  • Spring Authentication With DWR

    Hi,

    Does anyone know of an example that shows how to authenticate with Spring using DWR?

    TIA,
    - Ole

  • #2
    Hi ole.ersoy,
    I've posted a proposal here: http://forum.springsource.org/showthread.php?t=72970

    Maybe we can work this out together.

    Regards,

    • #3
      Hi Nickar,

      (I'm Ole). Sure - I'd love to work this out with you. I'm currently reading up on the documentation a little more:
      http://static.springframework.org/sp...-overview.html

      There's a code sample in there that has this:
      Code:
      Authentication request = new UsernamePasswordAuthenticationToken(name, password);
      Authentication result = am.authenticate(request);
      SecurityContextHolder.getContext().setAuthentication(result);

      So I'm thinking we could just wrap this in a service method that throws an authentication exception (caught on the client side).

      Thoughts?

      Ole

      • #4
        P.S. If you want, we can post our notes on your proposal thread. I'm going to see whether I can get a mock setup going outside of the container using the lines above, and then gradually move to testing in Tomcat from there.

        • #5
          That's what I've said.
          We must be careful with Authentication (java.security.Authentication).
          The other alternative is to export AuthenticationManager itself, but then you have to build the Authentication object in the client.

          Regards,

          • #6
            What do you think about something like this:
            Code:
            com.example.MyService.authenticate(String username, String password);

            Expose the above type of method via DWR.

            So on the JavaScript client side we would have something like:
            Code:
            // DWR calls are asynchronous: a remote failure does not surface in a try/catch
            // around the call, so it is handled in the errorHandler of the call options.
            RemotedMyService.authenticate(username, password, {
                callback: function(result) {
                    // authenticated
                },
                errorHandler: function(message, exception) {
                    // authentication failed....tell user to try again
                }
            });

            • #7
              It is nice.
              I would like to return the Authentication object, so I can enforce authorizations in the frontend as in the backend.
              The function authenticate must return java.security.Authentication, the object returned by AuthenticationManager.

              Regards,

              • #8
                Hmm...I see - nice idea. Me like too. I'm trying to think whether there are any security issues with that...

                Is it possible for a hacker to hack an instance of a DWR proxy on any browser?

                I'll just leave the question up in case anyone has any input on that....

                • #9
                  This is what Authentication looks like:
                  Code:
                  package org.acegisecurity;

                  import java.io.Serializable;
                  import java.security.Principal;

                  public interface Authentication extends Principal, Serializable {

                      GrantedAuthority[] getAuthorities();

                      /**
                       * The credentials that prove the principal is correct. This is usually a password, but could be anything.
                       */
                      Object getCredentials();

                      /**
                       * Stores additional details about the authentication request. These might be an IP address, certificate
                       * serial number etc.
                       *
                       * @return additional details about the authentication request, or <code>null</code> if not used
                       */
                      Object getDetails();

                      /**
                       * The identity of the principal being authenticated. This is usually a username. Callers are expected to
                       * populate the principal.
                       *
                       * @return the <code>Principal</code> being authenticated
                       */
                      Object getPrincipal();

                      boolean isAuthenticated();

                      void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;

                      // From 'extends Principal'
                      String getName();
                  }
                  We have to clean the credentials (the password).
                  Regards,

                  • #10
                    Another thing that needs figuring out is how we wire up a mock-up. I'm reading through the 2.0 documentation right now and it's done like this with the namespace configuration:
                    Code:
                      <authentication-provider>
                        <user-service>
                          <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
                          <user name="bob" password="bobspassword" authorities="ROLE_USER" />
                        </user-service>
                      </authentication-provider>
                    But how do we do something similar using the traditional bean element declarations (bean namespace)? Or maybe we can just use the namespace configuration elements and still get the corresponding authentication manager to authenticate against it?

                    • #11
                      Another thing to test: in our case, can remember-me authentication be used?

                      • #12
                        Well,
                        this is a quick implementation.
                        It only works with user & password authentication, and with simple GrantedAuthority elements, as it converts them to String.

                        Code:
                        // SecurityService.java
                        package org.siri.seguridad;

                        public interface SecurityService {
                            String[] authenticate(String username, String password);
                        }

                        // SecurityServiceImpl.java
                        package org.siri.seguridad;

                        import org.acegisecurity.Authentication;
                        import org.acegisecurity.AuthenticationManager;
                        import org.acegisecurity.GrantedAuthority;
                        import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

                        public class SecurityServiceImpl implements SecurityService {

                            // Injected by Spring; must be configured with all the providers needed.
                            private AuthenticationManager authenticationManager;

                            public AuthenticationManager getAuthenticationManager() {
                                return authenticationManager;
                            }

                            public void setAuthenticationManager(AuthenticationManager authenticationManager) {
                                this.authenticationManager = authenticationManager;
                            }

                            // Authenticates the user and returns the names of the granted authorities.
                            // If the credentials are rejected, the AuthenticationException propagates to the caller.
                            public String[] authenticate(String username, String password) {
                                Authentication authentication = new UsernamePasswordAuthenticationToken(username, password);
                                authentication = authenticationManager.authenticate(authentication);

                                GrantedAuthority[] ga = authentication.getAuthorities();
                                String[] retA = new String[ga.length];
                                for (int i = 0; i < ga.length; i++) {
                                    retA[i] = ga[i].getAuthority();
                                }
                                return retA;
                            }
                        }
                        Remember-me authentication works with a filter, so it is independent of this.
                        Also, you can use other ways to authenticate.
                        Using a service is an explicit way to do it; using a cookie is implicit.
                        I personally don't need/want to do any other kind of authentication.
                        How can we improve this code?

                        Regards,

                        • #13
                          Originally posted by ole.ersoy:
                          Another thing that needs figuring out is how we wire up a mock-up. I'm reading through the 2.0 documentation right now and it's done like this with the namespace configuration:
                          Code:
                            <authentication-provider>
                              <user-service>
                                <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
                                <user name="bob" password="bobspassword" authorities="ROLE_USER" />
                              </user-service>
                            </authentication-provider>
                          But how do we do something similar using the traditional bean element declarations (bean namespace)? Or maybe we can just use the namespace configuration elements and still get the corresponding authentication manager to authenticate against it?
                          I don't really know what you mean by mock-up wiring.
                          The authenticationManager must be configured with all the authenticationProviders needed.

                          I was thinking that perhaps we could separate authentication and the authorization mirroring.

                          Something like:
                          Code:
                          boolean authenticate(String username, String password);
                          String[] getAuthorities() throws NotLoggedException;

                          Regards,

                          • #14
                            How does the SecurityServiceImpl get a configured instance of the AuthenticationManager?

                            My first goal is to just get a unit test working. So something like:

                            Code:
                            import junit.framework.TestCase;
                            import org.springframework.beans.factory.xml.XmlBeanFactory;
                            import org.springframework.core.io.FileSystemResource;
                            import org.springframework.core.io.Resource;

                            public class SecurityServiceTest extends TestCase {

                                public void testAuthenticate() {
                                    // Load the security context straight from the file, outside any web container.
                                    Resource resource = new FileSystemResource("src/test/resources/security-context.xml");
                                    XmlBeanFactory beanFactory = new XmlBeanFactory(resource);

                                    SecurityService securityService = (SecurityService) beanFactory.getBean("securityService");

                                    String userName = "elmer";
                                    String password = "secret";

                                    securityService.authenticate(userName, password);
                                }
                            }
                            So right now I'm looking for what to put in security-context.xml to get this to work, and the correct Maven dependencies.

                            Any thoughts on logging out? Probably just a matter of removing the Authentication from the SecurityContextHolder....

                            I'm still reading all the 2.0 security documentation. Hope to have more answers than questions soon.

                            • #15
                              OK - at the bottom of this page:

                              http://static.springframework.org/sp...ns-config.html

                              it says we can get the authentication manager like this:

                              Code:
                                <security:authentication-manager alias="authenticationManager"/>

                                <bean id="customizedFormLoginFilter"
                                      class="com.somecompany.security.web.CustomFormLoginFilter">
                                   <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
                                   <property name="authenticationManager" ref="authenticationManager"/>
                                   ...
                                </bean>
                              Hopefully that works in the 2.0 codebase as well. I'm reading the 3.0 documentation.
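Pulling together the points raised in #3 (store the result in the SecurityContextHolder), #9 (clean the credentials), #12 and #13 (hand the client authority names and a separate getAuthorities) and #14 (logout), here is an added example that is not code from this thread, written against the Spring Security 2.0 packages rather than the Acegi ones used in #12. It assumes the bean is exported through DWR, is wired with the authenticationManager alias from the <security:authentication-manager> element quoted above, and that the DWR servlet path runs through the Spring Security filter chain so the session integration filter persists the context between requests; the class name is hypothetical and the package name is borrowed from #12.

```java
package org.siri.seguridad; // package name borrowed from the thread; hypothetical

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

/**
 * DWR-exposed facade over the AuthenticationManager. Only authority names cross the wire; the
 * Authentication object (and its UserDetails principal, which carries the stored password) stays server-side.
 */
public class DwrSecurityService {
    // Injected from the <security:authentication-manager alias="authenticationManager"/> bean.
    private AuthenticationManager authenticationManager;

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // A rejected login throws AuthenticationException, which DWR hands to the client's errorHandler.
    public String[] authenticate(String username, String password) throws AuthenticationException {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        Authentication result = authenticationManager.authenticate(request);
        // Keep the result but drop the clear-text password before it is stored (thread-local now, session later).
        Authentication cleaned = new UsernamePasswordAuthenticationToken(
                result.getPrincipal(), null, result.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(cleaned);
        return toNames(result.getAuthorities());
    }

    // Mirrors the server-side authorities for the client; empty if nobody is logged in.
    public String[] getAuthorities() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        return current == null ? new String[0] : toNames(current.getAuthorities());
    }

    // Logout: clear the context; the session copy is overwritten when the request completes.
    public void logout() {
        SecurityContextHolder.clearContext();
    }

    private static String[] toNames(GrantedAuthority[] granted) {
        String[] names = new String[granted.length];
        for (int i = 0; i < granted.length; i++) {
            names[i] = granted[i].getAuthority();
        }
        return names;
    }
}
```

Because getAuthorities() reads the thread-local context, it only reports the logged-in user when the DWR request itself passed through the filter chain that restores the context from the session.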