Oct 16th, 2008, 01:34 PM
Using custom Authentication class
I'm reading the docs for Acegi Security 1.0.7 and I think I'm close to a design for my authentication scheme. I need to hook into Acegi for a SAML SSO integration.
I think I can achieve this by creating an AuthenticationProvider class that will look for an SSO token (in this case, a browser cookie) - if there is one and it's valid, the user is authenticated; if either is false, redirect to the ServiceProvider to initialize SSO.
My problem of the moment is that I don't see how I can access the HttpRequest to fetch the cookie from within the 'authenticate' method.
From what I understand of the framework, I can create an implementation of Authentication (call it SsoCookieAuthentication) that makes the appropriate cookie (or not) available via getCredentials() and I can access the Authentication via:
But how do I configure or code so that the object returned by this call is my SsoCookieAuthentication? Do I need to write a filter that explicitly creates and sets the Authentication object?
Oct 17th, 2008, 02:58 AM
If you want to use a custom authentication token you should implement your own authentication filter to create the new token.
Instead of that, I suggest you use the filters and authentication tokens provided by Spring Security. If you need to add extra information to the token you can use the "details" attribute.
It's very simple: you need to create a new AuthenticationDetailsSource (http://static.springframework.org/sp...ilsSource.html). This class will be responsible for building the details of the authentication token.
As you can see in the source of the authentication filters, when the token is created the function setDetails(request, authRequest); is called. This function executes the buildDetails function of the authenticationDetailsSource that you have specified in the filter (by default it is WebAuthenticationDetailsSource). You can set your own AuthenticationDetailsSource to build the details attribute with a class that holds the SAML and all the information you want.
You'll understand it better if you see the source of WebAuthenticationDetailsSource and WebAuthenticationDetails.
Sorry for my English :P I hope this information is useful to you. I had the same problem months ago and someone here recommended the approach I have tried to explain to you.
Edit: I found the post where I explained what I was trying to do and Luke Taylor answered me with this information http://jira.springframework.org/browse/SEC-948
Last edited by Yuki; Oct 17th, 2008 at 05:59 AM.
Reason: Trying to correct my English and adding useful information
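Added example, not from the thread or from Acegi itself: the details-source approach described in the post above, written against the Acegi 1.0.x API (the `org.acegisecurity` package names and the `buildDetails(HttpServletRequest)` signature are assumed for that version). The cookie name `SSO_TOKEN`, the `SsoTokenValidator` interface, the class names and the `ROLE_USER` authority are hypothetical.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.*;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.AuthenticationDetailsSource;
import org.acegisecurity.ui.WebAuthenticationDetails;

// Copies only the cookie value; the details object outlives the request.
class SsoCookieDetails extends WebAuthenticationDetails {
    // No initializer: super() calls doPopulateAdditionalInformation() before
    // subclass initializers run, and an initializer would wipe the value.
    private String ssoToken;
    SsoCookieDetails(HttpServletRequest request) { super(request); }
    protected void doPopulateAdditionalInformation(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when none were sent
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if ("SSO_TOKEN".equals(cookies[i].getName())) { // assumed cookie name
                ssoToken = cookies[i].getValue();
            }
        }
    }
    String getSsoToken() { return ssoToken; }
}

// Injected into the authentication filter's authenticationDetailsSource property.
class SsoCookieDetailsSource implements AuthenticationDetailsSource {
    public Object buildDetails(HttpServletRequest request) {
        return new SsoCookieDetails(request);
    }
}

// Hypothetical: verifies the token and returns its subject, or null if invalid.
interface SsoTokenValidator { String subjectOf(String token); }

class SsoCookieAuthenticationProvider implements AuthenticationProvider {
    private final SsoTokenValidator validator;
    SsoCookieAuthenticationProvider(SsoTokenValidator validator) { this.validator = validator; }
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        if (!(auth.getDetails() instanceof SsoCookieDetails)) return null; // not ours
        String token = ((SsoCookieDetails) auth.getDetails()).getSsoToken();
        String subject = (token == null) ? null : validator.subjectOf(token);
        if (subject == null) throw new BadCredentialsException("Missing or invalid SSO token");
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_USER") }; // assumed role
        return new UsernamePasswordAuthenticationToken(subject, token, roles);
    }
    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The cookie is treated as untrusted input throughout: its presence alone never authenticates anyone, and the provider only issues an authenticated token after the validator has verified it.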
Oct 17th, 2008, 08:31 AM
Thanks, Yuki - this looks promising.
Oct 21st, 2008, 11:57 AM
Could I just extend WebAuthenticationDetails and implement doPopulateAdditionalInformation? It seems like that's what it's there for...
Oct 23rd, 2008, 03:42 PM
Now that I've created a custom AuthenticationDetailsSource class, how do I configure ACEGI to use it?
This is clearly a n00b question - please humor me!
Oct 23rd, 2008, 06:38 PM
Best option is to add the source jar to your IDE and do a "find usages".
Alternatively, Google (on AuthenticationDetailsSource) might lead you to the equivalent Javadoc:
and you can immediately find out where it is used and what beans have setters for it.
Oct 28th, 2008, 02:40 PM
I have to admit that I'm still stumped here.
I have managed to write an AuthenticationProvider and configure my application to use it.
What I want to do is give the AuthenticationProvider instance access to the HttpServletRequest object (or equivalent) in the authenticate() method.
Unless this is globally available in a way that I don't know yet, I was hoping to make it accessible via authentication.getDetails() since that returns an arbitrary Object.
To this end, I have written a class that extends WebAuthenticationDetails and set additional (Request-related) values on the object. However, I am at a loss as to how to configure my application to use the Details class that I've written.
Oct 29th, 2008, 03:40 PM
Look into the org.springframework.web.servlet.HandlerInterceptor.
Originally Posted by jon.lustig
You can create a class that extends the HandlerInterceptorAdapter class and implements the preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) method.
As you can see you have access to the HttpServletRequest from there and therefore, can read your cookie.
Last edited by InfiniteLoop; Oct 29th, 2008 at 03:58 PM.
Dec 31st, 2008, 07:48 AM
I am facing the same issue and was wondering if you found how to link your own WebAuthenticationDetails to Acegi?
Dec 31st, 2008, 07:51 AM
Did you figure out how to configure your application to use your WebAuthenticationDetails?