topic Re: Custom authentication in 5.17 REST app in Alfresco Archive

Custom authentication in 5.17 REST app

gleisonsilva — Thu, 29 Jan 2015 21:54:59 GMT

Hello!I've spend all day long searching posts about custom authentication, but, It seems that in the last version, 5.17, somethings have changed on activiti-rest implementation.I need to generate, after a user success login, a token for a third app. How can I, in this new version, hack the code to i

Re: Custom authentication in 5.17 REST app

b_schnarr — Fri, 30 Jan 2015 14:25:15 GMT

I recognized this, too. In former versions, you could implement a custom org.activiti.rest.common.filter.RestAuthenticator and set this custom RestAuthenticator in org.activiti.rest.common.application.ActivitiRestApplication.java

In my CustomRestAuthenticator, I need access to the HTTP-Request to get my SSO-Token (this was possible in the org.activiti.rest.common.filter.RestAuthenticator).

And now?

Re: Custom authentication in 5.17 REST app

solanki — Sat, 31 Jan 2015 08:15:46 GMT

Even I am facing the same issue, I used to access the Http Request Object (in CustomRestAuthenticator) to derive request cookie Information and validate in against a service to authenticate my Rest requests.

In 5.17 for Implementing same customization in Spring security the advise is to override the authenticationProvider() in SecurityConfiguration. However the Custom AuthenticationProvider has access to only Authentication Object and not Request Object. Hence I am unable to get my request Cookie related Information.

I have been searching for other solutions in Spring Security, implementing a filter seems to be one way but I am still trying to understand where to hook my Cookie based authentication logic. Any pointers some sample approaches will help !!

Re: Custom authentication in 5.17 REST app

b_schnarr — Sat, 31 Jan 2015 12:07:36 GMT

Solanki, exactly! The old construct was very simple and effective (method RequestRequiresAuthentication). Now, there seems no way to access the HTTP-Headers in a Custom Spring Authentication-Provider. Activiti-Developers, why did you remove this old construct? And which ways are there to easily access HTTP-Request Parameters in a Spring Authentication-Provider?

Re: Custom authentication in 5.17 REST app

b_schnarr — Wed, 04 Feb 2015 10:52:18 GMT

No ideas?

Re: Custom authentication in 5.17 REST app

trademak — Wed, 04 Feb 2015 14:08:58 GMT

We didn't remove this option on purpose, but we switched from Restlet to Spring MVC which means the RestAuthenticator is not available anymore. Spring Security should definitely provide a way to solve this. Did you look into the Spring Security documentation?

Best regards,

Re: Custom authentication in 5.17 REST app

solanki — Fri, 06 Feb 2015 05:41:27 GMT

Hi Tijs,

I looked at the documentation but I am not able to find a simple approach where I can extract request cookies hook my custom authentication logic and set the authenticated user for Rest call, as we did earlier.

There are many configuration in spring security, in some sample apporaches I saw we have to -
>Implement a Filter
>A security context class
>Custom Userdetails/userdetail service.

I am new to spring, If possible can you provide one running example where we are using the request object to obtain any authentication information (token etc) and using it to authenticate the Rest call.

thanks
Solanki

Re: Custom authentication in 5.17 REST app

bens1 — Fri, 06 Feb 2015 15:45:58 GMT

Currently, I try to get this up and running using filters. But I have a very strange problem. Look at this url for my code and for further details:
https://stackoverflow.com/questions/28368254/infinite-loop-in-custom-spring-security-application

Any ideas are appreciated

Best regards
Ben

Re: Custom authentication in 5.17 REST app

b_schnarr — Sun, 08 Feb 2015 19:52:26 GMT

I succeeded in realizing my own custom authentication with the code from the link above with a little modification:

With this here, my infinite recursion disappeared:

<code>
static final String FILTER_APPLIED = "__spring_security_scpf_applied";
if (req.getAttribute(FILTER_APPLIED) != null) {
     chain.doFilter(req, res);
     return;
    }
    req.setAttribute(FILTER_APPLIED, Boolean.TRUE);
</code>

Therefore, you need to implement a custom filter and a custom AuthenticationManager. The existing BasicAuthenticationProvider stays untouched,

Best regards
Ben

Re: Custom authentication in 5.17 REST app

jbarrez — Mon, 09 Feb 2015 22:03:46 GMT

Thanks, thats very useful info.