-
Oct 16th, 2008, 01:34 PM
#1
Using custom Authentication class
I'm reading the docs for Acegi Security 1.0.7 and I think I'm close to a design for my authentication scheme. I need to hook into Acegi for a SAML SSO integration.
I think I can achieve this by creating an AuthenticationProvider class that will look for an SSO token (in this case, a browser cookie) - if there is one and its valid, user is authenticated, if either is false, redirect to ServiceProvider to initialize SSO.
My problem of the moment is that I don't see how I can access the HttpRequest to fetch the cookie from within the 'authenticate' method.
From what I understand of the framework, I can create an implementation of Authentication (call it SsoCookieAuthentication) that makes the appropriate cookie (or not) available via getCredentials() and I can access the Authentication via:
SecurityContextHolder().getContext().getAuthentica tion()
But how do I configure or code so that the object returned by this call is my SsoCookieAuthentication ? Do I need to write a filter that explicitly creates and sets the Authentication object?
Thanks,
Jon
-
Oct 17th, 2008, 02:58 AM
#2
Hi!
If you want to use a custom authentication token you should implement your own authentication filter to create the new token.
Instead of that, I suggest you to use the filters and authentication tokens provided by Spring Security. If you need to add extra information in the token you can use the "details" attribute.
It's very simple, you need to create a new AuthenticationDetailsSource (http://static.springframework.org/sp...ilsSource.html) This class will be the responsible to build the details of the authentication token.
As you can see in the source of authentication filters, when the token is created the function setDetails(request, authRequest); is called. This function executes the buildDetails function of the authenticationDetailsSource that you have specified in the filter (by default is WebAuthenticationDetailsSource) You can set your own AuthenticationDetailsSource to build the details attribute with a class that holds the SAML and all information you want.
You'll understand it better if you see the source of WebAuthenticationDetailsSource and WebAuthenticationDetails.
Sorry for my english :P I hope this information would be usefull for you. I had the same problem months ago and someone here recommended me to use the way I tried to explain you.
Edit: I found the post where I explained what I was trying to do and Luke Taylor answered me with this information 
http://jira.springframework.org/browse/SEC-948
Last edited by Yuki; Oct 17th, 2008 at 05:59 AM.
Reason: Trying to correct my english and adding useful information
-
Oct 17th, 2008, 08:31 AM
#3
Thanks, Yuki - this looks promising.
-
Oct 21st, 2008, 11:57 AM
#4
Could I just extend WebAuthenticationDetails and implement doPopulateAdditionalInformation ? It seems like that's what it's there for...
-
Oct 23rd, 2008, 03:42 PM
#5
Now that I've created a custom AuthenticationDetailsSource class, how do I configure ACEGI to use it?
This is clearly a n00b question - please humor me!
Jon
-
Oct 23rd, 2008, 06:38 PM
#6
Best option is to add the source jar to your IDE and do a "find usages".
Alternatively, google (on AuthenticationDetailsSource) might lead you to the equivalent Javadoc:
http://www.acegisecurity.org/acegi-s...ilsSource.html
and you can immediately find out where it is used and what beans have setters for it.
Tags for this Thread
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
