Title: The relentless pursuit of integrating Acegi Security with Siteminder

All,
    
     I upgraded my appfuse application from appfuse 1.8.2 to 1.9 and from acegi 0.83 to 1.0 RC1
because I could not get Acegi to work with Siteminder.  Well, I still haven't gotten it to work,
but I have come a long way in understanding how Acegi works, so it was not all in vain :-)

Anyway, as you know, integrating acegi with the Siteminder agent means adding a different
authenticationProcessingFilter to the application-security.xml file. The source file is
SiteminderAuthenticationProcessingFilter, which extends AuthenticationProcessingFilter,
which in turn extends AbstractProcessingFilter. AbstractProcessingFilter is a very interesting
class. In order for authentication to take place the doFilter() method on the
SiteminderAuthenticationProcessingFilter class is called, but since there isn't one the parent doFilter()
gets called instead. But since its parent AuthenticationProcessingFilter does not have a doFilter() method
either, it calls the doFilter() method of its parent AbstractProcessingFilter. So we end up in the doFilter() of
AbstractProcessingFilter. Here is a code snippet of the doFilter() method. The key to getting authenticated,
or an attempt at getting authenticated, is getting the method "attemptAuthentication(httpRequest)" called.
In order for this to happen the method "requiresAuthentication(httpRequest, httpResponse)" shown in the snippet
has to return "true". It will ONLY return true if the url ends with "j_security_check", based on what you had set in your
application-security.xml file ( <property name="filterProcessesUrl" value="/j_security_check"/> ) on the
authenticationProcessingFilter bean.

So the point of all this is that even when the header information is available from Siteminder,
the method "requiresAuthentication(httpRequest, httpResponse)" is still evaluating to false, which means
"attemptAuthentication(httpRequest)" is never called, as shown in the snippet below, and so the header information
is never used and authentication never occurs, and so authentication fails and sends you to the login form.
This is all based on debugging the login process. I have been told that I need to rewrite other acegi classes,
but I don't think I need to. Once I get to the login form and enter my username and password (which is the same
as the username) and hit the login button, "j_security_check" gets sent as the action, and so the
"requiresAuthentication(httpRequest, httpResponse)" method now evaluates as "true" and I am authenticated and
I am sent to my main page. My question is: how can "j_security_check" get sent as part of my url so that
"requiresAuthentication(httpRequest, httpResponse)" evaluates as "true"? That is the question.
Sorry for babbling on, but this is the only way I could explain it :-)



 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
         throws IOException, ServletException {

         // AbstractProcessingFilter only handles HTTP; these casts were cut from the snippet
         HttpServletRequest httpRequest = (HttpServletRequest) request;
         HttpServletResponse httpResponse = (HttpServletResponse) response;

         // Only true when the request URI ends with filterProcessesUrl (/j_security_check)
         if ( requiresAuthentication(httpRequest, httpResponse) ) {
             Authentication authResult;

             try {
                 authResult = attemptAuthentication(httpRequest);
             } catch (AuthenticationException failed) {
                 // Authentication failed: redirect to authenticationFailureUrl (the login form)
                 unsuccessfulAuthentication(httpRequest, httpResponse, failed);
                 return;
             }

             // Authentication succeeded: store the result and redirect to the target URL
             successfulAuthentication(httpRequest, httpResponse, authResult);
             return;
         }

         // Any other URL is not this filter's business: continue down the chain
         chain.doFilter(request, response);
     }
     

- Paul
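One way to make requiresAuthentication() fire on requests the Siteminder agent has already populated, as an added example that is not Paul's code nor Acegi's own: subclass SiteminderAuthenticationProcessingFilter and widen the check that gates attemptAuthentication(). It assumes Acegi 1.0 RC1's org.acegisecurity packages, a getSiteminderUsernameHeaderKey() getter for the bean's siteminderUsernameHeaderKey property, and that the servlet container is reachable only through the Siteminder agent.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import org.acegisecurity.ui.webapp.SiteminderAuthenticationProcessingFilter;

/**
 * Hypothetical subclass (not part of Acegi or appfuse): widens the check that
 * AbstractProcessingFilter.doFilter() makes before calling attemptAuthentication(),
 * so a request that already carries the Siteminder username header is processed
 * even though its URL does not end with filterProcessesUrl (/j_security_check).
 */
public class HeaderAwareSiteminderFilter extends SiteminderAuthenticationProcessingFilter {

    protected boolean requiresAuthentication(HttpServletRequest request,
                                             HttpServletResponse response) {
        // Keep the stock behaviour: the form POST to /j_security_check still works.
        if (super.requiresAuthentication(request, response)) {
            return true;
        }

        // A principal is already in the SecurityContext for this session (and it is
        // not the anonymous token): do not re-authenticate on every request.
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing != null && existing.isAuthenticated()
                && !(existing instanceof AnonymousAuthenticationToken)) {
            return false;
        }

        // Header written by the Siteminder agent; the name comes from the
        // siteminderUsernameHeaderKey property on the bean (getter assumed to exist).
        // Trusting it is only safe when no request can bypass the agent, because
        // any HTTP client can otherwise set this header itself.
        String smUser = request.getHeader(getSiteminderUsernameHeaderKey());
        return smUser != null && smUser.trim().length() > 0;
    }
}
```

Because successfulAuthentication() redirects instead of continuing the filter chain, the first header-authenticated request typically lands on defaultTargetUrl rather than on the URL originally requested.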
