i've implemented an authentication scheme for my webdav server that
allows a client to provide one or more "tickets" in the headers and/or
parameters of a request. the idea is that any person who has a ticket
that is valid on a particular webdav resource can provide it instead
of being forced to provide a username and password.
the server also supports basic authentication for those people who
actually do have accounts on the server and can provide usernames and
passwords. basic is a little bit stronger a security mechanism than
tickets (though still not very strong at all, of course).
i'd like to configure acegi security so that if the request contains
*both* tickets and an Authorization header, then the server will first
try to authenticate the basic credentials, and if that fails, look to
see if any of the tickets are valid.
a more complete description of the algorithm is:
1) if basic credentials only, authenticate them and return a basic
challenge if they fail
2) if tickets only, look for a valid ticket, and return 401 if there are none
3) if both tickets and basic credentials, authenticate the basic
credentials; if those fail, look for a valid ticket, and return a
basic challenge if there are none
where i'm stumbling is that BasicProcessingFilter immediately
authenticates the credentials it finds in the Authorization header,
and upon failure it commences its configured authentication entry
point. why does it do this? why doesn't it simply set up an
authentication token and let the SecurityEnforcementFilter handle the
authentication? that's what my TicketProcessingFilter does, and it
works fine (when the request contains only ticket credentials).
below are most of the relevant bean configurations. i have omitted
those that don't seem to be relevant to these questions.
thanks!
ps: i'm using version 0.9.0, by the way, waiting for the 1.0 final
release before i upgrade.
===================
<!-- provider that validates ticket credentials against the ticket store -->
<bean id="ticketAuthenticationProvider"
      class="org.osaf.cosmo.acegisecurity.ticket.TicketAuthenticationProvider">
  <property name="ticketDao">
    <ref bean="ticketDao"/>
  </property>
</bean>

<!-- manager that tries each provider in turn -->
<bean id="authenticationManager"
      class="net.sf.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <ref local="anonymousAuthenticationProvider"/>
      <ref local="ticketAuthenticationProvider"/>
    </list>
  </property>
</bean>

<!-- interceptor which specifies access control rules for the
     URL space, invoked by security enforcement filter -->
<bean id="davFilterInvocationInterceptor"
      class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/>
  </property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=ROLE_ROOT
    </value>
  </property>
</bean>

<!-- filter chain that kicks off request-time processing;
     filters run in the order listed -->
<bean id="davFilterChainProxy"
      class="net.sf.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=davHttpRequestContextIntegrationFilter,davBasicProcessingFilter,davTicketProcessingFilter,davSecurityEnforcementFilter
    </value>
  </property>
</bean>

<!-- filter that integrates SecurityContext into HTTP request -->
<bean id="davHttpRequestContextIntegrationFilter"
      class="org.osaf.cosmo.acegisecurity.HttpRequestContextIntegrationFilter"/>

<!-- filter that performs ticket authentication -->
<bean id="davTicketProcessingFilter"
      class="org.osaf.cosmo.acegisecurity.ticket.TicketProcessingFilter"/>

<!-- entry point that issues the Basic challenge, and the filter that
     performs Basic authentication -->
<bean id="davBasicAuthenticationEntryPoint"
      class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
  <property name="realmName">
    <value>Cosmo Sharing Server</value>
  </property>
</bean>

<bean id="davBasicProcessingFilter"
      class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="authenticationEntryPoint">
    <ref local="davBasicAuthenticationEntryPoint"/>
  </property>
</bean>

<!-- filter that enforces security constraints on dav requests;
     unauthenticated requests are sent to the Basic entry point -->
<bean id="davSecurityEnforcementFilter"
      class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
  <property name="filterSecurityInterceptor">
    <ref local="davFilterInvocationInterceptor"/>
  </property>
  <property name="authenticationEntryPoint">
    <ref local="davBasicAuthenticationEntryPoint"/>
  </property>
</bean>
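The three-case algorithm described in the post, modelled as a standalone Python decision function so the outcomes can be checked case by case. This is an added example, not Cosmo's or Acegi's code; the account store, the ticket store, the "Ticket" header name and the "ticket" query parameter name are constructed assumptions.

```python
import base64
import hmac
from enum import Enum

# Constructed stand-ins for the server's account and ticket stores (not Cosmo's DAOs).
USERS = {"alice": "s3cret"}                                  # username -> password
VALID_TICKETS = {"/dav/alice/calendar": {"tkt-abc123"}}     # resource -> tickets valid on it

class Outcome(Enum):
    AUTHENTICATED = "authenticated"
    BASIC_CHALLENGE = "401 with WWW-Authenticate: Basic"     # the entry point is commenced
    UNAUTHORIZED = "401 without a challenge"

def basic_header(user, password):
    """Build an 'Authorization: Basic ...' value for a request (usage helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(headers):
    """Return (user, password) from the Authorization header, or None if absent/malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw

def collect_tickets(headers, params):
    """Tickets may arrive in an (assumed) Ticket header and/or repeated 'ticket' parameters."""
    tickets = {t.strip() for t in headers.get("Ticket", "").split(",") if t.strip()}
    tickets.update(params.get("ticket", []))
    return tickets

def authenticate(resource, headers, params):
    """Decide the outcome for one request according to the three rules in the post."""
    basic = parse_basic(headers)
    tickets = collect_tickets(headers, params)
    ticket_ok = bool(tickets & VALID_TICKETS.get(resource, set()))   # tickets are per resource
    if basic is not None:                                   # rules 1 and 3: try Basic first
        user, pw = basic
        if hmac.compare_digest(USERS.get(user, "").encode(), pw.encode()) or ticket_ok:
            return Outcome.AUTHENTICATED                    # Basic ok, or (rule 3) a valid ticket
        return Outcome.BASIC_CHALLENGE                      # Basic was offered, so challenge
    if tickets:                                             # rule 2: tickets only
        return Outcome.AUTHENTICATED if ticket_ok else Outcome.UNAUTHORIZED
    return Outcome.BASIC_CHALLENGE                          # no credentials: enforcement entry point
```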
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer