How about something like this?
Client Application passes in username and password (text version input by user) to WebService. WebService looks up user, hashes text password and compares against hashed password in database/user object... If match -> authenticated...

import java.util.Iterator;
// User, Role, UserManager, StringUtil, UsernameNotFoundException, BaseWebService,
// WebServiceUser, WebServiceRole, WebServiceConstants and Error come from the
// application and its libraries; import them from wherever they live in your project.

public class AuthenticationWebServiceImpl extends BaseWebService
        implements AuthenticationWebService {

    private UserManager userManager;

    /**
     * @return the userManager
     */
    public UserManager getUserManager() {
        return userManager;
    }

    /**
     * @param userManager the userManager to set
     */
    public void setUserManager(UserManager userManager) {
        this.userManager = userManager;
    }

    // be sure to configure and wrap this method in a transaction
    public WebServiceUser authenticateUser(String userName, String password) {
        WebServiceUser wsUser = new WebServiceUser();
        User user;
        String encPassword = "";

        // Authenticate using UserManager and return a user
        try {
            // Get user using user manager
            user = getUserManager().getUserByUsername(userName);

            // match passwords
            // 1) Convert supplied password to encrypted form:
            //    hash the password of user according to system configuration
            String algorithm = "SHA";
            if (null != password) {
                encPassword = StringUtil.encodePassword(password, algorithm);
            } else {
                // password null, return error (and stop here, so that a second
                // "invalid password" error is not added below)
                wsUser.getErrors().add(
                        new Error(WebServiceConstants.ERR_NO_PASSWORD_MESSAGE,
                                WebServiceConstants.ERR_NO_PASSWORD_CODE,
                                "password is required"));
                return wsUser;
            }

            String storedPassword = user.getPassword();
            if (encPassword.equalsIgnoreCase(storedPassword)) {
                // we have the correct username and password; populate wsUser and Roles
                wsUser = populateUser(wsUser, user);
            } else {
                // wrong password supplied; the submitted password is not echoed
                // back in the error text
                wsUser.getErrors().add(
                        new Error(WebServiceConstants.ERR_INVALID_PASSWORD_MESSAGE,
                                WebServiceConstants.ERR_INVALID_PASSWORD_CODE,
                                "Password supplied is invalid. You logged in with username='"
                                        + userName + "'"));
            }
        } catch (UsernameNotFoundException e) {
            // user not found, return error (again without echoing the password)
            wsUser.getErrors().add(
                    new Error(WebServiceConstants.ERR_USER_NOT_FOUND_MESSAGE,
                            WebServiceConstants.ERR_USER_NOT_FOUND_CODE,
                            "The username supplied did not match any users in the system. "
                                    + "You logged in with username='" + userName + "'"));
        }
        return wsUser;
    }

    // Copy the fields and role names of the AppFuse User into the web service DTO
    protected WebServiceUser populateUser(WebServiceUser wsUser, User user) {
        log.debug("populating user...");
        wsUser.setUserPK(user.getUserPK());
        wsUser.setFirstName(user.getUserPref().getFirstName());
        wsUser.setLastName(user.getUserPref().getLastName());
        wsUser.setUsername(user.getUsername());
        Iterator<Role> i = user.getRoles().iterator();
        while (i.hasNext()) {
            Role role = i.next();
            wsUser.getRoles().add(new WebServiceRole(role.getName()));
        }
        log.debug("done populating...");
        return wsUser;
    }
}

Good Luck!
Amin

On 4/12/07 1:15 PM, "Nathan Anderson" <[EMAIL PROTECTED]> wrote:

> The way that comes to mind would be to make your own
> AuthenticationProvider. Depending on your needs [e.g. if you need built
> in AppFuse features like roles] you may need to extend the
> DaoAuthenticationProvider so you can still use the AppFuse User object
> as your UserDetails object.
>
> Does that make sense?
>
> Nathan
>
> sionsmith wrote:
>> Nathan: Yes the plan is to use the webservice as the authentication
>> mechanism. We're using SSL so not worrying about encryption at this time.
>> What I want to be able to do is use all the features of appfuse like the
>> security filter etc. but just do the authentication through the webservice.
>>
>> Mike: The webservice is the authentication method - the client I have sends
>> the username and password that is entered on screen and instead of the
>> authenticationManager using the appfuse way I need to set it depending on
>> the result of the webservice call - you sort of get me?
>>
>> Many Thanks
>>
>> Sion
>>
>> Michael Horwitz wrote:
>>
>>> On 4/12/07, sionsmith <[EMAIL PROTECTED]> wrote:
>>>
>>>> Thanx Mike, I've now got that working and talking to the webservice.
>>>> Woohoo - I'm thinking that was the easy part compared to what I now
>>>> have to do. I have to use an 'authenticAccount' method on the
>>>> webservice to authenticate the user, which simply takes the username &
>>>> password and returns me true or false depending if the attempt was
>>>> successful. How the hell do I get this to work with the acegisecurity
>>>> authenticationManager used in appfuse? Is this possible? I've no idea
>>>> how to go about doing this :(
>>>>
>>> Let me make sure I understand your requirements: you need each user to
>>> authenticate individually with the web service? As in user makes request,
>>> server authenticates with webservice on user behalf per request?
>>>
>>> You can obtain the user object from the current security context easily
>>> enough, but the passwords used in AppFuse are stored using a one way hash.
>>> So they are unlikely to be able to be used as is with your web service. I
>>> would suggest you take a look at the following classes to get an idea of
>>> what needs to be done (you should be able to open the source in your IDE,
>>> or download the sources from http://static.appfuse.org/repository and
>>> attach as needed):
>>>
>>> UserSecurityAdvice (how to get hold of the current security context)
>>> and
>>> UserFormController (how to encrypt passwords).
>>>
>>> Mike.
>>>
>>> Any help would be grateful
>>>
>>>> Thanx Sion
>>>>
>>>> Michael Horwitz wrote:
>>>>
>>>>> On 4/12/07, sionsmith <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> Arrrh I see now! Thanx Mike - what about the destroy method tho? Do I
>>>>>> place that in the configure too?
>>>>>>
>>>>> Yup. Add the attribute destroy-method="destroy_method_name".
>>>>>
>>>>> Mike.
>>>>>
>>>>> Thanx sion
>>>>>
>>>>>> Michael Horwitz wrote:
>>>>>>
>>>>>>> On 4/12/07, sionsmith <[EMAIL PROTECTED]> wrote:
>>>>>>>
>>>>>>>> Guys & Girls,
>>>>>>>>
>>>>>>>> I'm using the appfuse jsf framework - we need to talk to a webservice,
>>>>>>>> I have already been given a java client class which talks to the
>>>>>>>> service - however I'm unsure of the best way or how to load this
>>>>>>>> client and run its init method on server startup? I've had a look on
>>>>>>>> here, and at the StartupListener in the org.appfuse.webapp.listener
>>>>>>>> package - do I need to write my own listener that extends this? I'm
>>>>>>>> confused? I see another way is to use something called Quartz? What's
>>>>>>>> this and how do I use that?
>>>>>>>>
>>>>>>> The easiest way to get your class up and running is probably to
>>>>>>> configure it in Spring as a bean. You can get Spring to call the init
>>>>>>> method when it starts up the class by adding the attribute
>>>>>>> init-method="method_name" on the bean definition.
>>>>>>>
>>>>>>> Quartz is a job scheduler: http://www.opensymphony.com/quartz/. You
>>>>>>> would use Quartz if, for instance, you wanted to call your web service
>>>>>>> every day at 23h00.
>>>>>>>
>>>>>>> Mike.
>>>>>>>
>>>>>>> Any help on how to do this would be very grateful :)
>>>>>>>
>>>>>>>> Thanx Sion
>>>>>>>> --
>>>>>>>> View this message in context:
>>>>>>>> http://www.nabble.com/Using-Appfuse-With-WebServices-tf3565429s2369.html#a9959171
>>>>>>>> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
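
The hash-and-compare step of the authenticateUser method at the top of this message, as an added example that is not part of the original post or of AppFuse: it swaps the single unsalted SHA hash for salted PBKDF2 from the JDK, compares in constant time, and returns one generic failure message so the response does not distinguish an unknown user from a wrong password. The class name, the in-memory user store, the sample user and the iteration count are assumptions made for the illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordCheckExample {
    // Hypothetical stored record: a per-user random salt plus the derived hash.
    static final class Stored {
        final byte[] salt, hash;
        Stored(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static final int ITERATIONS = 210_000;                     // assumption: tune to your hardware
    static final String GENERIC = "Invalid username or password";
    static final Map<String, Stored> USERS = new HashMap<>();  // constructed sample store
    static final Stored DUMMY = enroll("placeholder for unknown users");

    static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static Stored enroll(String password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Stored(salt, derive(password.toCharArray(), salt));
    }

    /** Returns null on success, otherwise the same message for every kind of failure. */
    static String authenticate(String userName, String password) {
        if (userName == null || password == null) return GENERIC;
        Stored s = USERS.get(userName);
        boolean known = (s != null);
        if (!known) s = DUMMY;   // still do the work, so timing does not reveal unknown users
        byte[] candidate = derive(password.toCharArray(), s.salt);
        boolean match = MessageDigest.isEqual(candidate, s.hash);  // constant-time comparison
        return (known && match) ? null : GENERIC;   // the submitted password is never echoed
    }

    public static void main(String[] args) {
        USERS.put("alice", enroll("correct horse"));   // constructed sample user
        String[][] tries = {{"alice", "correct horse"}, {"alice", "wrong"}, {"nobody", "wrong"}};
        for (String[] t : tries) System.out.println(t[0] + " -> " + authenticate(t[0], t[1]));
    }
}
```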