Accessing HTTP Session Id after Auth attempt
pburleson
Oct 25th, 2004, 09:47 AM
I was wondering if there is an easy way to get to the HTTP Session Id after an auth event? Do I need to subclass the SecurityEnforcementFilter to achieve this?
The reason being is that we track the session id in all the events in our app so we can do some reporting on that later.
I've already hacked it into the Access Denied page I've built by grabbing it out the request.
Thanks,
Patrick
Ben Alex
Oct 28th, 2004, 06:14 PM
You can place whatever you like into Authentication.setDetails(Object). This can then be accessed via the AuthenticationSuccessEvent.getAuthentication(). You'd originally do the setDetails(Object) from a subclass of AbstractProcessingFilter, such as AuthenticationProcessingFilter.
pburleson
Oct 28th, 2004, 09:29 PM
So you are saying subclass AuthenticationProcessingFilter and then call the setDetails(Object)? Will I need to duplicate the code of AuthenticationProcessingFilter?
To be honest, I haven't taken a close look at this and I am not at work, but I will check it in the morning.
Thanks,
Patrick
Ben Alex
Oct 29th, 2004, 08:10 PM
I just committed a change to AuthenticationProcessingFilter into CVS so there is a single method in that class which you can override to control the Authentication.setDetails(Object). Please note that CVS is in a state of change at present, in line with Maven refactoring, so it might pay to give it a couple of days before trying to checkout and build.
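An added example of the approach Ben describes (not code from the thread or from Acegi itself): the filter subclass stores the session id as the Authentication details, and a listener reads it back from AuthenticationSuccessEvent. Package and method names assume Acegi 1.0.x (org.acegisecurity.*), where the override point is setDetails(HttpServletRequest, UsernamePasswordAuthenticationToken); the provider copies the details onto the successful Authentication.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.event.authentication.AuthenticationSuccessEvent;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

public class SessionIdAuthenticationProcessingFilter extends AuthenticationProcessingFilter {

    /** Value object stored as Authentication.getDetails(); Serializable so it survives session persistence. */
    public static final class LoginDetails implements java.io.Serializable {
        private final String sessionId;
        private final String remoteAddress;
        public LoginDetails(String sessionId, String remoteAddress) {
            this.sessionId = sessionId;
            this.remoteAddress = remoteAddress;
        }
        public String getSessionId() { return sessionId; }
        public String getRemoteAddress() { return remoteAddress; }
    }

    // Override point (assumed Acegi 1.0.x signature): called before the token goes to the AuthenticationManager.
    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        HttpSession session = request.getSession(false); // do not create a session just to obtain an id
        String sessionId = (session == null) ? null : session.getId();
        authRequest.setDetails(new LoginDetails(sessionId, request.getRemoteAddr()));
    }
}

/** Register as a bean; Spring delivers AuthenticationSuccessEvent here once the provider has published it. */
class LoginAuditListener implements ApplicationListener {
    public void onApplicationEvent(ApplicationEvent event) {
        if (!(event instanceof AuthenticationSuccessEvent)) {
            return;
        }
        Authentication auth = ((AuthenticationSuccessEvent) event).getAuthentication();
        Object details = auth.getDetails();
        if (details instanceof SessionIdAuthenticationProcessingFilter.LoginDetails) {
            SessionIdAuthenticationProcessingFilter.LoginDetails d = (SessionIdAuthenticationProcessingFilter.LoginDetails) details;
            // Correlation key for the application's own event log; the id is also the session's bearer token, so the log itself needs access control.
            record(auth.getName(), d.getSessionId(), d.getRemoteAddress());
        }
    }
    void record(String user, String sessionId, String remoteAddress) {
        System.out.println("login user=" + user + " session=" + sessionId + " from=" + remoteAddress);
    }
}
```

If a session-fixation protection filter is in the chain and rotates the id after login, the value recorded here is the pre-login id, so correlate on both if such a filter is used.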
MrBurns
Mar 17th, 2007, 09:14 AM
Hello,
When using the JdbcDaoImpl to perform a usersByUsernameQuery, I need an additional value for the query in order to identify a user, e.g.
SELECT username,password,'true' AS enabled FROM tbloutletuser WHERE username = ? AND outlet_id= ?
The question is, how do I get the outlet_id value into this?
Looking through the API, I think the answer may partially lie in AuthenticationProcessingFilter.
Could I subclass this and retrieve the outlet_id value (sent by the login page say) from the request,
and if so, then where do I store it so that it could be retrieved by the JdbcDaoImpl
(or whichever class should retrieve it?) and used in the query?
If subclassing AuthenticationProcessingFilter then which method? I was thinking maybe getDetails() but it seems to be protected, meaning that I would have to provide whatever functionality this method already provides... am I right?
Any help appreciated,
Newbie Acegi user.
karldmoore
Mar 17th, 2007, 09:39 AM
There are a few things you'd need to do here and a few problems. Firstly sub-class AuthenticationProcessingFilter and get your value from the page. Then sub-class UsernamePasswordAuthenticationToken to add your needed property. This would get down as far as the DaoAuthenticationProvider. The problem you then have is that UserDetailsService.loadUserByUsername(..) only accepts a username. One way of solving this whole thing is to prepend the username with the value e.g. myValue:username. This would then be able to go straight into the UserDetailsService.
MrBurns
Mar 17th, 2007, 12:59 PM
Thanks for the reply karldmoore!
I tried what you suggested, passing a value with the username but for some reason, in my CustomApplicationProcessingFilter I can't retrieve the value?
Perhaps it's something stupid I'm overlooking..
Here is the markup in my signin form:
<form action="/studentapp/student/j_acegi_security_check" method="POST">
<input type="hidden" name="outlet_id" value="MY_OUTLET">
<table>
<tr><td>User:</td><td><input type='text' name='j_username' value='null:MY_OUTLET:aodh'></td></tr>
<tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
<tr><td><input type="checkbox" name="_acegi_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>
<tr><td colspan='2'><input name="submit" type="submit"></td></tr>
<tr><td colspan='2'><input name="reset" type="reset"></td></tr>
</table>
</form>
With the hidden field sending a test value in bold.
It comes up as null in the processing filter?
The key i'm using to retrieve the value from the request is:
private static final String OUTLET_ID = "outlet_id";
I override the obtainUsername() method in the processing filter to do this and it is hitting the method as I get the System.out() outputs...
protected String obtainUsername(HttpServletRequest request) {
String outlet_id=(String) request.getAttribute(OUTLET_ID);
String username=(String)request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
System.out.println("OUTLET ID:" + outlet_id);
System.out.println("Username:" + username);
return outlet_id + ":" + username;
}
Any idea why my hidden value isn't making it through to the filter?
karldmoore
Mar 17th, 2007, 05:20 PM
The obvious difference is; getAttribute() for one and getParameter() for the other.
String outlet_id=(String) request.getAttribute(OUTLET_ID);
String username=(String)request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
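An added example (not code from the thread or from Acegi) that puts karldmoore's two replies together: the filter reads the hidden field with getParameter() and builds the "value:username" string, and a UserDetailsService splits it again and runs the poster's outlet-scoped query with bound parameters. Package names assume Acegi 1.0.x (org.acegisecurity.*) plus Spring's JdbcTemplate; the table and column names are the ones from the poster's query, and ROLE_USER is a placeholder authority.

```java
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;
import java.util.List;
import java.util.Map;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.jdbc.core.JdbcTemplate;

public class OutletAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
    public static final String OUTLET_ID = "outlet_id"; // name of the hidden form field
    public static final char SEPARATOR = ':';

    protected String obtainUsername(HttpServletRequest request) {
        // Form fields arrive as request parameters; getAttribute() reads server-side state set by earlier filters.
        String outlet = request.getParameter(OUTLET_ID);
        String username = request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
        if (outlet == null || username == null || outlet.indexOf(SEPARATOR) >= 0) {
            return ""; // malformed login; the lookup below reports it as "not found"
        }
        return outlet + SEPARATOR + username; // e.g. "MY_OUTLET:aodh"
    }
}

/** Splits "outlet:username" at the first separator and runs the outlet-scoped query with bound parameters. */
class OutletUserDetailsService implements UserDetailsService {
    private static final String SQL =
        "SELECT username, password, 'true' AS enabled FROM tbloutletuser WHERE username = ? AND outlet_id = ?";
    private final JdbcTemplate jdbc;
    public OutletUserDetailsService(DataSource ds) { this.jdbc = new JdbcTemplate(ds); }

    public UserDetails loadUserByUsername(String composite) throws UsernameNotFoundException {
        int sep = composite.indexOf(OutletAuthenticationProcessingFilter.SEPARATOR);
        if (sep <= 0 || sep == composite.length() - 1) {
            throw new UsernameNotFoundException("Malformed login");
        }
        String outlet = composite.substring(0, sep);
        String username = composite.substring(sep + 1); // a ':' inside the username itself is preserved
        List rows = jdbc.queryForList(SQL, new Object[] { username, outlet });
        if (rows.size() != 1) { // same failure for an unknown user and for the wrong outlet
            throw new UsernameNotFoundException("User not found");
        }
        Map row = (Map) rows.get(0);
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") };
        return new User((String) row.get("username"), (String) row.get("password"), true, true, true, true, roles);
    }
}
```

The composite string is what the filter stores as the last username and what Authentication.getName() returns, so anything else in the chain that displays or compares the username sees "outlet:username" unless it splits it the same way.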
MrBurns
Mar 17th, 2007, 05:57 PM
Hi Karldmoore,
It's always the little things!
Thanks again,
As a matter of interest, I got the thing to work, but it seems very 'hackish'. I have to parse the string in one place to ensure only the username is stored as the ACEGI_SECURITY_LAST_USERNAME_KEY etc.
I'm afraid that if the username is used anywhere else in the chain that this solution may prove brittle?
karldmoore
Mar 24th, 2007, 05:06 AM
I understand what you're saying. It's not the best, but it does work. The only place that the username should be used is in the UserDetailsService and then if you are using the authz tags, that's another place. Other than that I think you should be fine.
MrBurns
Mar 24th, 2007, 10:40 PM
I'm trying to get the exception translation filter (I guess) to trigger a login prompt before the user can proceed to place an order in a commerce app, if they are not already authenticated.
To process ordering, I was thinking of using a wizard controller...customer adds stuff to the shopping basket continually until the proceed to checkout button etc. is pressed. If not logged in, a login prompt appears asking them to login, they would then be redirected to a page where they can finally place the order etc.
The difficulty I met upon setting up a quick test is as follows:
The first page of the controller is in a non-secure folder (/WEB-INF/my-non-secure-page.jsp); the second page I placed in a secured directory (/WEB-INF/customer/my-secured-page.jsp).
Now, the controller retrieves the second page when I press Next on the wizard form. I am at no time prompted to login like I would hope.
I know the /customer directory is secured as when I try to access some resource e.g. myapp/customer/blah I am prompted to login first. The reason I am not prompted as far as I can see has to do with two things:
1. because I'm using an InternalResourceViewResolver which prepends /WEB-INF/ and appends .jsp to the wizard page, and this is causing Acegi not to intercept, as my FilterChainProxy is based on securing /customer/** (although I tried /web/inf/customer/ but no go.)
or
2. When using a controller, such as the wizard form controller, the page is retrieved and rendered without regard to security i.e. the controller is 'permitted' to access secured resources or something like that?
Are these reasons plausible? is there anything I can do?
Thanks for any help!
Aodh.
karldmoore
Mar 25th, 2007, 07:03 AM
I think this all depends on how you are protecting things. If you are placing the pages below WEB-INF then people can't directly access them anyway. The only thing to then protect is the URLs. I would double check that the secured URL matches what is being executed. Sticking the debugger on the code is always a good idea.