Custom authentication in 5.17 REST app

gleisonsilva
Champ in-the-making
Hello!

I've spent all day long searching posts about custom authentication, but it seems that in the latest version, 5.17, some things have changed in the activiti-rest implementation.

I need to generate, after a successful user login, a token for a third app. How can I, in this new version, hack the code to implement my code in the authentication process?

Thank you very much!

Rgs
9 REPLIES 9

b_schnarr
Champ in-the-making
I recognized this, too. In former versions, you could implement a custom org.activiti.rest.common.filter.RestAuthenticator and set this custom RestAuthenticator in org.activiti.rest.common.application.ActivitiRestApplication.java

In my CustomRestAuthenticator, I need access to the HTTP-Request to get my SSO-Token (this was possible in the org.activiti.rest.common.filter.RestAuthenticator).

And now?

solanki
Champ in-the-making
I am facing the same issue. I used to access the HTTP request object (in CustomRestAuthenticator) to derive request cookie information and validate it against a service to authenticate my REST requests.

In 5.17, for implementing the same customization in Spring Security, the advice is to override authenticationProvider() in SecurityConfiguration. However, the custom AuthenticationProvider has access only to the Authentication object and not to the request object. Hence I am unable to get my request cookie related information.

I have been searching for other solutions in Spring Security. Implementing a filter seems to be one way, but I am still trying to understand where to hook in my cookie-based authentication logic. Any pointers or sample approaches will help!

b_schnarr
Champ in-the-making
Solanki, exactly! The old construct was very simple and effective (method RequestRequiresAuthentication). Now, there seems to be no way to access the HTTP headers in a custom Spring AuthenticationProvider. Activiti developers, why did you remove this old construct? And which ways are there to easily access HTTP request parameters in a Spring AuthenticationProvider?

b_schnarr
Champ in-the-making
No ideas?

trademak
Star Contributor
We didn't remove this option on purpose, but we switched from Restlet to Spring MVC which means the RestAuthenticator is not available anymore. Spring Security should definitely provide a way to solve this. Did you look into the Spring Security documentation?

Best regards,

solanki
Champ in-the-making
Hi Tijs,

I looked at the documentation, but I am not able to find a simple approach where I can extract request cookies, hook in my custom authentication logic and set the authenticated user for the REST call, as we did earlier.

There are many configurations in Spring Security. In some sample approaches I saw, we have to:
- Implement a filter
- A security context class
- Custom UserDetails/UserDetailsService

I am new to Spring. If possible, can you provide one running example where we are using the request object to obtain any authentication information (token etc.) and using it to authenticate the REST call?

thanks
Solanki

bens1
Champ in-the-making
Currently, I try to get this up and running using filters. But I have a very strange problem. Look at this url for my code and for further details:
https://stackoverflow.com/questions/28368254/infinite-loop-in-custom-spring-security-application

Any ideas are appreciated

Best regards
Ben

b_schnarr
Champ in-the-making
I succeeded in realizing my own custom authentication with the code from the link above with a little modification:

With this here, my infinite recursion disappeared:

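<code>
// Declared as a field of the custom filter class.
static final String FILTER_APPLIED = "__spring_security_scpf_applied";

// At the top of doFilter(): if this filter already ran for the request, pass it on and stop.
if (req.getAttribute(FILTER_APPLIED) != null) {
    chain.doFilter(req, res);
    return;
}
// Mark the request so a re-entrant call does not run the filter again.
req.setAttribute(FILTER_APPLIED, Boolean.TRUE);
</code>

Therefore, you need to implement a custom filter and a custom AuthenticationManager. The existing BasicAuthenticationProvider stays untouched.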

Best regards
Ben
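
Added example, not part of the post above or of the Activiti code base: a minimal sketch of the filter-plus-AuthenticationManager approach described in this thread, where the filter reads the token from the request and the manager only ever sees an Authentication object. The class name `SsoTokenFilter`, the cookie name `SSO_TOKEN` and the `javax.servlet` API level are assumptions, and the injected AuthenticationManager is assumed to validate the token against your SSO service. Spring's `OncePerRequestFilter` already provides the run-once-per-request guard that the `FILTER_APPLIED` attribute implements by hand.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter: extracts an SSO token cookie and delegates validation.
public class SsoTokenFilter extends OncePerRequestFilter {
    private static final String COOKIE_NAME = "SSO_TOKEN"; // assumed cookie name
    private final AuthenticationManager authenticationManager;

    public SsoTokenFilter(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        String token = readCookie(req, COOKIE_NAME);
        if (token != null && SecurityContextHolder.getContext().getAuthentication() == null) {
            try {
                // Token travels as credentials; the principal is a placeholder so the
                // token itself never appears in logs that print the principal name.
                Authentication result = authenticationManager.authenticate(
                        new PreAuthenticatedAuthenticationToken("sso-cookie", token));
                SecurityContextHolder.getContext().setAuthentication(result);
            } catch (AuthenticationException e) {
                // Reject outright instead of continuing with a half-populated context.
                SecurityContextHolder.clearContext();
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid SSO token");
                return;
            }
        }
        chain.doFilter(req, res); // no cookie: later filters (e.g. basic auth) decide
    }

    private static String readCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies(); // null when the request has no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

Registering the filter with `http.addFilterBefore(new SsoTokenFilter(manager), BasicAuthenticationFilter.class)` in the `SecurityConfiguration` mentioned earlier in the thread leaves basic authentication in place for requests that carry no cookie.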

jbarrez
Star Contributor
Thanks, that's very useful info.