
Thread: HttpInvoker Basic Authentication and SecurityContextHolder

  1. #1

    HttpInvoker Basic Authentication and SecurityContextHolder

    Hi,

    I use HttpInvoker for the remoting of my application. Authentication is done with the AuthenticationSimpleHttpInvokerRequestExecutor.

    The Dispatcher Servlet is secured with Tomcat Security:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>zld</web-resource-name>
            <description></description>
            <url-pattern>/remote/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>zld</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <description></description>
        <role-name>zld</role-name>
    </security-role>

    On the server I'd like to get the username of this request and try to use SecurityContextHolder.getContext().getAuthentication()

    But authentication is NULL!

    How do I tell Acegi to set the user of the HTTP request in the SecurityContext?
    Do I have to use a filter?

    Thanks a lot.

    Kind Regards, Simon

  2. #2

    > Originally Posted by simas
    > How do I tell Acegi to set the user of the HTTP request in the SecurityContext?
    > Do I have to use a filter?

    Yes. See here for reference.

    I use this chain:

    Code:
        <bean id="security.filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /remoting/**=httpSessionContextIntegrationFilter,basicProcessingFilter
                </value>
            </property>
        </bean>

    Regards,
    Andreas

  3. #3

    Hi Andreas,

    Thanks for your answer.

    I tried only with httpSessionContextIntegrationFilter. But it didn't work.

    I understand httpSessionContextIntegrationFilter but what do you do in basicProcessingFilter?

    Thanks, Simon

  4. #4

    I did it!
    I wrote a BasicAndDigestProcessingFilter that takes the username from the HTTP header.

    Simon

  5. #5

    Why did you write your own? I used the already existing one:
    Code:
        <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
            <property name="allowSessionCreation" value="false"/>
        </bean>

        <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
            <property name="authenticationManager"><ref bean="authenticationManager"/></property>
            <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
            <property name="ignoreFailure" value="true"/>
        </bean>

        <bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
            <property name="realmName"><value>Foo</value></property>
        </bean>

    To answer your former question: The BasicProcessingFilter is the one that actually does the work. The HttpSessionContextIntegrationFilter is mostly necessary for cleaning up things.

    Regards,
    Andreas

  6. #6

    Yes, I know that there is an existing one.
    But I only want to get the username of the authenticated user. The authentication is done with J2EE Security and not with Acegi.

    Code:
        import javax.servlet.http.HttpServletRequest;
        import org.acegisecurity.Authentication;
        import org.acegisecurity.context.SecurityContextHolder;
        import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
        import org.apache.commons.codec.binary.Base64;

        // Reads the username out of the Basic Authorization header (the password part is
        // ignored, Tomcat has already verified it) and puts it into the SecurityContext.
        void setUsernameFromHeader(HttpServletRequest request) {
            String header = request.getHeader("Authorization");
            String username = null;

            if ((header != null) && header.startsWith("Basic ")) {
                String base64Token = header.substring(6);
                String token = new String(Base64.decodeBase64(base64Token.getBytes()));

                int delim = token.indexOf(":");

                if (delim != -1) {
                    username = token.substring(0, delim);
                }
            }
            Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();

            if ((existingAuth == null) || !existingAuth.getName().equals(username)) {
                // two-argument constructor: no authorities, token is not marked authenticated
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(username, null);

                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }

  7. #7
    Luke Taylor (Acegi Security System Team, Spring Team)

    If Tomcat is authenticating the user then you can probably access the username directly from the HttpServletRequest object (getRemoteUser()).
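
    Following Luke's hint, an added example that is not code from this thread or from Acegi: a servlet filter that takes the principal Tomcat has already authenticated (getRemoteUser()) and publishes it in the SecurityContext for the duration of the request, clearing it again afterwards, so the Authorization header from post #6 never has to be re-parsed. The class name, the filter mapping and the ROLE_ZLD authority name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

// Assumed class name; map it to /remote/* in web.xml so it runs only after Tomcat's
// BASIC auth (the <security-constraint> in the first post) has accepted the request.
public class ContainerPrincipalFilter implements Filter {
    // "zld" is the web.xml role from the first post; the ROLE_ prefix is an assumed convention
    private static final String ROLE = "zld";
    private static final String AUTHORITY = "ROLE_ZLD";

    public void init(FilterConfig config) throws ServletException {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Trust only the container's verdict: getRemoteUser() is non-null only after Tomcat
        // has verified the Basic credentials, so the Authorization header is never parsed here.
        String user = request.getRemoteUser();
        try {
            if (user != null) {
                GrantedAuthority[] authorities = request.isUserInRole(ROLE)
                        ? new GrantedAuthority[] { new GrantedAuthorityImpl(AUTHORITY) }
                        : new GrantedAuthority[0];
                // three-argument constructor: marks the token authenticated and carries
                // the authorities, unlike the (principal, credentials) form in post #6
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(user, null, authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            chain.doFilter(req, res);
        } finally {
            // the worker thread is pooled and reused, so never leave a principal behind
            SecurityContextHolder.getContext().setAuthentication(null);
        }
    }
}
```

    Because the container decides who is authenticated, a request that reaches this filter without a principal simply gets an empty SecurityContext rather than a token with a null name.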

  8. #8

    Hey Luke,

    Stupid me! Thanks for your hint.

    Regards, Simon
