Thread: TokenBasedRememberMeServices and UserDetails

  1. #1

    TokenBasedRememberMeServices and UserDetails

    Hello,

    I'm using acegi 1.0.4.
    I have a question about TokenBasedRememberMeServices.

    The userDetails object is created from the injected userDetailsService in line 165
    Code:
    userDetails = this.userDetailsService.loadUserByUsername(cookieTokens[0]);
    In lines 205-207
    Code:
    RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, userDetails,
                                  userDetails.getAuthorities());
    auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
    This userDetails object is used in the constructor of RememberMeAuthenticationToken. But in the next line it is overwritten by authenticationDetailsSource.buildDetails.
    Why?

    The problem for me is that I have a special userDetailsService which creates my UserDetails objects. Why do I also have to inject a special authenticationDetailsSource? Wouldn't it be enough to use the userDetails from the userDetailsService?

    Thanks!

  2. #2

    DataAccessException

    Hi again,
    I have made my own TokenBasedRememberMeServices as a workaround for me. I had to copy the autoLogin method with these modifications:
    Code:
    RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(getKey(), userDetails,
    userDetails.getAuthorities());
    //auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
    auth.setDetails(userDetails);
    I've come up with some other points:
    * line 165 should catch a DataAccessException
    * These points make extension hard:
    ** access to private members with this, instead of getters
    ** cancelCookie is private
    ** constant ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY is private

    Is anybody reading this?
    Should I post to the dev mailing list?
    Or make Jira entries?
    Acegi is a great product!
    I just want to help!

  3. #3

    The 'authenticationDetailsSource' is something different than the 'userDetailsService'... So I don't see the comparison you make.

    The UserDetailsService implementation returns a UserDetails instance. The AuthenticationDetailsSource adds some additional information to the RememberMeAuthenticationToken to enable, for instance, ConcurrentSessionFilter to work (it adds the current sessionId etc.). But it doesn't override the already set UserDetails object...

    The UserDetails object is available with the getPrincipal method and not the getDetails method! Also, the details object isn't even being set in the initial constructor.

    Code:
        public RememberMeAuthenticationToken(String key, Object principal, GrantedAuthority[] authorities) {
            super(authorities);
    
            if ((key == null) || ("".equals(key)) || (principal == null) || "".equals(principal)) {
                throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
            }
    
            this.keyHash = key.hashCode();
            this.principal = principal;
            setAuthenticated(true);
        }
    Code:
        public void setDetails(Object details) {
            this.details = details;
        }
    The set details method only sets the details property, nothing more, nothing less. It doesn't do anything with the principal object (which isn't even accessible!).
    Marten Deinum

  4. #4

    Hello,
    It finally sank in!
    I wanted to use the <authz:authentication> tag and noticed that it displays the principal.
    I made an update to acegi 1.0.5 and there the Javadoc of Authentication is much clearer.
    I always thought getDetails() should return a UserDetails object. But actually getPrincipal() should. Now everything makes much more sense.

    A late thanks !

    PS: It was a bit like: What are they talking about, one guy driving against the traffic ? Hundreds !
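
The distinction this thread settles on, as an added example that is not part of any post or of Acegi's own code: it performs the same two steps as autoLogin() and shows that setDetails() leaves the principal alone. It assumes Acegi 1.0.x on the classpath; the class name, the key, the user "alice" and the details string are constructed for illustration.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

public class PrincipalVsDetailsDemo {

    /** Returns the logged-in user's UserDetails, or null if the principal is of another type. */
    static UserDetails currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof UserDetails)) {
            return null; // nothing in the context, or a principal that is not a UserDetails
        }
        return (UserDetails) auth.getPrincipal();
    }

    public static void main(String[] args) {
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") };
        // Constructed stand-in for what a custom UserDetailsService would return.
        UserDetails loaded = new User("alice", "n/a", true, true, true, true, roles);

        // Same two steps as autoLogin(): principal via the constructor, details via the setter.
        RememberMeAuthenticationToken auth =
                new RememberMeAuthenticationToken("demoKey", loaded, loaded.getAuthorities());
        // Constructed stand-in for the object authenticationDetailsSource.buildDetails(request) returns.
        auth.setDetails("remoteAddress=192.0.2.10; sessionId=CONSTRUCTED");

        SecurityContextHolder.getContext().setAuthentication(auth);
        try {
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            // Identity and roles come from the principal and the token's authorities.
            System.out.println("principal is the loaded UserDetails: " + (currentUser() == loaded));
            System.out.println("username: " + currentUser().getUsername());
            // Request metadata lives in details; it is not a UserDetails.
            System.out.println("details is a UserDetails: " + (current.getDetails() instanceof UserDetails));
            System.out.println("details: " + current.getDetails());
        } finally {
            SecurityContextHolder.clearContext(); // do not leak the token to the next use of this thread
        }
    }
}
```

Code that makes access decisions should read the user from getPrincipal() and getAuthorities(); getDetails() holds per-request data such as the remote address and session id.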

  5. #5
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    There are a few problems with the existing remember me services implementation and it will almost certainly have some alterations made for the 2.0 release. I've also written another implementation of RememberMeServices based on the discussion here

    http://jaspan.com/improved_persisten..._best_practice

    which you might want to take a look at. This also involves refactoring TokenBasedRememberMeServices to use the abstract base class that's been introduced.

    http://opensource.atlassian.com/proj...browse/SEC-588
