
  • Customize Authentication

    Hello, I have an application that does not have a login screen. We take the userid from the user's network login and use it to look up authentication information in our database. I am trying to learn how to create my own Acegi objects to call our own authentication objects without displaying the login screen.

    I currently have a working Acegi implementation as explained in the example application.

    Regards

  • #2
    Is this for a webapp or rich client? Is there a need for the application to communicate with a separate server, passing credentials along as well (i.e. proxy the credentials)?

    Your goal is to populate the ContextHolder with an Authentication representing the user. I can offer some more specific suggestions when I understand your requirements.



    • #3
      Customize Authentication

      I'll be happy to tell you as much as I can. What I have is a web application running under Tomcat fronted by IIS. Challenge response authentication is being used by IIS and our web application uses the getRemoteUser() to determine what the user's userid is. Therefore, if the user is not logged into our Windows network then we assume they are not allowed any access to our application.

      Once a user's id is determined we query data in an Oracle database to determine the user's credentials. If a user's session has timed out we would like to repeat this process without ever having to display a login screen.

      I will provide any additional details that you need to better understand my situation.

      Regards



      • #4
        You'll need something like the following class (adapted from BasicProcessingFilter), and use it with HttpSessionIntegrationFilter:

        Code:
        /* Copyright 2004, 2005 Acegi Technology Pty Limited
         *
         * Licensed under the Apache License, Version 2.0 (the "License");
         * you may not use this file except in compliance with the License.
         * You may obtain a copy of the License at
         *
         *     http://www.apache.org/licenses/LICENSE-2.0
         *
         * Unless required by applicable law or agreed to in writing, software
         * distributed under the License is distributed on an "AS IS" BASIS,
         * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
         * See the License for the specific language governing permissions and
         * limitations under the License.
         */
        
        package net.sf.acegisecurity.ui.basicauth;
        
        import net.sf.acegisecurity.Authentication;
        import net.sf.acegisecurity.AuthenticationException;
        import net.sf.acegisecurity.AuthenticationManager;
        import net.sf.acegisecurity.intercept.web.AuthenticationEntryPoint;
        import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
        import net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint;
        import net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter;
        
        import org.apache.commons.logging.Log;
        import org.apache.commons.logging.LogFactory;
        
        import org.springframework.beans.factory.InitializingBean;
        
        import java.io.IOException;
        
        import javax.servlet.Filter;
        import javax.servlet.FilterChain;
        import javax.servlet.FilterConfig;
        import javax.servlet.ServletException;
        import javax.servlet.ServletRequest;
        import javax.servlet.ServletResponse;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;
        
        
        /**
         * Expects the <code>getRemoteUser()</code> to provide a <code>String</code>
         * representation of the currently logged on user. The username is expected to
         * be usable for authentication by the <code>AuthenticationManager</code>.
         *
         * <p>
         * NB: The container is expected to know when and how to authenticate the user.
         * As such if this filter is called, the principal should already be
         * authenticated.
         * </p>
         *
         * <p>
         * If authentication is successful, the resulting {@link Authentication} object
         * will be placed into the <code>HttpSession</code> with the attribute defined
         * by {@link HttpSessionIntegrationFilter#ACEGI_SECURITY_AUTHENTICATION_KEY}.
         * </p>
         *
         * <p>
         * If authentication fails, an {@link AuthenticationEntryPoint} implementation
         * is called. This might be {@link AuthenticationProcessingFilterEntryPoint},
         * which will redirect the user to an appropriate page to perform
         * authentication. Alternatively, a custom entry point might send an access
         * denied error or similar.
         * </p>
         *
         * <p>
         * <b>Do not use this class directly.</b> Instead configure
         * <code>web.xml</code> to use the {@link
         * net.sf.acegisecurity.util.FilterToBeanProxy}.
         * </p>
         *
         * @author Ben Alex
         * @version $Id$
         */
        public class ExternalContainerProcessingFilter implements Filter,
            InitializingBean {
            //~ Static fields/initializers =============================================

            private static final Log logger = LogFactory.getLog(ExternalContainerProcessingFilter.class);

            //~ Instance fields ========================================================

            private AuthenticationEntryPoint authenticationEntryPoint;
            private AuthenticationManager authenticationManager;

            // Placeholder credential: the container has already authenticated the
            // user, so there is no real password to pass to the AuthenticationManager.
            private String password = "";

            //~ Methods ================================================================

            public void setAuthenticationEntryPoint(
                AuthenticationEntryPoint authenticationEntryPoint) {
                this.authenticationEntryPoint = authenticationEntryPoint;
            }

            public AuthenticationEntryPoint getAuthenticationEntryPoint() {
                return authenticationEntryPoint;
            }

            public void setAuthenticationManager(
                AuthenticationManager authenticationManager) {
                this.authenticationManager = authenticationManager;
            }

            public AuthenticationManager getAuthenticationManager() {
                return authenticationManager;
            }

            public void afterPropertiesSet() throws Exception {
                if (this.authenticationManager == null) {
                    throw new IllegalArgumentException(
                        "An AuthenticationManager is required");
                }

                if (this.authenticationEntryPoint == null) {
                    throw new IllegalArgumentException(
                        "An AuthenticationEntryPoint is required");
                }
            }

            public void destroy() {}

            public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
                if (!(request instanceof HttpServletRequest)) {
                    throw new ServletException("Can only process HttpServletRequest");
                }

                if (!(response instanceof HttpServletResponse)) {
                    throw new ServletException("Can only process HttpServletResponse");
                }

                HttpServletRequest httpRequest = (HttpServletRequest) request;
                HttpServletResponse httpResponse = (HttpServletResponse) response;

                // Username as established by the container (here: IIS in front of Tomcat)
                String username = httpRequest.getRemoteUser();

                if (logger.isDebugEnabled()) {
                    logger.debug("Remote user from HTTP request: " + username);
                }

                if (username != null) {
                    // no password is passed in
                    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
                            password);
                    authRequest.setDetails(httpRequest.getRemoteAddr());

                    Authentication authResult;

                    try {
                        authResult = authenticationManager.authenticate(authRequest);
                    } catch (AuthenticationException failed) {
                        // Authentication failed
                        if (logger.isDebugEnabled()) {
                            logger.debug("Authentication request for user: " + username
                                + " failed: " + failed.toString());
                        }

                        authenticationEntryPoint.commence(request, response);

                        return;
                    }

                    // Authentication success
                    if (logger.isDebugEnabled()) {
                        logger.debug("Authentication success: " + authResult.toString());
                    }

                    // Picked up from the session by HttpSessionIntegrationFilter
                    httpRequest.getSession().setAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY,
                        authResult);
                }

                chain.doFilter(request, response);
            }

            public void init(FilterConfig arg0) throws ServletException {}
        }



        • #5
          Customize Authentication: coming from network

          Originally posted by Ben Alex
          You'll need something like the following class (adapted from BasicProcessingFilter), and use it with HttpSessionIntegrationFilter:
          Hello,

          I have a similar situation in my current project. I would like to try the above mentioned solution, but I don't understand well how to use that class.

          Can you please explain in more detail how to use the indicated class and where to insert it in the XML configuration files?

          Best regards,
          Pino



          • #6
            You'd use it wherever you would have otherwise used an AuthenticationProcessingFilter.



            • #7
              I tried to use this class. It works mostly well, except that I can't get it to display an error page. Is that possible?

              Or even better, would it be possible to use form authentication (via org.acegisecurity.ui.webapp.AuthenticationProcessingFilter) as a fall-back mechanism?

              Thanks for the help !



              • #8
                With the latest acegi, I did the following: will it work?

                Original
                httpRequest.getSession().setAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY, authResult);

                New
                httpRequest.getSession().setAttribute(HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY, authResult);
                Thanks,
                Doug
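
On the change asked about in #8, as an added example that is not part of the thread or of Acegi's own code: in Acegi 1.0.x, HttpSessionContextIntegrationFilter expects the session attribute named by ACEGI_SECURITY_CONTEXT_KEY to hold a SecurityContext, so this variant sets the Authentication on SecurityContextHolder and lets that filter persist the context. It assumes the Acegi 1.0.x package names and that the filter runs after HttpSessionContextIntegrationFilter in the chain; the class name RemoteUserContextFilter is hypothetical, and the empty password is carried over from the class in #4.

```java
// Added example (not from the thread). Assumes Acegi Security 1.0.x and the
// Servlet API on the classpath; RemoteUserContextFilter is a hypothetical name.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.AuthenticationEntryPoint;

public class RemoteUserContextFilter implements Filter {
    private AuthenticationManager authenticationManager;
    private AuthenticationEntryPoint authenticationEntryPoint;

    public void setAuthenticationManager(AuthenticationManager m) { this.authenticationManager = m; }
    public void setAuthenticationEntryPoint(AuthenticationEntryPoint e) { this.authenticationEntryPoint = e; }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String username = ((HttpServletRequest) request).getRemoteUser();
        Authentication current = SecurityContextHolder.getContext().getAuthentication();

        // Re-authenticate only when the container supplies a user and the context
        // restored from the session is empty or belongs to a different principal.
        if (username != null && (current == null || !username.equals(current.getName()))) {
            UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, "");
            authRequest.setDetails(request.getRemoteAddr());
            try {
                Authentication authResult = authenticationManager.authenticate(authRequest);
                // Put the Authentication in the SecurityContext rather than in the
                // session attribute; HttpSessionContextIntegrationFilter writes the
                // context back to the session when the request completes.
                SecurityContextHolder.getContext().setAuthentication(authResult);
            } catch (AuthenticationException failed) {
                // Never leave a stale principal in place after a failed lookup.
                SecurityContextHolder.getContext().setAuthentication(null);
                authenticationEntryPoint.commence(request, response, failed);
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Comparing the container's user with the principal already in the context also covers the session-timeout case from #3: a new session starts with an empty context, so the lookup is repeated without a login page.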
