Ben,
Thank you for the detailed response. Yes, I hope that the company security
infrastructure is good, and I am sure it is, since to enter your login
credentials you would have had to go through several layers of security
already to get to the login prompt. I myself was a bit surprised to know
that only REMOTE_USER was needed by the app for authentication. I will give
what you instructed a go. But I do have one question: is there a diagram or
pictorial representation of the components for Acegi? Thank you.
Monday, July 19, 2004 11:29 PM
To: [EMAIL PROTECTED]
cc:
From: Ben Alex <[EMAIL PROTECTED]>
Subject: Re: [Acegisecurity-developer] Using a corporate authentication
with Acegi



Stefan D Sookraj wrote:

> All,
> I am trying to integrate Spring/Acegi into a critical application.
> Our company has a common web authentication mechanism that we need to use
> for authentication. It basically sets the REMOTE_USER variable in the
> HTTP request. I can use request.getRemoteUser() or
> request.getUserPrincipal() to retrieve the userid from a controller.
> How can I use this id to then integrate with Acegi authorization
> capabilities? Since authentication is already taken care of by the
> company's authentication mechanism, I just need to get the
> authorization info from Acegi. Any help or pointer where to begin is
> much appreciated. Thank you.

Hi Stefan

You'd need to write two things:

1. A filter which is always executed and queries the REMOTE_USER. It
will create an Authentication request object. It will then pass through
to an AuthenticationManager. Upon successful authentication, it will
place it in the ContextHolder. This approach is very similar to
CasProcessingFilter, BasicProcessingFilter etc (except yours is much
easier as you simply rely on REMOTE_USER).

2. An AuthenticationProvider similar to CasAuthenticationProvider. It
will take the "request" Authentication object (which has a username in
it, as created by the first class above) and will query a backend
repository to determine the GrantedAuthority[]s that apply (for CAS
people usually use DaoCasAuthoritiesPopulator). From there it will
create a "success" Authentication object and return it to the caller.
The eventual caller, as mentioned above, will place it on the
ContextHolder.

There's no reason you need two separate classes. The filter could do
both steps. It's just if you wanted to copy existing patterns, you'd do
it using two classes.

You'd probably use AuthenticationProcessingFilterEntryPoint against your
SecurityEnforcementFilter, so it can redirect to some sort of page which
explains they have not completed the proper corporate login sequence. Or
you can write your own AuthenticationEntryPoint implementation if you
would like other behaviour.

What you're trying to do is pretty easy. I take it there is some good
security infrastructure in place to ensure REMOTE_USER is correctly set!
:-)

HTH
Ben



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
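One way to implement the two pieces Ben describes above (the filter that reads REMOTE_USER and the AuthenticationProvider that attaches GrantedAuthority[]), written as an added example for this page; it is not code from the thread or from the Acegi project. It assumes the mid-2004 Acegi 0.x class and package names (net.sf.acegisecurity.*, ContextHolder with SecureContextImpl, and UsernamePasswordAuthenticationToken reused as the "request" token, since no dedicated pre-authenticated token existed then), so imports may need adjusting for a later release. The RemoteUser* class names and the in-memory role map are assumptions standing in for a real backend repository.

```java
// Added example: Acegi 0.x (mid-2004) package layout assumed; adjust imports to your release.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;
import net.sf.acegisecurity.providers.AuthenticationProvider;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/** Step 1 (hypothetical class): always-on filter that trusts the container-set REMOTE_USER. */
class RemoteUserProcessingFilter implements Filter {
    private final AuthenticationManager authenticationManager; // e.g. a ProviderManager bean

    RemoteUserProcessingFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Read the principal the container/corporate agent established, NOT a raw request
        // header: a header can be forged by any client that can reach the application.
        String remoteUser = ((HttpServletRequest) req).getRemoteUser();

        if (remoteUser != null && !alreadyAuthenticatedAs(remoteUser)) {
            // "Request" token: the password slot is a placeholder, credentials were checked upstream.
            Authentication request = new UsernamePasswordAuthenticationToken(remoteUser, "N/A");
            try {
                Authentication result = authenticationManager.authenticate(request);
                SecureContextImpl ctx = new SecureContextImpl();
                ctx.setAuthentication(result);
                ContextHolder.setContext(ctx);
            } catch (AuthenticationException failed) {
                // Unknown to the authority repository: leave no context behind so the
                // SecurityEnforcementFilter's entry point deals with the request downstream.
                ContextHolder.setContext(null);
            }
        }
        chain.doFilter(req, res);
    }

    /** Skips the backend lookup when this principal is already on the ContextHolder. */
    private boolean alreadyAuthenticatedAs(String remoteUser) {
        Context ctx = ContextHolder.getContext();
        if (!(ctx instanceof SecureContext)) {
            return false;
        }
        Authentication existing = ((SecureContext) ctx).getAuthentication();
        return existing != null && existing.isAuthenticated()
                && remoteUser.equals(existing.getPrincipal());
    }
}

/** Step 2 (hypothetical class): turns the request token into a "success" token with GrantedAuthority[]. */
class RemoteUserAuthenticationProvider implements AuthenticationProvider {
    // Constructed in-memory stand-in for the backend repository a real DAO would query.
    private final Map rolesByUser = new HashMap();

    RemoteUserAuthenticationProvider() {
        rolesByUser.put("alice", new String[] {"ROLE_USER", "ROLE_ADMIN"});
        rolesByUser.put("bob", new String[] {"ROLE_USER"});
    }

    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getPrincipal().toString();
        String[] roles = (String[]) rolesByUser.get(username);
        if (roles == null) {
            // Authenticated by the corporate layer but unknown here: no authorities, no access.
            throw new BadCredentialsException("No authorities on record for " + username);
        }
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles[i]);
        }
        // The three-argument constructor marks the returned token as authenticated.
        return new UsernamePasswordAuthenticationToken(
                authentication.getPrincipal(), authentication.getCredentials(), authorities);
    }
}
```

Register the provider with a ProviderManager, inject that as the filter's AuthenticationManager, and place the filter ahead of the SecurityEnforcementFilter in the chain. Two practitioner checks: the filter is only as trustworthy as the guarantee that every request path into the container passes through the corporate agent that sets REMOTE_USER, so verify there is no direct route to the application port that bypasses it; and ContextHolder is thread-bound, so whatever integration filter carries the context between requests must also clear it when the request ends, or a pooled thread can hand one user's Authentication to the next request it serves.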


