On Fri, 29/12/2006 at 08:13 +1100, Ben Alex wrote:
> You can successfully write an AuthenticationProvider and authentication
> mechanism which uses whatever notion of principal identity and
> authentication that you wish. The project includes such providers as
> X509, SiteMinder, CAS etc that do not rely on a traditional String
> username but some form of token. These illustrate the design works.
> It might be useful if you stepped back and explained what it is you are
> trying to do at a higher level. It seems to me you are customizing the
> system in unusual ways. Please take a read of Part I of the Reference
> Guide, which discusses the differences between authentication mechanisms
> and authentication providers, and then describe what you're trying to do
> here. We'll be happy to help you get it working in your project.

Sorry for my bad English, I'll try to be more clear.

First of all, my project has some unique "features" (flaws?) about security, but I'm integrating with a legacy system so I can't change it.

The first thing is about the user repository: I do not have unique usernames but only unique username/password pairs. That means I can't use the already provided UserDetails based classes and providers.

The second issue is that my web application must integrate with an existing legacy PHP portal using a custom security mechanism. It doesn't use PHP sessions; instead I always pass from page to page a custom hash token based on the user's password.

Actually I have found a working solution for me, creating a custom NicSessionAuthenticationToken, a custom NicSessionAuthenticationProvider and a custom NicSessionProcessingFilter extending AbstractProcessingFilter. Basically it works like a form based authentication: I have a specific URL endpoint that extracts my custom token from the request and initializes an authenticated session (using HttpSessionContextIntegrationFilter). That means that each time a PHP page must link to my web application I just link to my "login" endpoint including the required parameters.

To be clear, my custom NicSessionAuthenticationProvider uses a specific UserRepository (remember that I cannot use a UserDetailsService) and a PrincipalAndGrants strategy that populates the principal and granted privileges from the user (this is an extension point because I use it in different scenarios).
Please notice that I do not want to force my principals to have a username (they are Objects!), so in my custom NicSessionAuthenticationToken I have a separate property for it and do not rely on getPrincipal().toString() (or ((UserDetails)getPrincipal()).getUsername()).

All that stuff actually works. I just want to add a simple login page to directly access my web application (basically for testing purposes). I thought it would be simple: I just created a different provider to process UsernamePassword tokens that uses my custom user repository and added the standard AuthenticationProcessingFilter to my filter chain.

At first the SecurityContext is correctly initialized, but the problem arises when it is restored from the session and revalidated: in the session I have a UsernamePasswordAuthenticationToken that has "lost" the login username, simply because it relies on the principal to provide one (see above)!

To me it seems an error, because the principal is an Object, so we cannot make any assumption about it: it need not be a UserDetails instance, nor does it always provide a username when asked for a string representation... In my situation I cannot easily fix it, because I want the principal (or user object) to be totally decoupled from security profiles (such as a custom Person object with some application specific information attached to it).

Okay, it's probably just a small bug and not a "design flaw" (I'd never use a security system with serious flaws ;-), sorry for the unhappy term...

Regards,
Davide Romanini
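The failure mode described in this message (a token whose name is derived from `getPrincipal().toString()` silently loses the login name once the principal is an arbitrary domain object) and the repository design where only the username/password pair is unique can both be shown in a few lines. The following is an added example, not code from the original post or from the Acegi project: it is plain Java with no Acegi dependency, and the class names `NicToken`, `PairKeyedUserRepository` and `Person` are hypothetical stand-ins for the classes Davide mentions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added illustration of the design discussed in the message above; not Acegi code.
public class DecoupledPrincipalExample {

    /** Application domain object used as principal. It has no notion of a login name. */
    static final class Person {
        final int id;
        final String displayName;
        Person(int id, String displayName) { this.id = id; this.displayName = displayName; }
        @Override public String toString() { return "Person#" + id; } // deliberately not a username
    }

    /** Token that keeps the login name in its own field instead of deriving it from the principal. */
    static final class NicToken {
        private final String username;     // survives whatever object the principal is
        private final Object principal;    // any object; a Person in this example
        private final Set<String> authorities;
        private final boolean authenticated;

        NicToken(String username, Object principal, Set<String> authorities, boolean authenticated) {
            this.username = username;
            this.principal = principal;
            this.authorities = Set.copyOf(authorities);
            this.authenticated = authenticated;
        }
        String getName() { return username; }
        Object getPrincipal() { return principal; }
        Set<String> getAuthorities() { return authorities; }
        boolean isAuthenticated() { return authenticated; }
    }

    /** The pitfall: a name derived from the principal only works if the principal knows its login name. */
    static String nameDerivedFromPrincipal(Object principal) {
        return principal == null ? "" : principal.toString();
    }

    /**
     * In-memory repository where the (username, password) pair is the unique key.
     * Passwords are kept in clear here only to keep the example short; a real
     * repository would store a salted hash and compare against it (assumption, not from the post).
     */
    static final class PairKeyedUserRepository {
        private final Map<String, Person> byPair = new HashMap<>();

        private static String key(String username, String password) {
            return username + "\u0000" + password; // NUL separator avoids "ab"+"c" == "a"+"bc" collisions
        }
        void add(String username, String password, Person p) { byPair.put(key(username, password), p); }

        /** Lookup must use the whole pair: the username alone is ambiguous in this data model. */
        Optional<Person> find(String username, String password) {
            return Optional.ofNullable(byPair.get(key(username, password)));
        }
    }

    /** Provider-like step: resolve the pair to a Person, then build a token that remembers the login name. */
    static NicToken authenticate(PairKeyedUserRepository repo, String username, String password) {
        Person p = repo.find(username, password)
                       .orElseThrow(() -> new SecurityException("bad credentials"));
        return new NicToken(username, p, Set.of("ROLE_USER"), true);
    }

    public static void main(String[] args) {
        // Constructed sample data: two different people share the same username.
        PairKeyedUserRepository repo = new PairKeyedUserRepository();
        repo.add("mario", "pair-secret-1", new Person(1, "Mario Rossi"));
        repo.add("mario", "pair-secret-2", new Person(2, "Mario Bianchi"));

        NicToken token = authenticate(repo, "mario", "pair-secret-2");
        System.out.println("login name kept by the token : " + token.getName());            // mario
        System.out.println("principal                    : " + token.getPrincipal());       // Person#2
        System.out.println("name derived from principal  : "
                + nameDerivedFromPrincipal(token.getPrincipal()));                          // Person#2
        System.out.println("authenticated: " + token.isAuthenticated()
                + ", authorities: " + token.getAuthorities());
    }
}
```

The last two printed lines are the point of the message: once the principal is a `Person` rather than a `UserDetails`, anything that derives the name from the principal yields `Person#2`, while the token's own `username` field still reports `mario`. Keeping the login name on the token, as Davide does in his NicSessionAuthenticationToken, is what lets the session be revalidated without the principal having to carry a username.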
_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer