pass ip address to authentication provider

[jgangemi]

i have a requirement that i need to pass the source ip address to the backend when authenticating a user.

i've already had to write a custom PasswordAuthenticationDao implementation b/c i am authenticating against a web service call, but the interface only allows for a username and password, and no other information. i'm not seeing anything that would allow me to get at the source ip.

am i going to need to write a whole bunch of custom code to accomplish this, or is there already existing code that i can leverage?

[des09]

If you are implementing your own form based login you could concat the ip onto the username, then strip it off in your PasswordAuthenticationDAO impl.

[jgangemi]

no - i'm just using the standard acegi mechanisms and not rolling my own.

i'm thinking that i could pass this information around as "details" in the Authentication object, and then extend the PasswordAuthenticationDao to allow for an additional object to be passed in that contains any extra information and then extend the PasswordDaoAuthenticationProvider to pass the object when it makes the call do the authentication dao.

of course, if there's an easier way to do this already, i'd love to hear about it.

[Ben Alex]

Use ((WebAuthenticationDetails)authentication.getDetai ls()).getRemoteAddress() within your DaoAuthenticationProvider subclass.

[jgangemi]

thx for the reply - i take it that means i'm still going to have to extend the PasswordAuthenticationDao to allow passing of the ip address though.

if there is other interest in this, i'd be happy to share the implementation when it's done.

[Ben Alex]

I wouldn't recommend using PasswordAuthenticationDao, as it's likely to be removed in a future version of Acegi Security because it's only used by the LDAP DAO and I will probably refactor the LDAP DAO into a fully-fledged AuthenticationProvider.

[jgangemi]

could you provide an approach that you would use?

if PasswordAuthenticationDao is going to removed, what mechanism will be left to ppl who need to write custom password authentication code? tapping into the LDAP dao instead?

[Ben Alex]

Subclass DaoAuthenticationProvider and override isPasswordCorrect(Authentication, UserDetails). The Authentication will contain the IP address as discussed above, and the UserDetails will have been obtained from your AuthenticationDao. Would that meet your needs?

[jgangemi]

thx for the response.

i'm not 100% sure if that will meet my needs or not. the current interface i am working with requires that the ip address be sent as part of the request, so it would have to be an input parameter on the PasswordAuthenticationDao.

i could just create my own implementation of the AuthenticationProvider, but then i'd have to duplicate all the "if user enabled" type code since i am leveraging that already to block users from the site, etc.

it seems this could be more easily acheived with some refactoring of the AuthenticationProvider classes (which both have duplicate code) to add in this type of functionality. i would actually think this type of thing would be somewhat common for custom authentication mechanisms - and perhaps a future revision could just include the WebAuthenticationDetails (or an AuthenicationDetails object that needs to be cast) so this type of additional information could be accessed.

i've managed to push off this requirement for now, but i will have to circle back to it at some point. i'd be very happy to continue this discussion, and help implement a usable solution for all to use when the time comes.

[Ben Alex]

the current interface i am working with requires that the ip address be sent as part of the request, so it would have to be an input parameter on the PasswordAuthenticationDao.

I don't understand. The WebAuthenticationDetails will be part of the request to the DaoAuthenticationProvider, available from inside the Authentication object. Could you please expand?