Brian Moseley wrote:
Andy Depue wrote:
Since #2 would require a two step process (extraction of auth information would be separate from authentication), probably the path of least resistance at the moment would be option #1. Though, the path of least resistance does not always equal the best path. :) With option #1, the principal would already be authenticated by the time your WebDAV servlet is invoked. You would then package up the already authenticated principal in such a way that an Acegi provided JAAS LoginModule would recognize it and handle it accordingly. I have never looked into JAAS support with Acegi, so I don't know where that stands right now.
yep, i've come to these same conclusions. i'm going to prototype with option #1 (letting Acegi Security authenticate) to get a working demo and to become more familiar with Acegi Security. then i'll have a better idea of what it would take to implement option #2, which i have a gut feeling would require some refactoring of Acegi Security's authentication filters and so forth.
Hi guys
Sorry to chime in a bit late...
I think let Acegi Security handle the full authentication as per normal, with your choice of authentication processing filters. Importantly, this allows not just BASIC but also Digest, CAS, form, X509 and anything else you'd like to authenticate with. Then write a JAAS LoginModule that does not use the CallbackHandler in any way, meaning whatever the Jackrabbit repository extracts from BASIC authentication headers etc is effectively ignored (as an aside, the WebDAV spec mandates digest authentication - not BASIC). Anyway, your custom LoginModule will simply look at the ContextHolder and obtain the current Authentication, using that as if the LoginModule had completed the authentication itself. Recall net.sf.acegisecurity.Authentication is a subclass of java.security.Principal, so this will work. Also, as Jackrabbit introduces ACL security and _presumably_ uses Principal.getName(), this approach will continue to work as Acegi Security's AbstractAuthenticationToken satisfies the getName() method by returning the authentication object's getPrincipal().toString().
Cheers Ben
