Thread: authentication by code

  1. #1

    authentication by code

    Hi

    I am using the following code to log in programmatically, but it doesn't work (it seems not to recognize the authorities). Can someone tell me what's wrong?

    Code:
    UsernamePasswordAuthenticationToken auth =
        new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword());
    auth.setDetails(request.getRemoteAddr());
    auth.setAuthenticated(true);
        
    Context context = ContextHolder.getContext();
    if (context instanceof SecureContext) {
        ((SecureContext) context).setAuthentication(auth);
    }

    I didn't set the authorities because in the javadoc of UsernamePasswordAuthenticationToken, it says that I shouldn't call the setAuthorities method.

    How can I get the AuthenticationManager? So that I can authenticate the UsernamePasswordAuthenticationToken.

    Thanks

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    Hi,

    What do you mean by "it doesn't work"? What's failing and what's the error? Presumably the code you've posted works OK, so it's whatever you're trying to do afterwards that's not working? You haven't really explained the context in which this is taking place. Where are you calling this code from?

    Normally the authentication manager will populate the authorities based on some external configuration (e.g. a database). How you obtain one depends on what you're trying to do.

    Luke.

  3. #3

    I passed an encrypted password to the authenticator instead of a plaintext password and as a result I could not access the restricted pages. Even though I wasn't authenticated, the request.getRemoteUser() call shows my username.

    Thanks

  4. #4

    Quote, originally posted by newreaders:
    "Even though I wasn't authenticated, the request.getRemoteUser() call shows my username."

    The code you have shown above looks like an attempt to write an authentication mechanism. As Luke said, what is the context of the code - what is it trying to do?

    If it's an authentication mechanism (something that presents credentials to the security framework), it is required to present the Authentication to the AuthenticationManager. If AuthenticationManager returns an exception, it is required to set the ContextHolder to null. If AuthenticationManager returns a populated Authentication, an authentication mechanism is required to set the ContextHolder to that returned Authentication. Please take a look at AbstractProcessingFilter and AuthenticationProcessingFilter for a concrete example of this description.

    I would encourage you to use Acegi Security's standard authentication mechanisms instead of writing your own, unless you have a compelling reason.

    The reason request.getRemoteUser() returns a username is because your authentication mechanism has left the ContextHolder with an Authentication object, when, if authentication failed, it should have set the ContextHolder to null.
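
The contract described in post #4, as an added example that is not part of the thread and is not Acegi Security code: the request token is presented to the manager, the returned populated Authentication is stored on success, and the context is cleared on failure. The nested types are simplified stand-ins for the Acegi types named above; `LoginSketch`, `LoginRequest`, `CONTEXT` and the in-memory user store are hypothetical.

```java
import java.util.*;

// Simplified stand-ins for the Acegi types named in the thread (not the real classes).
public class LoginSketch {
    interface Authentication { String getName(); List<String> getAuthorities(); }
    interface AuthenticationManager { Authentication authenticate(Authentication request); }
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String m) { super(m); }
    }
    // Request token: carries credentials only, never authorities or an "authenticated" flag.
    record LoginRequest(String name, String password) implements Authentication {
        public String getName() { return name; }
        public List<String> getAuthorities() { return List.of(); }
    }
    // Stand-in for ContextHolder: one Authentication per thread, null when anonymous.
    static final ThreadLocal<Authentication> CONTEXT = new ThreadLocal<>();

    // The mechanism's contract: present the request, then store the result or clear.
    static boolean login(AuthenticationManager manager, String user, String password) {
        try {
            Authentication result = manager.authenticate(new LoginRequest(user, password));
            CONTEXT.set(result);   // store what the manager returned, not the request token
            return true;
        } catch (AuthenticationException e) {
            CONTEXT.remove();      // failed: leave no Authentication behind
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed user store; plaintext and equals() are for brevity only.
        Map<String, String> passwords = Map.of("alice", "s3cret");
        Map<String, List<String>> roles = Map.of("alice", List.of("ROLE_USER"));
        AuthenticationManager manager = req -> {
            LoginRequest r = (LoginRequest) req;
            if (!r.password().equals(passwords.get(r.name())))
                throw new AuthenticationException("Bad credentials");
            return new Authentication() {   // populated: authorities come from the store
                public String getName() { return r.name(); }
                public List<String> getAuthorities() { return roles.get(r.name()); }
            };
        };
        System.out.println(login(manager, "alice", "s3cret") + " " + CONTEXT.get().getAuthorities());
        System.out.println(login(manager, "alice", "wrong") + " " + CONTEXT.get());
    }
}
```

The second call is the case from post #3: a credential the manager rejects must leave the context empty, so a later identity lookup reports no user.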
