topic Re: Setting custom rest authenticator in rest-webapp in Alfresco Archive

Setting custom rest authenticator in rest-webapp

b_schnarr — Fri, 09 May 2014 10:42:47 GMT

Hello at all,we want to implement SSO in the activiti-rest webapp. Therefore, we need to disable the build in rest basic authentication. To achieve this, I created a subclass of org.activiti.rest.service.application.ActivitiRestServicesApplication that implements the method boolean requestRequiresAu

Re: Setting custom rest authenticator in rest-webapp

b_schnarr — Tue, 13 May 2014 10:22:08 GMT

No ideas? Maybe I have forgotten something? I created a subclass of org.activiti.rest.service.application.ActivitiRestServicesApplication that implements just one method of the CustomRestAuthenticator (boolean requestRequiresAuthentication(Request request)). But this seems not to be sufficient. But in the documentation, there is nothing more to read about that. In anothe post, there is written:

"The custom implementation fo the RestAuthenticator can be set on the instance of the org.activiti.rest.common.application.ActivitiRestApplication (or org.activiti.rest.service.application.ActivitiRestServicesApplication)."

But I have no idea how to do this.

Thank you and best regards
Ben

Re: Setting custom rest authenticator in rest-webapp

b_schnarr — Thu, 15 May 2014 08:50:42 GMT

Maybe, the class org.activiti.rest.common.application.ActivitiRestApplication is helpful. There you can find the following method:

<code>
// Set authenticator as a NON-optional filter. If certain request require no authentication, a custom RestAuthenticator
// should be used to free the request from authentication.
authenticator = new ChallengeAuthenticator(null, true, ChallengeScheme.HTTP_BASIC,
      "Activiti Realm") {

@Override
protected boolean authenticate(Request request, Response response) {

    // Check if authentication is required if a custom RestAuthenticator is set
    if(restAuthenticator != null && !restAuthenticator.requestRequiresAuthentication(request)) {
      return true;
    }

    if (request.getChallengeResponse() == null) {
      return false;
    } else {
      boolean authenticated = super.authenticate(request, response);
      if(authenticated && restAuthenticator != null) {
        // Additional check to see if authenticated user is authorised. By default, when no RestAuthenticator
        // is set, a valid user can perform any request.
        authenticated = restAuthenticator.isRequestAuthorized(request);
      }
      return authenticated;
    }
}
};
authenticator.setVerifier(verifier);
</code>

But still, I do not understand how to "set" my custom rest authenticator. The official docu just states that the org.activiti.rest.common.filter.RestAuthenticator interface needs to be implemented and in addition, the web.xml needs to be altered. I did this, but the API still wants to have basic credentials. So I think I must "set" my custom implementation somehow?

Any help is welcome. Thanks a lot
Ben

Re: Setting custom rest authenticator in rest-webapp

b_schnarr — Thu, 15 May 2014 10:37:58 GMT

I solved it this way:

1.) Create the class org.activiti.rest.common.filter.RestAuthenticatorImpl.java which implements the method public boolean requestRequiresAuthentication(Request request)

2.) Set your custom RestAuthenticator in org.activiti.rest.common.application.ActivitiRestApplication.java like this:

In the Constructor public ActivitiRestApplication(), add these lines of code:

<code>
restAuthenticator = new RestAuthenticatorImpl();
setRestAuthenticator(restAuthenticator);
</code>

Re: Setting custom rest authenticator in rest-webapp

golden_boy_t — Tue, 29 Sep 2015 12:04:05 GMT

Hi
Could you please show me an example of how to check the request object in this method :
boolean requestRequiresAuthentication(Request request);
is authenticated over a CAS server?
Thanks

Re: Setting custom rest authenticator in rest-webapp

b_schnarr — Tue, 29 Sep 2015 12:08:07 GMT

Which Activiti version do you use? Since Activiti 5.17, Spring Security is used to secure the REST-API. Therefore, this thread here is not up-to-date anymore.

In addition, what do you want to check in the request object?