HttpInvoker and Autorization [Archive] - Spring Community Forums

View Full Version : HttpInvoker and Autorization

netsuke

Oct 3rd, 2004, 08:15 PM

Hello, I need some guidelines on how to use authorization with Spring´s HttpInvoker.
I have configured in my web.xml the HTTP BASIC Authorization Filter and Acegi Security System for Spring Auto Integration Filter. In my application context, I have put a MethodSecurityInterceptor and a AutoProxyCreator that refers to my business bean using the security interceptor.
The bean is then exported using httpInvoker, and when a remote client tries to use it, the following error appears:

[java]net.sf.acegisecurity.AuthenticationCredentialsNotF oundException: A valid SecureContext was not provided in the RequestContext

The client uses Jakarta Commons HttpClient (CommonsHttpInvokerRequestExecutor). How can I change my client code so it can pass the credentials and other security info as needed ?

thanks...
________________________
~gRIM

carango

Jan 9th, 2007, 02:46 PM

Hello.

In the client, I use the org.acegisecurity.context.httpinvoker.Authenticati onSimpleHttpInvokerRequestExecutor
instead of the CommonsHttpInvokerRequestExecutor. This will search the credentials in the client's Security Context (you have to put an Authorization object there at some point) and adds the authentication information to the HTTP request. The AuthenticationSimpleHttpInvokerRequestExecutor extends Spring's SimpleHttpInvokerRequestExecutor, therefore, you loose some of the advanced functionality provided by Commons HTTP Client.

Acegi does not provide a class to add authentication to commons HTTP client. If you learn how to do so, please let me know.

carango

Jan 11th, 2007, 10:13 AM

The extension to CommonsHttpInvokerRequestExecutor to include credentials taken from SecurityContext is actually very simple:

public class AuthenticatedCommonsHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {

protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
super.setRequestBody(config, postMethod, baos);
Authentication auth = SecurityContextHolder.getContext().getAuthenticati on();
if(auth != null){
String username = auth.getCredentials().toString();
String password = auth.getPrincipal().toString();
Credentials credentials = new UsernamePasswordCredentials(username, password);
getHttpClient().getState().setCredentials(AuthScop e.ANY, credentials);
}
}

}

This works for commons HttpClient 3.0.

Regards,