<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: CAS SSO with Activiti REST API in Alfresco Archive</title>
    <link>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160831#M114790</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Hi,&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Thanks a lot for your quick answer! Apologies if my follow-up questions are stupid or misguided (Activiti is a very new friend of mine). What are the semantics of throwing an exception in requestRequiresAuthentication? In other words, what would the observed effect be? Also, how would we proceed to implement our custom authorization (using LDAP group membership) if requestRequiresAuthentication always returns false - my understanding is that isRequestAuthorized will never be called in that scenario? Once again, I am sorry that I'm asking from a perspective of ignorance here.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Thanks a lot,&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Einar&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 09 Oct 2013 10:56:24 GMT</pubDate>
    <dc:creator>einarwh</dc:creator>
    <dc:date>2013-10-09T10:56:24Z</dc:date>
    <item>
      <title>CAS SSO with Activiti REST API</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160829#M114788</link>
      <description>Hi, We're building a multi-component web application that communicates with Activiti using the REST API. We'd like to do two things: 1. Replace the default basic HTTP authentication, and rely on Tomcat to handle authentication using CAS SSO. We obviously still need a notion of identity for the user -</description>
      <pubDate>Tue, 08 Oct 2013 12:50:10 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160829#M114788</guid>
      <dc:creator>einarwh</dc:creator>
      <dc:date>2013-10-08T12:50:10Z</dc:date>
    </item>
    <item>
      <title>Re: CAS SSO with Activiti REST API</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160830#M114789</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Hi,&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;My first thought is that it should be just fine if you implement your own RestAuthenticator.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;You should implement the requestRequiresAuthentication method and always return false.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;That prevents the REST layer from calling the Activiti identity management.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;In the requestRequiresAuthentication method you could check the SSO token and throw an exception if it's invalid.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Also make sure to set the user on the request, because some REST services need that user object.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Best regards,&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 09:01:00 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160830#M114789</guid>
      <dc:creator>trademak</dc:creator>
      <dc:date>2013-10-09T09:01:00Z</dc:date>
    </item>
    <item>
      <title>Re: CAS SSO with Activiti REST API</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160831#M114790</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Hi,&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Thanks a lot for your quick answer! Apologies if my follow-up questions are stupid or misguided (Activiti is a very new friend of mine). What are the semantics of throwing an exception in requestRequiresAuthentication? In other words, what would the observed effect be? Also, how would we proceed to implement our custom authorization (using LDAP group membership) if requestRequiresAuthentication always returns false - my understanding is that isRequestAuthorized will never be called in that scenario? Once again, I am sorry that I'm asking from a perspective of ignorance here.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Thanks a lot,&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Einar&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 10:56:24 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160831#M114790</guid>
      <dc:creator>einarwh</dc:creator>
      <dc:date>2013-10-09T10:56:24Z</dc:date>
    </item>
    <item>
      <title>Re: CAS SSO with Activiti REST API</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160832#M114791</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Yes, as the javadoc says, if the "requestRequiresAuthentication" returns false, the request is considered to be free of any further DEFAULT authentication (including calls to isRequestAuthorized).&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Since the calls are done from restlet, you can throw a ResourceException(…) with a status-code and a description. The rest-error handling that is in place will render a nice response-JSON with the message in it (see ActivitiStatusService) and the HTTP-response code will be the one you provide in the ResourceException. In your case, that will be an UNAUTHORIZED or REQUIRES_AUTHENTICATION, depending on what your SSO logic found out about the request…&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 13:02:06 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160832#M114791</guid>
      <dc:creator>frederikherema1</dc:creator>
      <dc:date>2013-10-09T13:02:06Z</dc:date>
    </item>
    <item>
      <title>Re: CAS SSO with Activiti REST API</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160833#M114792</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Thanks a lot, I really appreciate the kind assistance and helpful advice. I think it's very neat that I can use HTTP response codes in that manner. Just to make sure: I'll just ignore the isRequestAuthorized call as such, and implement whatever custom authorization I need to do in the requestRequiresAuthentication call itself. Have I understood correctly?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Thanks again,&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Einar&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 09 Oct 2013 13:25:47 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/cas-sso-with-activiti-rest-api/m-p/160833#M114792</guid>
      <dc:creator>einarwh</dc:creator>
      <dc:date>2013-10-09T13:25:47Z</dc:date>
    </item>
  </channel>
</rss>

