Setting custom rest authenticator in rest-webapp

b_schnarr
Champ in-the-making
Hello all,

we want to implement SSO in the activiti-rest webapp. Therefore, we need to disable the built-in REST basic authentication. To achieve this, I created a subclass of org.activiti.rest.service.application.ActivitiRestServicesApplication that implements the method
boolean requestRequiresAuthentication(Request request)
of the custom org.activiti.rest.common.filter.RestAuthenticator interface. Always returning false disables the basic authentication in theory.

Here is my class:

<code>
package org.activiti.rest.service.application;

import org.restlet.Request;
import org.restlet.data.Form;

// Crypto imports reserved for the LTPA token decryption logic that is still to be written
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.activiti.engine.identity.User;
import org.activiti.engine.impl.identity.Authentication;
import org.apache.commons.codec.binary.Base64;

import java.security.Key;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Date;

import org.activiti.rest.common.api.ActivitiUtil;
import org.activiti.rest.common.filter.RestAuthenticator;

public class CustomActivitiRestServicesApplication extends ActivitiRestServicesApplication implements RestAuthenticator {

  protected String ltpaKey;
  protected String ltpaPassword;

  private static final String AES_DECRIPTING_ALGORITHM = "AES/CBC/PKCS5Padding";
  private static final String DES_DECRIPTING_ALGORITHM = "DESede/ECB/PKCS5Padding";
  private static final String LTPA_COOKIE_NAME = "LtpaToken2";

  String ltpaToken = null;

  // Returning false unconditionally is meant to switch off HTTP Basic for every request
  @Override
  public boolean requestRequiresAuthentication(Request request) {
    // LTPA-Encrypt-Logic
    // Authentication.setAuthenticatedUserId(user.getId());
    return false;
  }

  // Only consulted for requests that went through Basic authentication
  @Override
  public boolean isRequestAuthorized(Request request) {
    // TODO Auto-generated method stub
    return false;
  }
}
</code>


In addition, I altered the web.xml of activiti-webapp-rest2 so that it points to my custom implementation:

<code>
<!-- Restlet adapter -->
<servlet>
  <servlet-name>RestletServlet</servlet-name>
  <servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class>
  <init-param>
    <!-- Application class name -->
    <param-name>org.restlet.application</param-name>
    <param-value>org.activiti.rest.service.application.CustomActivitiRestServicesApplication</param-value>
  </init-param>
</servlet>
</code>


The problem is that this has no effect. After redeploying, the REST API still asks for basic credentials and I have no idea why.

Any reply is appreciated. I googled a lot but without success.

Thank you very much and best regards
Ben

b_schnarr
Champ in-the-making
No ideas? Maybe I have forgotten something? I created a subclass of org.activiti.rest.service.application.ActivitiRestServicesApplication that implements just one method of the CustomRestAuthenticator (boolean requestRequiresAuthentication(Request request)). But this does not seem to be sufficient. However, there is nothing more to read about that in the documentation. In another post, it is written:

"The custom implementation of the RestAuthenticator can be set on the instance of the org.activiti.rest.common.application.ActivitiRestApplication (or org.activiti.rest.service.application.ActivitiRestServicesApplication)."

But I have no idea how to do this.

Thank you and best regards
Ben

b_schnarr
Champ in-the-making
Maybe the class org.activiti.rest.common.application.ActivitiRestApplication is helpful. There you can find the following code:

<code>
// Set authenticator as a NON-optional filter. If certain request require no authentication, a custom RestAuthenticator
// should be used to free the request from authentication.
authenticator = new ChallengeAuthenticator(null, true, ChallengeScheme.HTTP_BASIC,
      "Activiti Realm") {

  @Override
  protected boolean authenticate(Request request, Response response) {

    // Check if authentication is required if a custom RestAuthenticator is set
    if(restAuthenticator != null && !restAuthenticator.requestRequiresAuthentication(request)) {
      return true;
    }

    if (request.getChallengeResponse() == null) {
      return false;
    } else {
      boolean authenticated = super.authenticate(request, response);
      if(authenticated && restAuthenticator != null) {
        // Additional check to see if authenticated user is authorised. By default, when no RestAuthenticator
        // is set, a valid user can perform any request.
        authenticated = restAuthenticator.isRequestAuthorized(request);
      }
      return authenticated;
    }
  }
};
authenticator.setVerifier(verifier);
</code>

But still, I do not understand how to "set" my custom rest authenticator. The official documentation just states that the org.activiti.rest.common.filter.RestAuthenticator interface needs to be implemented and that, in addition, the web.xml needs to be altered. I did this, but the API still asks for basic credentials. So I think I must "set" my custom implementation somehow?

Any help is welcome. Thanks a lot
Ben

b_schnarr
Champ in-the-making
I solved it this way:

1.) Create the class org.activiti.rest.common.filter.RestAuthenticatorImpl.java, which implements the method public boolean requestRequiresAuthentication(Request request).

2.) Set your custom RestAuthenticator in org.activiti.rest.common.application.ActivitiRestApplication.java like this:

In the constructor public ActivitiRestApplication(), add these lines of code:

<code>
restAuthenticator = new RestAuthenticatorImpl();
setRestAuthenticator(restAuthenticator);
</code>
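As an added example (not code from the thread or from the Activiti project), here is what a RestAuthenticatorImpl registered this way could look like when it only skips HTTP Basic for requests that an SSO filter in front of the Restlet servlet has already authenticated, instead of returning false for every request, which would leave the REST API without any authentication. It assumes Restlet's org.restlet.ext.servlet.ServletUtils.getRequest exposes the underlying HttpServletRequest and that the SSO filter sets the container principal; both are assumptions, not something the thread states.

```java
package org.activiti.rest.common.filter;

import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.activiti.engine.impl.identity.Authentication;
import org.restlet.Request;
import org.restlet.ext.servlet.ServletUtils;   // assumed: Restlet 2.1+ servlet extension

/**
 * Lets a request bypass the HTTP Basic challenge only when the servlet container
 * (or an SSO filter such as an LTPA or CAS client filter deployed ahead of
 * RestletServlet) has already authenticated it. Every other request still has to
 * present Basic credentials, so the API is never left wide open.
 */
public class RestAuthenticatorImpl implements RestAuthenticator {

  @Override
  public boolean requestRequiresAuthentication(Request request) {
    String userId = ssoUserId(request);
    if (userId == null) {
      return true;   // no SSO identity on this request: fall back to Basic auth
    }
    // Hand the SSO identity to the engine (thread-local), so that claimed tasks,
    // comments and history entries are recorded under the SSO user, not "anonymous".
    Authentication.setAuthenticatedUserId(userId);
    return false;
  }

  @Override
  public boolean isRequestAuthorized(Request request) {
    // Only reached for Basic-authenticated requests; keep Activiti's default
    // (any valid user may call any resource).
    return true;
  }

  /** The container principal name, or null when the caller was not SSO-authenticated. */
  protected String ssoUserId(Request request) {
    // Assumption: ServletUtils.getRequest returns the HttpServletRequest wrapped by Restlet.
    HttpServletRequest servletRequest = ServletUtils.getRequest(request);
    if (servletRequest == null) {
      return null;
    }
    Principal principal = servletRequest.getUserPrincipal();
    return principal == null ? null : principal.getName();
  }
}
```

The class is wired in exactly as step 2 above shows, with setRestAuthenticator(new RestAuthenticatorImpl()) in the ActivitiRestApplication constructor.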

golden_boy_t
Champ in-the-making
Hi,
Could you please show me an example of how to check, in this method:
boolean requestRequiresAuthentication(Request request);
whether the request object is authenticated over a CAS server?
Thanks

b_schnarr
Champ in-the-making
Which Activiti version do you use? Since Activiti 5.17, Spring Security is used to secure the REST API. Therefore, this thread is not up to date anymore.

In addition, what do you want to check in the request object?