
  • Using custom Authentication class

    I'm reading the docs for Acegi Security 1.0.7 and I think I'm close to a design for my authentication scheme. I need to hook into Acegi for a SAML SSO integration.

    I think I can achieve this by creating an AuthenticationProvider class that will look for an SSO token (in this case, a browser cookie) - if there is one and it's valid, the user is authenticated; if either is false, redirect to the ServiceProvider to initialize SSO.

    My problem of the moment is that I don't see how I can access the HttpRequest to fetch the cookie from within the 'authenticate' method.

    From what I understand of the framework, I can create an implementation of Authentication (call it SsoCookieAuthentication) that makes the appropriate cookie (or not) available via getCredentials() and I can access the Authentication via:

    SecurityContextHolder.getContext().getAuthentication()

    But how do I configure or code so that the object returned by this call is my SsoCookieAuthentication? Do I need to write a filter that explicitly creates and sets the Authentication object?

    Thanks,

    Jon

  • #2
    Hi!
    If you want to use a custom authentication token you should implement your own authentication filter to create the new token.

    Instead of that, I suggest you use the filters and authentication tokens provided by Spring Security. If you need to add extra information to the token, you can use the "details" attribute.
    It's very simple: you need to create a new AuthenticationDetailsSource (http://static.springframework.org/sp...ilsSource.html). This class will be responsible for building the details of the authentication token.
    As you can see in the source of the authentication filters, when the token is created the function setDetails(request, authRequest); is called. This function executes the buildDetails function of the authenticationDetailsSource that you have specified in the filter (by default it is WebAuthenticationDetailsSource). You can set your own AuthenticationDetailsSource to build the details attribute with a class that holds the SAML and all the information you want.

    You'll understand it better if you see the source of WebAuthenticationDetailsSource and WebAuthenticationDetails.

    Sorry for my English :P I hope this information will be useful for you. I had the same problem months ago and someone here recommended the approach I tried to explain to you.

    Edit: I found the post where I explained what I was trying to do and Luke Taylor answered me with this information http://jira.springframework.org/browse/SEC-948
    Last edited by Yuki; Oct 17th, 2008, 05:59 AM. Reason: Trying to correct my english and adding useful information



    • #3
      Thanks, Yuki - this looks promising.



      • #4
        Could I just extend WebAuthenticationDetails and implement doPopulateAdditionalInformation? It seems like that's what it's there for...



        • #5
          Now that I've created a custom AuthenticationDetailsSource class, how do I configure ACEGI to use it?

          This is clearly a n00b question - please humor me!

          Jon



          • #6
            Best option is to add the source jar to your IDE and do a "find usages".

            Alternatively, google (on AuthenticationDetailsSource) might lead you to the equivalent Javadoc:

            http://www.acegisecurity.org/acegi-s...ilsSource.html

            and you can immediately find out where it is used and what beans have setters for it.



            • #7
              I have to admit that I'm still stumped here.

              I have managed to write an AuthenticationProvider and configure my application to use it.

              What I want to do is give the AuthenticationProvider instance access to the HttpServletRequest object (or equivalent) in the authenticate() method.

              Unless this is globally available in a way that I don't know yet, I was hoping to make it accessible via authentication.getDetails() since that returns an arbitrary Object.

              To this end, I have written a class that extends WebAuthenticationDetails and set additional (Request-related) values on the object. However, I am at a loss as to how to configure my application to use the Details class that I've written.

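The approach from #2 applied to the question in #7, as an added example that is not part of the thread or of Acegi's own code: a details class that copies the SSO cookie value out of the request, the AuthenticationDetailsSource that builds it, and a provider that reads it back through getDetails(). It assumes Acegi Security 1.0.x, where buildDetails takes an HttpServletRequest; the class names, the SSO_TOKEN cookie name and the validate() extension point are hypothetical.

```java
// Added example, not from the thread. Assumes Acegi Security 1.0.x and the Servlet API.
// SsoDetails, SsoDetailsSource, SsoCookieProvider and "SSO_TOKEN" are hypothetical names.
// Shown in one file; in a project each class would be public in its own file.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.ui.AuthenticationDetailsSource;
import org.acegisecurity.ui.WebAuthenticationDetails;

class SsoDetails extends WebAuthenticationDetails {
    private final String ssoToken; // copy the value; never store the request itself

    SsoDetails(HttpServletRequest request) {
        super(request); // records remote address and session id
        String found = null;
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if ("SSO_TOKEN".equals(cookies[i].getName())) found = cookies[i].getValue();
        }
        this.ssoToken = found;
    }

    String getSsoToken() { return ssoToken; } // untrusted until the provider validates it
}

// The processing filter's setDetails(request, authRequest) calls this for each attempt.
class SsoDetailsSource implements AuthenticationDetailsSource {
    public Object buildDetails(HttpServletRequest request) { return new SsoDetails(request); }
}

abstract class SsoCookieProvider implements AuthenticationProvider {
    public Authentication authenticate(Authentication auth) {
        Object details = auth.getDetails();
        if (!(details instanceof SsoDetails)) return null; // not ours; next provider decides
        String token = ((SsoDetails) details).getSsoToken();
        if (token == null) throw new BadCredentialsException("SSO cookie missing");
        return validate(token, auth);
    }

    public boolean supports(Class authentication) { return true; }

    // Verify the token with the identity provider; return an authenticated token or throw.
    protected abstract Authentication validate(String token, Authentication request);
}
```

The details source is wired by setting the authenticationDetailsSource property of the processing filter bean to an SsoDetailsSource. Only the cookie value is copied because the Authentication, details included, is normally kept in the HTTP session.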


              • #8
                Originally posted by jon.lustig
                I have to admit that I'm still stumped here.

                I have managed to write an AuthenticationProvider and configure my application to use it.

                What I want to do is give the AuthenticationProvider instance access to the HttpServletRequest object (or equivalent) in the authenticate() method.

                Unless this is globally available in a way that I don't know yet, I was hoping to make it accessible via authentication.getDetails() since that returns an arbitrary Object.

                To this end, I have written a class that extends WebAuthenticationDetails and set additional (Request-related) values on the object. However, I am at a loss as to how to configure my application to use the Details class that I've written.

                Look into the org.springframework.web.servlet.HandlerInterceptor.

                You can create a class that extends the HandlerInterceptorAdapter class and implements the preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) method.

                As you can see you have access to the HttpServletRequest from there and therefore, can read your cookie.
                Last edited by InfiniteLoop; Oct 29th, 2008, 03:58 PM.



                • #9
                  I am facing the same issue and was wondering if you found how to link your own WebAuthenticationDetails to Acegi?



                  • #10
                    Did you figure out how to configure your application to use your WebAuthenticationDetails?

                    Thanks,

                    Q
