Announcement Announcement Module
Collapse
No announcement yet.
Proxy auth remote access by apache HttpClient Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Proxy auth remote access by apache HttpClient

    Hello,

    I'm trying to use proxy tickets to access from a web-app(FOO) to another web-app(BAR) by apache HttpClient.
    But I coudn't figure out how to use proxy ticket or to access BAR.

    I have two web applications(FOO & BAR) both are using CAS single sign on with acegi.
    After logging in to CAS, goto one of the FOO's webpage, and submit a form. In this action, I'd like to call a http access to BAR using HttpClient.
    Since this http access happens from FOO to BAR, it needs proxy authentication.

    So, I set up FOO with proxy callback and able to get proxy ticket by this:

    SecurityContext context = (SecurityContext) session.getAttribute("ACEGI_SECURITY_CONTEXT");
    CasAuthenticationToken token = (CasAuthenticationToken)context.getAuthentication( );
    // or
    // CasAuthenticationToken token = (CasAuthenticationToken) SecurityContextHolder.getContext().getAuthenticati on();

    String pgtIou = token.getProxyGrantingTicketIou();
    String target = "https://BAR/some_service";
    String pt = ProxyTicketReceptor.getProxyTicket(pgtIou, target);
    But now, I have no idea how to use this proxy ticket.

    I just called BAR's target service appending proxy ticket:

    GetMethod method = new GetMethod(target + "?ticket=" + pt);
    int status = httpClient.executeMethod(method);
    But it didn't work, just redirected to CAS login page.


    I read some posts saying without using proxy ticket, access another CASifying service using BasicAuthentication.
    So, I tried

    Credentials credential = new UsernamePasswordCredentials(CasProcessingFilter.CA S_STATEFUL_IDENTIFIER, pt);
    // or
    // Credentials credential = new UsernamePasswordCredentials(token.getCredentials() .toString(), token.getPrincipal().toString());

    httpClient.getState().setCredentials(AuthScope.ANY , credential);

    GetMethod method = new GetMethod(url);
    method.setDoAuthentication(true);
    int status = httpClient.executeMethod(method);
    However, always I get a redirected CAS login page.

    What is the correct way to use proxy ticket, or how can I call another web-app service from web action via http/https under CAS/Acegi?

    Thanks,

  • #2
    I have a similar set up where I needed to call a servlet from one web-app to another.

    You will have to change your filters for the acegi authentication. The fact that you are getting directed to a login page means in your filter sequence you are going to go to a login page which will capture credentials from the user.

    I had the same problem.

    The work around was I specified a filter sequence for my servlet pattern which did basic authentication.

    Code:
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    <!-- 
                        The order of the filters is important.  The rational for the filter ordering below is as follows:
                        - ChannelProcessingFilter to handle redirecting protocols (HTTPS)
                        - ConcurrentSessionFilter to reflect ongoing requests from a user
                        - HttpSessionContextIntegrationFilter to create a SecurityContext at the beginning of a web request
                            * filters of this type should disallow session creation for webservices, since no session id
                              is provided as part of a web service
                        - Any filter (Authentication, Cas, Basic, HttpRequest, etc.) that will contain an Authentication token
                        - SecurityContextHolderAwareRequestFilter if installing an Acegi-aware request wrapper to servlet container
                        - RememberMeProcessingFilter to handle updating SecurityContextHolder from requests that present a cookie
                        - AnonymousProcessingFilter to put an anonymous Authentication token in the SecurityContextHolder
                        - ExceptionTranslationFilter to manage Acegi security exceptions as HTTP errors
                        - FilterSecurityInterceptor to protect web URIs
                    -->
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /webservices/*webservices*=httpSessionContextIntegrationFilter,logoutFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,basicExceptionTranslationFilter,filterSecurityInterceptor
                    /upload/=httpSessionContextIntegrationFilter,logoutFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,basicExceptionTranslationFilter,filterSecurityInterceptor
                    /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,authenticationExceptionTranslationFilter,filterSecurityInterceptor
                 </value>
            </property>
        </bean>
    The text highlighted in bold is used to call the servlet and it says use basic authentication and I used your code excerpt to supply authentication details.
    Last edited by zbhiwandiwala; Mar 24th, 2008, 12:47 PM. Reason: Found a solution

    Comment


    • #3
      Thank you for the configuration sample.

      I found that I was not putting BasicProcessingFilter that checks Basic header in http protocol for authentication information.

      After I added BasicProcessingFilter to my ACEGI filter chain, finally my remoting method worked with CAS proxy authentication.

      Thanks a lot.

      Comment

      Working...
      X