Hi, I'm developing some web application with Acegi Security, and I found some inconsistency in the Authentication objects' design. We have Authentication objects that extend Principal (so they are principals). They also carry a principal, but this one is an Object (not a Principal) intended for custom information about the user. Typically this is a UserDetails, but be aware that they are not the details you get with the getDetails() method (those are something different, I call them AuthenticationRequestDetails)... a lot of mess...
I'm working on different web applications with a couple of nasty things about security:
- my users table has uniqueness for PAIRS username/password, not for usernames, so I can't reuse UserDetailsService.
- I'm integrating the various webapps in a PHP portal that uses custom session tokens (carried in each request) after the first login.

When I access the SecurityContext I need to find a custom person object (it varies between applications) attached to the principal (note, a person is NOT the same as a user, it is NOT a principal!). I already have a ProcessingFilter/AuthenticationProvider for the custom token. The latter uses a special Repository with a loadByUsername( username ) method that finds a list of valid usernames/passwords. Then for each of them it checks against the custom token to find the correct one. I use a strategy to find the right person object and its privileges so each web application can use its own domain object.

I'd want to create a simple extension of this provider to work also with UsernamePasswordAuthenticationToken, but it doesn't work, because it uses the username as its principal object (???) and when I use a custom domain object as my "principal" I lose the username! It seems a small flaw in design: name, credentials and request details should be separated from the user object (the "principal") so they don't risk changing when the Authentication is processed.

What happens to me is the following:
- login.jsp posts to j_acegi_security_check the fields j_username and j_password
- AuthenticationProcessingFilter creates a UsernamePasswordAuthenticationToken and passes it to the authentication manager
- My custom AuthenticationProvider processes the token and finds a custom domain object (a Person) to use as a "principal". It then returns a new UsernamePasswordAuthenticationToken that loses the username (it uses principal.toString()).
- AuthenticationProcessingFilter redirects to the target url, after HttpSessionContextIntegrationFilter stored the authenticated token in the session.
- HttpSessionContextIntegrationFilter restores the token. It then tries to revalidate it against the authentication manager. This time it DOESN'T work, because it cannot find the username.

Any suggestions?

Bye, Davide Romanini
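One way to keep the username while still exposing the application's Person object as the principal, added here as an example and not code from the post or from Acegi itself: make the principal implement Acegi's UserDetails. AbstractAuthenticationToken.getName() returns UserDetails.getUsername() when the principal implements that interface and only falls back to principal.toString() otherwise, so a wrapper that carries both the username and the Person survives being stored in the session and re-read by later filters. The Account, AccountRepository and PersonStrategy types, and the loadByUsername(username) list lookup over (username, password) pairs, are assumptions modelled on what the post describes.

```java
package example; // hypothetical package for the added example

import java.util.Iterator;
import java.util.List;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.encoding.PasswordEncoder;
import org.acegisecurity.userdetails.UserDetails;

/** Assumed application types, modelled on the post's Repository and "strategy". */
interface Account { String getEncodedPassword(); }
interface AccountRepository { List loadByUsername(String username); } // List of Account
interface PersonStrategy {
    Object findPerson(Account account);                 // the webapp's own Person domain object
    GrantedAuthority[] findAuthorities(Object person);  // its privileges
}

/** Principal that implements UserDetails, so the token's getName() keeps returning the username. */
class PersonPrincipal implements UserDetails {
    private final String username;
    private final String encodedPassword;   // encoded value from the account row, never the raw password
    private final Object person;            // the application's Person (NOT a principal by itself)
    private final GrantedAuthority[] authorities;

    PersonPrincipal(String username, String encodedPassword, Object person, GrantedAuthority[] authorities) {
        this.username = username;
        this.encodedPassword = encodedPassword;
        this.person = person;
        this.authorities = authorities;
    }

    public Object getPerson() { return person; }
    public String getUsername() { return username; }
    public String getPassword() { return encodedPassword; }
    public GrantedAuthority[] getAuthorities() { return authorities; }
    public boolean isAccountNonExpired() { return true; }
    public boolean isAccountNonLocked() { return true; }
    public boolean isCredentialsNonExpired() { return true; }
    public boolean isEnabled() { return true; }
    // Fallback for any caller that still uses principal.toString() as the name
    public String toString() { return username; }
}

/** Provider for UsernamePasswordAuthenticationToken over a table unique on (username, password). */
public class PersonAuthenticationProvider implements AuthenticationProvider {
    private final AccountRepository repository;
    private final PasswordEncoder passwordEncoder;  // Acegi encoder matching how passwords are stored
    private final PersonStrategy personStrategy;

    public PersonAuthenticationProvider(AccountRepository repository, PasswordEncoder passwordEncoder,
                                        PersonStrategy personStrategy) {
        this.repository = repository;
        this.passwordEncoder = passwordEncoder;
        this.personStrategy = personStrategy;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String rawPassword = credentials == null ? "" : credentials.toString();

        // Several rows may share the username; the password decides which account it is.
        List accounts = repository.loadByUsername(username);
        for (Iterator it = accounts.iterator(); it.hasNext();) {
            Account account = (Account) it.next();
            if (passwordEncoder.isPasswordValid(account.getEncodedPassword(), rawPassword, null)) {
                Object person = personStrategy.findPerson(account);
                GrantedAuthority[] authorities = personStrategy.findAuthorities(person);
                PersonPrincipal principal =
                        new PersonPrincipal(username, account.getEncodedPassword(), person, authorities);
                // The three-argument constructor marks the token as authenticated.
                UsernamePasswordAuthenticationToken result =
                        new UsernamePasswordAuthenticationToken(principal, credentials, authorities);
                result.setDetails(authentication.getDetails()); // keep the request details (e.g. remote address)
                return result;
            }
        }
        // Same message whether the username is unknown or the password is wrong.
        throw new BadCredentialsException("Bad credentials");
    }

    public boolean supports(Class authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Code that needs the domain object then does `((PersonPrincipal) auth.getPrincipal()).getPerson()` from the SecurityContext, while `auth.getName()` still returns the username for logging, auditing and any later re-authentication. The principal only ever holds the encoded password from the table, and the one BadCredentialsException message avoids revealing whether a username exists.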
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer