Using custom Authentication class

**jon.lustig** · Oct 16th, 2008, 01:34 PM

I'm reading the docs for Acegi Security 1.0.7 and I think I'm close to a design for my authentication scheme. I need to hook into Acegi for a SAML SSO integration.

I think I can achieve this by creating an AuthenticationProvider class that will look for an SSO token (in this case, a browser cookie) - if there is one and its valid, user is authenticated, if either is false, redirect to ServiceProvider to initialize SSO.

My problem of the moment is that I don't see how I can access the HttpRequest to fetch the cookie from within the 'authenticate' method.

From what I understand of the framework, I can create an implementation of Authentication (call it SsoCookieAuthentication) that makes the appropriate cookie (or not) available via getCredentials() and I can access the Authentication via:

SecurityContextHolder().getContext().getAuthentica tion()

But how do I configure or code so that the object returned by this call is my SsoCookieAuthentication ? Do I need to write a filter that explicitly creates and sets the Authentication object?

Thanks,

Jon

**Yuki** · Oct 17th, 2008, 02:58 AM

Hi!
If you want to use a custom authentication token you should implement your own authentication filter to create the new token.

Instead of that, I suggest you to use the filters and authentication tokens provided by Spring Security. If you need to add extra information in the token you can use the "details" attribute.
It's very simple, you need to create a new AuthenticationDetailsSource (http://static.springframework.org/sp...ilsSource.html) This class will be the responsible to build the details of the authentication token.
As you can see in the source of authentication filters, when the token is created the function setDetails(request, authRequest); is called. This function executes the buildDetails function of the authenticationDetailsSource that you have specified in the filter (by default is WebAuthenticationDetailsSource) You can set your own AuthenticationDetailsSource to build the details attribute with a class that holds the SAML and all information you want.

You'll understand it better if you see the source of WebAuthenticationDetailsSource and WebAuthenticationDetails.

Sorry for my english :P I hope this information would be usefull for you. I had the same problem months ago and someone here recommended me to use the way I tried to explain you.

Edit: I found the post where I explained what I was trying to do and Luke Taylor answered me with this information

http://jira.springframework.org/browse/SEC-948

**jon.lustig** · Oct 17th, 2008, 08:31 AM

Thanks, Yuki - this looks promising.

**jon.lustig** · Oct 21st, 2008, 11:57 AM

Could I just extend WebAuthenticationDetails and implement doPopulateAdditionalInformation ? It seems like that's what it's there for...

**jon.lustig** · Oct 23rd, 2008, 03:42 PM

Now that I've created a custom AuthenticationDetailsSource class, how do I configure ACEGI to use it?

This is clearly a n00b question - please humor me!

Jon

**Luke Taylor** · Oct 23rd, 2008, 06:38 PM

Best option is to add the source jar to your IDE and do a "find usages".

Alternatively, google (on AuthenticationDetailsSource) might lead you to the equivalent Javadoc:

http://www.acegisecurity.org/acegi-s...ilsSource.html

and you can immediately find out where it is used and what beans have setters for it.

**jon.lustig** · Oct 28th, 2008, 02:40 PM

I have to admit that I'm still stumped here.

I have managed to write an AuthenticationProvider and configure my application to use it.

What I want to do is give the AuthenticationProvider instance access to the HttpServletRequest object (or equivalent) in the authenicate() method.

Unless this is globally available in a way that I don't know yet, I was hoping to make it accessible via authentication.getDetails() since that returns an arbitrary Object.

To this end, I have written a class that extends WebAuthenticationDetails and set additional (Request-related) values on the object. However, I am at a loss as to how to configure my application to use the Details class that I've written.

**InfiniteLoop** · Oct 29th, 2008, 03:40 PM

Originally Posted by jon.lustig

I have to admit that I'm still stumped here.

I have managed to write an AuthenticationProvider and configure my application to use it.

What I want to do is give the AuthenticationProvider instance access to the HttpServletRequest object (or equivalent) in the authenicate() method.

Unless this is globally available in a way that I don't know yet, I was hoping to make it accessible via authentication.getDetails() since that returns an arbitrary Object.

To this end, I have written a class that extends WebAuthenticationDetails and set additional (Request-related) values on the object. However, I am at a loss as to how to configure my application to use the Details class that I've written.

Look into the org.springframework.web.servlet.HandlerInterceptor .

You can create a class that extends the HandlerInterceptorAdapter class and implements the preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) method.

As you can see you have access to the HttpServletRequest from there and therefore, can read your cookie.

**Queeny** · Dec 31st, 2008, 07:48 AM

I am facing the same issue and was wondering if you found how to link your own WebAuthenticationDetails to Acegi?

**Queeny** · Dec 31st, 2008, 07:51 AM

Did you figure out how to configure your application to use your WebAuthenticationDetails ?

Thanks,

Q

Thread: Using custom Authentication class

Thread Tools

Display

Using custom Authentication class

Tags for this Thread

Posting Permissions