  • TokenBasedRememberMeServices and UserDetails

    Hello,

    I'm using acegi 1.0.4.
    I have a question about TokenBasedRememberMeServices.

    The userDetails object is created from the injected userDetailsService in line 165
    Code:
    userDetails = this.userDetailsService.loadUserByUsername(cookieTokens[0]);
    In lines 205-207
    Code:
    RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, userDetails,
                                  userDetails.getAuthorities());
    auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
    This userDetails object is used in the constructor of RememberMeAuthenticationToken. But in the next line it is overwritten by authenticationDetailsSource.buildDetails.
    Why?

    The problem for me is that I have a special userDetailsService which creates my UserDetails objects. Why do I also have to inject a special authenticationDetailsSource? Wouldn't it be enough to use the userDetails from the userDetailsService?

    Thanks!

  • #2
    DataAccessException

    Hi again,
    I have made my own TokenBasedRememberMeServices as a workaround for me. I had to copy the autoLogin method with these modifications:
    Code:
    RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(getKey(), userDetails,
    userDetails.getAuthorities());
    //auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
    auth.setDetails(userDetails);
    I've come up with some other points:
    * line 165 should catch a DataAccessException
    * These points make extension hard:
    ** access to private members with this, instead of getters
    ** cancelCookie is private
    ** constant ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY is private

    Is anybody reading this?
    Should I post to the dev mailing list?
    Or make Jira entries?
    Acegi is a great product!
    I just want to help!



    • #3
      The 'authenticationDetailsSource' is something different than the 'userDetailsService'... So I don't see the comparison you make.

      The UserDetailsService implementation returns a UserDetails instance. The AuthenticationDetailsSource adds some additional information to the RememberMeAuthenticationToken to enable, for instance, ConcurrentSessionFilter to work (it adds the current sessionId etc.). But it doesn't override the already set UserDetails object...

      The UserDetails object is available with the getPrincipal method and not the getDetails method! Also the details object isn't even being set in the initial constructor.

      Code:
          public RememberMeAuthenticationToken(String key, Object principal, GrantedAuthority[] authorities) {
              super(authorities);
      
              if ((key == null) || ("".equals(key)) || (principal == null) || "".equals(principal)) {
                  throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
              }
      
              this.keyHash = key.hashCode();
              this.principal = principal;
              setAuthenticated(true);
          }
      Code:
          public void setDetails(Object details) {
              this.details = details;
          }
      The setDetails method only sets the details property, nothing more, nothing less. It doesn't do anything with the principal object (which isn't even accessible!).


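The principal/details split described in post #3, as an added example that is not part of the original thread and not Acegi's own code. It assumes the Acegi 1.0.x jar and its dependencies are on the classpath; the class `AuthenticationSlots`, its helpers `userOf` and `webDetailsOf`, and the sample user and key are hypothetical, constructed for illustration.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
import org.acegisecurity.ui.WebAuthenticationDetails;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

// Hypothetical helper (not part of Acegi): typed access to both slots.
public class AuthenticationSlots {

    // The user object lives in the principal slot. The slot is typed Object
    // and may hold something else (e.g. a String), so check before casting.
    static UserDetails userOf(Authentication auth) {
        Object p = (auth == null) ? null : auth.getPrincipal();
        return (p instanceof UserDetails) ? (UserDetails) p : null;
    }

    // Request metadata (session id, remote address) lives in the details slot.
    static WebAuthenticationDetails webDetailsOf(Authentication auth) {
        Object d = (auth == null) ? null : auth.getDetails();
        return (d instanceof WebAuthenticationDetails) ? (WebAuthenticationDetails) d : null;
    }

    public static void main(String[] args) {
        // Constructed sample user and key.
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") };
        UserDetails user = new User("alice", "n/a", true, true, true, true, roles);
        RememberMeAuthenticationToken auth =
                new RememberMeAuthenticationToken("sampleKey", user, user.getAuthorities());

        // The constructor fills the principal only; details start out unset.
        System.out.println("principal is user: " + (userOf(auth) == user));
        System.out.println("details unset:     " + (auth.getDetails() == null));

        // Post #2's workaround: put the UserDetails into the details slot.
        auth.setDetails(user);

        // The principal is untouched, but the details slot no longer holds
        // the session id that a WebAuthenticationDetails object would carry.
        System.out.println("principal is user: " + (userOf(auth) == user));
        System.out.println("web details:       " + webDetailsOf(auth));
    }
}
```

Code that needs the session id or remote address should read it through a type-checked accessor like `webDetailsOf`, since the details slot accepts any object.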

      • #4
        Hello,
        It finally sunk in!
        I wanted to use the <authz:authentication> tag and noticed that it displays the principal.
        I made an update to acegi 1.0.5 and there the Javadoc of Authentication is much clearer.
        I always thought getDetails() should return a UserDetails object. But actually getPrincipal() should. Now everything makes much more sense.

        A late thanks!

        PS: It was a bit like: What are they talking about, one guy driving against the traffic? Hundreds!



        • #5
          There are a few problems with the existing remember me services implementation and it will almost certainly have some alterations made for the 2.0 release. I've also written another implementation of RememberMeServices based on the discussion here

          http://jaspan.com/improved_persisten..._best_practice

          which you might want to take a look at. This also involves refactoring TokenBasedRememberMeServices to use the abstract base class that's been introduced.

          http://opensource.atlassian.com/proj...browse/SEC-588
