
Thread: request.getRemoteUser()

  1. #1
    Join Date
    Sep 2004
    Location
    Boston, US
    Posts
    130

    request.getRemoteUser()

    Ben,
    Can Acegi set the correct remote user on the request object on successful authentication?

    i.e.
    Code:
    request.getRemoteUser()
    should transparently return

    Code:
    ((net.sf.acegisecurity.providers.dao.User) auth.getPrincipal()).getUsername()
    Some third party libraries/filters like Clickstream use the standard HttpServletRequest API call getRemoteUser() to determine the remote user. It would be nice if the same API call works even when using Acegi authentication as it would make the Acegi authentication more spec compliant or more aligned with the Servlet Web Container authentication.

    I do see the difficulty implementing this, since the HttpServletRequest interface does not have a setRemoteUser(..) and neither does WebLogic's implementation of this interface; however, maybe you can come up with a solution like wrapping the container HttpServletRequest with a proxy in the Acegi filter.


    Thanks,
    Sanjiv

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    If you'd like to implement a HttpServletRequest wrapper, I'd be happy to add it to the source code. Personally I'd try one of the following though:

    (i) Modify code relying on HttpServletRequest.getRemoteUser(). The "principal source" should be pluggable in any decent library, or made pluggable by introduction of an interface. I'm sure projects like ClickStream would welcome a pluggable approach. If it's pluggable you can easily obtain the Authentication in the standard way from the ContextHolder.

    (ii) Use a container adapter. That way Acegi Security will be used for authentication via servlet spec security, and the container will thus populate the HttpServletRequest. Although I tend to stay away from container adapters as much as possible (difficult configuration, need to use the servlet spec to commence authentication based on URL requests, non-portable between web containers).
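
A sketch of option (i) above, added here as an illustration and not part of the original post or of Acegi Security or Clickstream: `RemoteUserSource`, `ContainerRemoteUserSource`, `AcegiRemoteUserSource` and `RequestAuditor` are hypothetical names, while the `ContextHolder`, `SecureContext`, `Authentication` and `User` calls are the ones used elsewhere in this thread. It assumes the servlet API and Acegi Security jars are on the classpath.

```java
import javax.servlet.http.HttpServletRequest;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.providers.dao.User;

/** Hypothetical extension point a library calls instead of request.getRemoteUser(). */
interface RemoteUserSource {
    /** Returns the authenticated user name, or null when the request is anonymous. */
    String resolve(HttpServletRequest request);
}

/** Default source: servlet-spec behaviour, populated by the container. */
class ContainerRemoteUserSource implements RemoteUserSource {
    public String resolve(HttpServletRequest request) {
        return request.getRemoteUser();
    }
}

/** Acegi-backed source: reads the Authentication from the ContextHolder. */
class AcegiRemoteUserSource implements RemoteUserSource {
    public String resolve(HttpServletRequest request) {
        // instanceof is false for null, so an unbound context yields "no user"
        if (!(ContextHolder.getContext() instanceof SecureContext)) {
            return null;
        }
        Authentication auth = ((SecureContext) ContextHolder.getContext()).getAuthentication();
        if (auth == null || auth.getPrincipal() == null) {
            return null;
        }
        Object principal = auth.getPrincipal();
        // getPrincipal() returns Object and is not guaranteed to be a dao.User,
        // so fall back to toString() instead of casting blindly.
        return (principal instanceof User) ? ((User) principal).getUsername() : principal.toString();
    }
}

/** Hypothetical library component that records who made each request. */
class RequestAuditor {
    private RemoteUserSource userSource = new ContainerRemoteUserSource();

    public void setRemoteUserSource(RemoteUserSource userSource) {
        this.userSource = userSource;
    }

    public String describe(HttpServletRequest request) {
        String user = userSource.resolve(request);
        return (user == null ? "anonymous" : user) + " " + request.getRequestURI();
    }
}
```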

  3. #3
    Join Date
    Nov 2004
    Location
    Caracas/Venezuela
    Posts
    4

    Here is the HttpServletRequestWrapper

    Code:
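    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    import net.sf.acegisecurity.Authentication;
    import net.sf.acegisecurity.GrantedAuthority;
    import net.sf.acegisecurity.context.ContextHolder;
    import net.sf.acegisecurity.context.SecureContext;
    import net.sf.acegisecurity.providers.dao.User;

    public class AcegiHttpServletRequestWrapper extends HttpServletRequestWrapper {

        public AcegiHttpServletRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        // Answer role checks from the Acegi authorities rather than the container
        public boolean isUserInRole(String role) {
            return isGranted(role);
        }

        // Answer the remote user from the Acegi Authentication rather than the container
        public String getRemoteUser() {

            Authentication auth = getAuthentication();

            if (auth == null || auth.getPrincipal() == null)
                return null;

            // The principal is an Object and is not always a dao.User,
            // so avoid a ClassCastException on other principal types
            if (auth.getPrincipal() instanceof User)
                return ((User) auth.getPrincipal()).getUsername();

            return auth.getPrincipal().toString();
        }

        // Returns null when no SecureContext is bound to the current thread
        private Authentication getAuthentication() {

            if (ContextHolder.getContext() != null && ContextHolder.getContext() instanceof SecureContext) {
                return ((SecureContext) ContextHolder.getContext()).getAuthentication();
            }

            return null;
        }

        private boolean isGranted(String role) {

            Authentication auth = getAuthentication();

            if (auth == null || auth.getAuthorities() == null)
                return false;

            GrantedAuthority[] authorities = auth.getAuthorities();

            for (int i = 0; i < authorities.length; i++) {
                if (role.equals(authorities[i].getAuthority()))
                    return true;
            }

            return false;
        }
    }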
    Here is the filter

    Code:
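    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    public class AcegiHttpServletRequestFilter implements Filter {

        public void init(FilterConfig filterConfig) throws ServletException {}

        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

            // Pass non-HTTP requests through untouched instead of failing on the cast
            if (!(servletRequest instanceof HttpServletRequest)) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }

            HttpServletRequest request = (HttpServletRequest) servletRequest;

            // Wrap once so downstream code sees the Acegi-backed getRemoteUser() and isUserInRole()
            if (!(request instanceof AcegiHttpServletRequestWrapper)) {
                request = new AcegiHttpServletRequestWrapper(request);
            }

            filterChain.doFilter(request, servletResponse);
        }

        public void destroy() {}
    }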
    And here is the web.xml:

    <filter>
        <filter-name>Acegi Http Servlet Request Filter</filter-name>
        <filter-class>packagename.AcegiHttpServletRequestFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>Acegi Http Servlet Request Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Thanks Sanjiv, this is a really useful integration. I'll add it to Acegi Security CVS later on today.

  5. #5
    Join Date
    Sep 2004
    Location
    Boston, US
    Posts
    130

    Ben,
    Actually I just asked the question and never got to implement it.

    Thank 'paramosyermos' for the implementation.

    Looking forward to using this feature.

    Regards,
    Sanjiv

  6. #6
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Ooops, thanks paramosyermos (could you send me a real name via email, so I can add you to the contributors?).

  7. #7
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    I've now added this to CVS (renamed a little), along with unit tests. See the net.sf.acegisecurity.ui.wrapper package.

  8. #8
    Join Date
    Aug 2004
    Location
    Denver
    Posts
    249

    Is this implemented in Acegi by default now? I don't see the "net.sf.acegisecurity.ui.wrapper" package.

  9. #9
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Matt, it's still in CVS. You'll need to checkout. We really need to get a version 0.7.0 out sometime soon....

  10. #10
    Join Date
    Aug 2004
    Location
    Denver
    Posts
    249

    I was looking in CVS - then I discovered there's more than one src tree: src and core/main/src. I'm guessing the "src" tree is deprecated? Thanks for the help, I'll try using the ContextHolderAwareRequestFilter to get request.getRemoteUser() to work.
