Thread: how do i login without using the provided filter?

  1. #1
    Join Date
    Aug 2004
    Posts
    12

    I'm using the quick-start, but I would rather log in using a servlet than the filter provided. What do I need to do in the servlet to log in a user?

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    You simply need to have the Servlet obtain the username and password from the HttpRequest, check it's valid by calling the AuthenticationManager, and if so, store the returned Authentication object in the "well known location". This is usually the HttpSession attribute with the key obtained from HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY.

  3. #3
    Join Date
    Aug 2004
    Posts
    12

    Do I need to set up ContextHolder with a Context or SecureContext object at all?

    In the quick-start there is a debug.jsp that gets the Authentication object from SecureContext, but the Authentication object is also placed in the session.

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    The AbstractSecurityInterceptor is the class which "reads" what should be a valid Authentication object off the ContextHolder. Whilst AbstractSecurityInterceptor still confirms it is valid by presenting it to the AuthenticationManager again, typically applications will validate the username/password when the user first presents them (so it can provide user-friendly feedback, give them a chance to retry etc).

    The net.sf.acegisecurity.ui packages are devoted to getting a valid Authentication onto the ContextHolder. You can use as much or as little of these packages as you like. You can write anything you wish as long as a valid Authentication ends up on the ContextHolder by the time the AbstractSecurityInterceptor gets called.

    You don't need to use HttpSession if you don't wish. But it is a convenient place to hold the valid Authentication object, thus enabling the HttpSessionIntegrationFilter to place a copy on the ContextHolder at the beginning of each web request, and remove it at the end of each web request. If you go with this approach, your Servlet code will not work with ContextHolder at all (leave it to HttpSessionIntegrationFilter, which takes care of threading concerns).

    I hope this clarifies what is going on.

  5. #5
    Join Date
    Aug 2004
    Location
    Bucharest,Romania
    Posts
    19

    Hi,

    I've tried this approach and tried to use auth.isAuthenticated(); later I saw that this method had the following description:
    Code:
        classes should not rely on this value as being valid unless it has been
        set by a trusted <code>AbstractSecurityInterceptor</code>.
    What other way exists to verify this?

    Thanks

  6. #6
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    This is just a reminder that any code can set Authentication.setAuthenticated(true). If your classes use the Authentication object, you must ensure a subclass of AbstractSecurityInterceptor has been called sometime beforehand, as it will delegate validation of the Authentication object to an AuthenticationManager.
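
The servlet login flow described in replies #2 and #4, as an added example that is not code from the thread or from the Acegi project. Assumptions: the bean name `authenticationManager`, the form field names, the redirect paths, and the `net.sf.acegisecurity.ui.webapp` import path for `HttpSessionIntegrationFilter` (it may differ by release); the session reset on login is an addition not discussed in the thread.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter; // assumed package
import org.springframework.web.context.support.WebApplicationContextUtils;

public class LoginServlet extends HttpServlet {
    private AuthenticationManager authenticationManager;

    public void init() throws ServletException {
        // Assumption: the manager is a Spring bean named "authenticationManager".
        authenticationManager = (AuthenticationManager) WebApplicationContextUtils
            .getRequiredWebApplicationContext(getServletContext())
            .getBean("authenticationManager");
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Hypothetical form field names.
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        Authentication request = new UsernamePasswordAuthenticationToken(
            username == null ? "" : username, password == null ? "" : password);
        try {
            // Only the AuthenticationManager decides validity; this code never
            // calls setAuthenticated(true) itself.
            Authentication result = authenticationManager.authenticate(request);
            // Addition: drop any pre-login session so its id is not reused.
            HttpSession old = req.getSession(false);
            if (old != null) old.invalidate();
            // Store the *returned* object under the well-known key. ContextHolder
            // is left to HttpSessionIntegrationFilter on the next request.
            req.getSession(true).setAttribute(
                HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY, result);
            resp.sendRedirect(req.getContextPath() + "/secure/index.jsp"); // hypothetical path
        } catch (AuthenticationException failed) {
            // Same response for any failure; do not reveal which field was wrong.
            resp.sendRedirect(req.getContextPath() + "/login.jsp?login_error=1"); // hypothetical path
        }
    }
}
```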
