Re: [appfuse-user] How to get authentication info into a Spring bean / Hibernate interceptor

[Rob Hills]

Hi Richard,

[EMAIL PROTECTED] wrote:
Thanks for the ideas. I was hoping not to bind the AuditInterceptor too
tightly to the Servlet API. To do that I might have to pass in the username
and IP address as separate parms, and of course have to set these up in
advance. But I can also  just have a different implementation for
non-servlet situations I guess.
Yes, handling this at login/authentication makes sense, and then putting it
in the session. Maybe there's a hook in ACEGI to do this and someone will
volunteer how.
  
I know how to do that part.  As mentioned in my previous email, you 
simply need to create your own bean that implements the two interfaces 
ApplicationListener and ServletContextAware.

The ServletContextAware interface will require you to implement a 
setServletContext(ServletContext) method that will then give you access 
to the ServletContext (and its getRequest() method)

The ApplicationListener interface will require you to implement an 
onApplicationEvent(ApplicationEvent event) method that will trap any 
event fired within the Application.  Inside this method, you check if 
the event is an AuthenticationSuccessEvent (eg if (event instanceof 
AuthenticationSuccessEvent) { // do stuff after a successful login }).

The following example is from my "AuthenticationLoginListener" bean and 
shows how to get the user details.  Note, in my app, I have tweaked the 
original AppFuse User class to include a Company attribute which I need 
to load up on login and store in the session:

   public void onApplicationEvent(ApplicationEvent event) {
       if (event instanceof AuthenticationSuccessEvent) {

           /**
            * Get the username and look up his/her company and load it 
into the session.
            */
           UsernamePasswordAuthenticationToken token = 
(UsernamePasswordAuthenticationToken)event.getSource();
           String userName = token.getName();
           if (!Utility.isEmpty(userName)) {
               Company usersCompany = 
companyManager.getCompanyForUserName(userName);
               if (usersCompany != null) {
                   
getRequest().getSession().setAttribute(Constants.COMPANY, 
usersCompany.getCopy());
                   log.debug("Stored users Company in session: " + 
usersCompany.getName());
                   loadReportsMenu(usersCompany);
               }
           } else {
               // As the user has been authenticated, this should never 
happen
               log.error("No User found for AUTHENTICATED username: " + 
userName);
           }

       } else {
           log.debug("Intercepted Application Event of class: " + 
event.getClass());
       }
   }


Note, the rest of my bean just has necessary fields and getters/setters.

In my applicationContext.xml, I just added the following:

   <bean id="loginListener" 
class="au.com.tiwest.security.AuthenticationLoginListener">
       <property name="companyManager" ref="companyManager" />
   </bean>

Note, I didn't even need to specify the servletContext attribute - it's 
just injected automatically.  In my case, I inject a companyManager to 
give me access to the relevant Company details I need from the db - you 
can put anything you like in there (or nothing of course).

HTH,

Rob Hills
Waikiki, Western Australia

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]