentication object in the "well known location". This is usually the HttpSession attribute with the key obtained from HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY.


    • #3
      do I need to setup ContextHolder with a Context or SecureContext object at all?

      In the quick-start there is a debug.jsp that gets the Authentication object from SecureContext, but the Authentication object is also placed in the session.


      • #4
        The AbstractSecurityInterceptor is the class which "reads" what should be a valid Authentication object off the ContextHolder. Whilst AbstractSecurityInterceptor still confirms it is valid by presenting it to the AuthenticationManager again, typically applications will validate the username/password when the user first presents them (so it can provide user-friendly feedback, give them a chance to retry etc).

        The net.sf.acegisecurity.ui packages are devoted to getting a valid Authentication onto the ContextHolder. You can use as much or as little of these packages as you like. You can write anything you wish as long as a valid Authentication ends up on the ContextHolder by the time the AbstractSecurityInterceptor gets called.

        You don't need to use HttpSession if you don't wish. But it is a convenient place to hold the valid Authentication object, thus enabling the HttpSessionIntegrationFilter to place a copy on the ContextHolder at the beginning of each web request, and remove it at the end of each web request. If you go with this approach, your Servlet code will not work with ContextHolder at all (leave it to HttpSessionIntegrationFilter, which takes care of threading concerns).

        I hope this clarifies what is going on.


        • #5

          I've tried this approach and tried to use auth.isAuthenticated(); later I saw that this method had the following description:
              classes should not rely on this value as being valid unless it has been
              set by a trusted AbstractSecurityInterceptor.
          What other way to verify this exists?



          • #6
            This is just a reminder that any code can set Authentication.setAuthenticated(true). If your classes use the Authentication object, you must ensure a subclass of AbstractSecurityInterceptor has been called sometime beforehand, as it will delegate validation of the Authentication object to an AuthenticationManager.
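            The servlet-based login described in #2 and #4, together with the point made in #5/#6 that isAuthenticated() is not something to rely on, as one added example. This is not code from the thread or from the Acegi project. It assumes the Acegi 0.x class locations shown in the imports (in particular net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter), a Spring bean named "authenticationManager" in the web application context, the request parameter names j_username and j_password, and the JSP paths used for redirects; all of those are assumptions of the example, not something the thread states.

```java
// Added example (not from the thread or from Acegi): a login servlet that validates
// a username/password with the AuthenticationManager and stores the resulting
// Authentication where HttpSessionIntegrationFilter expects to find it.
// Assumptions: Acegi 0.x package names below, a Spring bean named
// "authenticationManager", request parameters "j_username"/"j_password",
// and the JSP paths "/login.jsp" and "/secure/index.jsp".
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter;

import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class LoginServlet extends HttpServlet {

    private AuthenticationManager authenticationManager;

    public void init() throws ServletException {
        // Look up the AuthenticationManager wired in the Spring application context.
        // The bean name "authenticationManager" is an assumption of this example.
        WebApplicationContext ctx =
            WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
        authenticationManager = (AuthenticationManager) ctx.getBean("authenticationManager");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");

        // Wrap the presented credentials in a request token. Nothing about this
        // token (including isAuthenticated()) means anything until an
        // AuthenticationManager has processed it.
        Authentication authRequest =
            new UsernamePasswordAuthenticationToken(username, password);

        Authentication result;
        try {
            // The AuthenticationManager checks the credentials and, on success,
            // returns a populated Authentication (principal plus granted authorities).
            result = authenticationManager.authenticate(authRequest);
        } catch (AuthenticationException failed) {
            // Validating here is what lets the application give user-friendly
            // feedback and a retry; on failure nothing is stored in the session.
            request.setAttribute("loginError", failed.getMessage());
            request.getRequestDispatcher("/login.jsp").forward(request, response);
            return;
        }

        // Store the result in the "well known location". HttpSessionIntegrationFilter
        // copies it onto the ContextHolder at the start of each later request and
        // removes it at the end, so this servlet never touches ContextHolder itself.
        HttpSession session = request.getSession(true);
        session.setAttribute(
            HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY, result);

        response.sendRedirect(request.getContextPath() + "/secure/index.jsp");
    }

    /**
     * Answers the question in #5: instead of reading auth.isAuthenticated(), which
     * any code can set to true, re-present the object to the AuthenticationManager.
     * That is what AbstractSecurityInterceptor does before granting access, and it
     * is the only check application code should rely on.
     */
    static boolean isValid(Authentication auth, AuthenticationManager manager) {
        if (auth == null) {
            return false;
        }
        try {
            manager.authenticate(auth);
            return true;
        } catch (AuthenticationException notValid) {
            return false;
        }
    }
}
```

            Map this servlet to the login form's action in web.xml and keep HttpSessionIntegrationFilter in front of the secured resources; the servlet only writes the session attribute, and the filter and AbstractSecurityInterceptor do the rest.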