Posted to slide-user@jakarta.apache.org by Krishna Kankipati <kk...@baan.com> on 2004/10/30 00:22:55 UTC

ACL Problem with Slide2.1 Beta2

Hi,
   We were using Slide 2.1 Beta 1 and were doing pretty well with ACL. Our
design for custom authentication was like this:

1. Disable web-server authentication (remove security constraint elements in
web.xml).
2. Enable Slide security (in slide.properties).
3. Write a filter for the webdav servlet. This filter captures every HTTP
request and does custom authentication. After authentication, it sets a
principal object in the session based on the logged-in user (code for this is
given below).

This worked pretty well for Slide 2.1 B1, except that the Slide trace
messages spat out "unauthenticated" as the principal user. We were OK
with that because the ACL worked on the logged-in user (the user set in the
session as a principal object).

When we upgraded to Slide 2.1 B2, the Slide server ACL was running on
"unauthenticated" instead of the principal user set in the session. Now,
since the ACL thinks that the logged-in user is "unauthenticated", nothing
works ....

I do not understand what changed between b1 and b2. Is this a bug
introduced, or am I supposed to do something extra for b2?

Any help appreciated .....

Code for the servlet filter that does the custom authentication .....

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import org.apache.slide.webdav.WebdavStatus;

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain fChain) throws IOException, ServletException
    {
        // Cast to the HTTP-specific classes for the request and the response
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        // Return an error if the filter config object is null
        if (fConfig == null)
        {
            String sError = "SlideAuthenticationFilter.doFilter()::FilterConfig is null";
            httpRes.sendError(WebdavStatus.SC_INTERNAL_SERVER_ERROR, sError);
            return;
        }

        // Check for the authorization header. It will be used to create the principal object
        // for slide authorizations. All webdav client calls from salespoint should have the
        // "Authorization" header in the format "BASIC username:slideunlockkey". The string
        // "username:slideunlockkey" should be encoded in base64 format. The Slide un-lock key
        // is a constant defined in this class (TODO save it in an external editable resource).
        String sAuthorizationHeader = httpReq.getHeader("Authorization");

        if (!authenticateRequest(sAuthorizationHeader))
        {
            String sError = "SlideAuthenticationFilter.doFilter()::Authentication failed, "
                          + "invalid slide repository unlock key";
            httpRes.sendError(WebdavStatus.SC_FORBIDDEN, sError);
            return;
        }

        // User is authenticated, let him through to Slide

        // Fetch the HTTP session object for this user; if there is none, create one
        HttpSession httpSession = httpReq.getSession(true);

        // SlidePrincipal is a simple implementation of the Principal interface.
        // Look whether a principal object is already bound to the session for the logged-in user
        SlidePrincipal principal =
            (SlidePrincipal) httpSession.getAttribute("org.apache.slide.webdav.method.principal");

        if (principal == null)
        {
            // No principal bound to the session yet: create one and bind it
            principal = new SlidePrincipal(sLoggedUser);
            httpSession.setAttribute("org.apache.slide.webdav.method.principal", principal);
        }
        else if (!principal.getName().equals(this.sLoggedUser))
        {
            // A principal is bound but its name does not match: update it
            principal.setName(sLoggedUser);
        }
        // Otherwise a valid principal already exists in the session; nothing to do

        fChain.doFilter(req, res);
    }


thanks,

Krishna
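As an added example (not the poster's code and not part of Slide), one way to implement the authenticateRequest check that the filter's comments describe: parse the "Authorization: BASIC base64(username:slideunlockkey)" header, reject missing or malformed input, and compare the unlock key in constant time. The class name, the constructor argument and the return-the-user-name convention are assumptions; the filter would call authenticate(sAuthorizationHeader) and treat a null result as a failed login.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Checks the "Authorization: BASIC base64(username:unlockkey)" header format from the post. */
public final class UnlockKeyAuthenticator {

    private final byte[] expectedKey;

    /** The unlock key is supplied by the caller (e.g. read from an external resource). */
    public UnlockKeyAuthenticator(String unlockKey) {
        this.expectedKey = unlockKey.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Returns the user name carried in the header when the unlock key matches,
     * or null when the header is missing, malformed, or the key does not match.
     */
    public String authenticate(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        // Scheme name is case-insensitive ("BASIC" / "Basic"); the credentials follow it.
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !"basic".equalsIgnoreCase(parts[0])) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String credentials = new String(decoded, StandardCharsets.UTF_8);
        // Split on the first ':' only, so a key that itself contains ':' is not truncated.
        int colon = credentials.indexOf(':');
        if (colon <= 0) {
            return null; // no separator, or empty user name
        }
        String user = credentials.substring(0, colon);
        byte[] presentedKey = credentials.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so a mismatch cannot be narrowed down byte by byte.
        if (!MessageDigest.isEqual(expectedKey, presentedKey)) {
            return null;
        }
        return user;
    }
}
```

Returning the user name per request, rather than storing it in a field of the filter, also avoids sharing one logged-in user between concurrent requests handled by the same filter instance.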