
Thread: Accessing HTTP Session Id after Auth attempt

  1. #1
    Join Date
    Aug 2004
    Location
    New York, NY
    Posts
    46

    Accessing HTTP Session Id after Auth attempt

    I was wondering if there is an easy way to get to the HTTP Session Id after an auth event? Do I need to subclass the SecurityEnforcementFilter to achieve this?

    The reason being is that we track the session id in all the events in our app so we can do some reporting on that later.

    I've already hacked it into the Access Denied page I've built by grabbing it out of the request.

    Thanks,
    Patrick

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    You can place whatever you like into Authentication.setDetails(Object). This can then be accessed via the AuthenticationSuccessEvent.getAuthentication(). You'd originally do the setDetails(Object) from a subclass of AbstractProcessingFilter, such as AuthenticationProcessingFilter.

  3. #3
    Join Date
    Aug 2004
    Location
    New York, NY
    Posts
    46

    So you are saying subclass AuthenticationProcessingFilter and then call the setDetails(Object)? Will I need to duplicate the code of AuthenticationProcessingFilter?

    To be honest, I haven't taken a close look at this and I am not at work, but I will check it in the morning.

    Thanks,
    Patrick

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    I just committed a change to AuthenticationProcessingFilter into CVS so there is a single method in that class which you can override to control the Authentication.setDetails(Object). Please note that CVS is in a state of change at present, in line with Maven refactoring, so it might pay to give it a couple of days before trying to checkout and build.

  5. #5
    Join Date
    Mar 2007
    Posts
    8

    Passing token from login page to userdetails service

    Hello,

    When using the JdbcDaoImpl to perform a usersByUsernameQuery, I need an additional value
    for the query in order to identify a user e.g.
    SELECT username,password,'true' AS enabled FROM tbloutletuser WHERE username = ? AND outlet_id= ?

    The question is, how do I get the outlet_id value into this?

    Looking through the API, I think the answer may partially lie in AuthenticationProcessingFilter.

    Could I subclass this and retrieve the outlet_id value (sent by the login page say) from the request,
    and if so, then where do I store it so that it could be retrieved by the JdbcDaoImpl
    (or whichever class should retrieve it?) and used in the query?

    If subclassing AuthenticationProcessingFilter then which method? I was thinking maybe
    getDetails() but it seems to be protected meaning that I would have to provide whatever
    functionality this method already provides... am I right?

    Any help appreciated,

    Newbie Acegi user.

  6. #6
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    There are a few things you'd need to do here and a few problems. Firstly, sub-class AuthenticationProcessingFilter and get your value from the page. Then sub-class UsernamePasswordAuthenticationToken to add your needed property. This would get down as far as the DaoAuthenticationProvider. The problem you then have is that UserDetailsService.loadUserByUsername(..) only accepts a username. One way of solving this whole thing is to prepend the username with the value, e.g. myValue:username. This would then be able to go straight into the UserDetailsService.

  7. #7
    Join Date
    Mar 2007
    Posts
    8

    Passing value with username

    Thanks for the reply karldmoore!

    I tried what you suggested, passing a value with the username but for some reason, in my CustomApplicationProcessingFilter I can't retrieve the value?

    Perhaps it's something stupid I'm overlooking..
    Here is the markup in my signin form:

    HTML Code:
        <form action="/studentapp/student/j_acegi_security_check" method="POST">
          <table>
            <tr><td>User:</td><td><input type='text' name='j_username' value='null:MY_OUTLET:aodh'></td></tr>
            <tr><td>Password:</td><td><input type='password' name='j_password'></td></tr>
            <tr><td><input type="checkbox" name="_acegi_security_remember_me"></td><td>Don't ask for my password for two weeks</td></tr>
    		
    [B]<input type="hidden" name="outlet_id" value="MY_OUTLET">[/B]
    		
            <tr><td colspan='2'><input name="submit" type="submit"></td></tr>
            <tr><td colspan='2'><input name="reset" type="reset"></td></tr>
          </table>
    
    </form>

    With the hidden field sending a test value in bold.

    It comes up as null in the processing filter?

    The key I'm using to retrieve the value from the request is:

    Code:
    	private static final String OUTLET_ID = "outlet_id";

    I override the obtainUsername() method in the processing filter to do this and it is hitting the method as I get the System.out() outputs...

    Code:
        protected String obtainUsername(HttpServletRequest request) {
        	
        	String outlet_id=(String) request.getAttribute(OUTLET_ID);
        	
        	String username=(String)request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
        	
        	System.out.println("OUTLET ID:" + outlet_id);
        	System.out.println("Username:" + username);
    
    
            return outlet_id + ":" + username;
        }

    Any idea why my hidden value isn't making it through to the filter?

  8. #8
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    The obvious difference is: getAttribute() for one and getParameter() for the other.

    Code:
    String outlet_id=(String) request.getAttribute(OUTLET_ID);
    String username=(String)request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);

  9. #9
    Join Date
    Mar 2007
    Posts
    8

    getAttribute() instead of getParameter()

    Hi Karldmoore,

    It's always the little things!

    Thanks again,

    As a matter of interest, I got the thing to work, but it seems very 'hackish'. I have to parse the string in one place to ensure only the username is stored as the ACEGI_SECURITY_LAST_USERNAME_KEY etc.

    I'm afraid that if the username is used anywhere else in the chain that this solution may prove brittle?

  10. #10
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    I understand what you're saying. It's not the best, but it does work. The only place that the username should be used is in the UserDetailsService and then if you are using the authz tags, that's another place. Other than that I think you should be fine.
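
Added example, not part of the thread and not Acegi code: one way to make the `myValue:username` composite discussed in posts #6 to #10 less brittle is to compose and parse it in a single class that validates both parts, so a missing value fails instead of becoming the literal text `null` through Java string concatenation. The class name, the patterns and the length limits are assumptions for illustration.

```java
import java.util.regex.Pattern;

/** Composite login principal of the form "outletId:username" (added example). */
public final class OutletPrincipal {
    private static final char DELIM = ':';
    // Assumed policy: outlet ids never contain the delimiter; adjust to your data.
    private static final Pattern OUTLET_ID = Pattern.compile("[A-Za-z0-9_-]{1,32}");
    private static final Pattern USERNAME = Pattern.compile("[^\\s\\p{Cntrl}]{1,64}");

    public final String outletId;
    public final String username;

    private OutletPrincipal(String outletId, String username) {
        this.outletId = outletId;
        this.username = username;
    }

    /** Filter side: build the composite from two request parameters. */
    public static String compose(String outletId, String username) {
        // A missing parameter must fail here; concatenating null yields the text "null".
        if (outletId == null || username == null
                || !OUTLET_ID.matcher(outletId).matches()
                || !USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid outlet id or username");
        }
        return outletId + DELIM + username;
    }

    /** UserDetailsService side: split on the first delimiter only. */
    public static OutletPrincipal parse(String composite) {
        int i = composite == null ? -1 : composite.indexOf(DELIM);
        if (i < 0) throw new IllegalArgumentException("no outlet prefix");
        String outlet = composite.substring(0, i);
        String user = composite.substring(i + 1);
        compose(outlet, user); // re-validate: the outlet id is client-supplied
        return new OutletPrincipal(outlet, user);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        OutletPrincipal p = parse(compose("MY_OUTLET", "aodh"));
        System.out.println(p.outletId + " / " + p.username);
        OutletPrincipal q = parse("MY_OUTLET:a:b"); // username may contain ':'
        System.out.println(q.outletId + " / " + q.username);
        try {
            compose(null, "aodh");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a custom UserDetailsService, the two parsed fields would be bound as the two `?` parameters of the query shown in post #5, and only `username` would be stored wherever the plain username is expected.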
