First, thanks to Ben for helping me understand some of the Acegi internals. My question revolves around using BASIC authentication with Acegi. First, let me start by stating that I am not using HTML. I am using Flex which uses a Flash client with SOAP requests.

What I want to know is, if I use BASIC authentication, will Acegi still be able to use the notion of a ContextHolder to store authentication credentials such as roles? I want to use the roles for my Spring managed business objects of course.

Furthermore, is there a filter that I should be using that will not redirect to a page if authentication fails? Instead of the filter redirecting to a JSP, or other page, I would like to just send a response.sendError(HttpServlet.SC_UNAUTHORIZED) back to the client. Should I just write my own filter that is similar to the BasicProcessingFilter and append it in the chain of filters? The Flash client is expecting a 401 HTTP error to notice a Client.Authentication fault/exception. The current filter tries to redirect to the custom login form which does not apply in my context.
Here is an example of the kind of filter I would need for my Flex client to understand what happens when the user is not authenticated:

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String authorization = request.getHeader("Authorization");
        boolean authorized = false;

        // Only parse headers that use the Basic scheme (scheme names are case-insensitive).
        String scheme = HttpServletRequest.BASIC_AUTH + " ";
        if (authorization != null
                && authorization.regionMatches(true, 0, scheme, 0, scheme.length())) {
            // Skip the scheme and the separating space before decoding.
            String encoded = authorization.substring(scheme.length()).trim();
            String decoded = new String(Base64.decode(encoded));
            // A token without ':' is malformed; treat it as unauthenticated.
            int colon = decoded.indexOf(":");
            if (colon >= 0) {
                String username = decoded.substring(0, colon);
                String password = decoded.substring(colon + 1);
                authorized = "sampleuser".equals(username) && "samplepassword".equals(password);
            }
        }

        if (!authorized) {
            // Answer with 401 and a challenge instead of redirecting to a login page.
            response.setHeader("WWW-Authenticate", "BASIC realm=\"\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        chain.doFilter(req, res);
    }

Also, can I narrow the number of filters that need to be applied if I use BASIC authentication? This security framework would be a *huge* advantage for our development if we can integrate it with Spring and Flex.

Thanks,
Mark