Posted to dev@isis.apache.org by Kevin Meyer - KMZ <ke...@kmz.co.za> on 2011/11/29 21:16:13 UTC

Authentication is now really strange

Hi Dan,

Since your latest changes to the authentication engine, I don't know 
how to handle authentication in my REST authenticator.

If my authenticator returns false for: 
	isValid(AuthenticationRequest request)
i.e. if the credentials are not valid, I get an error message:

HTTP ERROR 500

Problem accessing /logon.app. Reason:

    No authenticator available for processing org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword

Caused by:

org.apache.isis.core.runtime.authentication.standard.NoAuthenticatorException: No authenticator available for processing org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
	at org.apache.isis.core.runtime.authentication.standard.AuthenticationManagerStandard.authenticate(AuthenticationManagerStandard.java:126)
	at org.apache.isis.viewer.html.servlet.LogonServlet.authenticate(LogonServlet.java:126)


If I return true, then you can login with any credentials whatsoever.

Something is not quite right with this... what should I be doing?

Regards,
Kevin


Re: Authentication is now really strange

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
ok, looking into it now. Aargh.

On 30 November 2011 07:36, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:

> Hi Dan,
>
> > I changed the API for Authenticator a little, so that it would be
> > consistent with the new Registrar:
> >
> > canAuthenticate(AuthenticationRequest)
> >
> > is now
> >
> > canAuthenticate(Class<? extends AuthenticationRequest>).
> >
> > In other words, it's the means by which the AuthenticationManagerStandard
> > asks each Authenticator whether it can authenticate a particular *type of*
> > AuthenticationRequest, rather than an actual AuthenticationRequest.
> >
> > My guess is that you have a canAuthenticate(AuthenticationRequest) method
> > which doesn't have an @Override on it, and so the compiler didn't flag that
> > this is no longer an overriding method?
>
> I am extending "PasswordRequestAuthenticatorAbstract", which has a:
> public final boolean canAuthenticate(final Class<? extends AuthenticationRequest> authenticationRequestClass)
>
> Note the "final".
>
> I am overriding isValid:
>
>    @Override
>    public boolean isValid(AuthenticationRequest request) {
>        final AuthenticationRequestPassword passwordRequest = (AuthenticationRequestPassword) request;
>        final String username = passwordRequest.getName();
>        if (Strings.isNullOrEmpty(username)) {
>            return false;
>        }
>        final String password = passwordRequest.getPassword();
>        Assert.assertNotNull(password);
>
>        return isPasswordValidForUser(passwordRequest, username, password);
>
>        // return true;
>    }
>
> This used to work fine, now it returns the error message if a login fails.
>
> >
> > ~~~
> > Let me know how you get on...
>
>
> You can reproduce the error with the default "file" authenticator.
>
> Valid details - login.
> Invalid details - HTTP ERROR 500
>
> Regards,
> Kevin
>
>

Re: Authentication is now really strange

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Yup - thanks!

Seems to work like I remember.

Regards,
Kevin


On 30 Nov 2011 at 8:53, Dan Haywood wrote:

> ok, fixed.
> 
> Well, changed, and hopefully fixed.
> 
> At any rate, there was definitely a logic bug that I introduced that I've
> now corrected.
> 
> do a svn up and let me know...
> 
> Dan


Re: Authentication is now really strange

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
ok, fixed.

Well, changed, and hopefully fixed.

At any rate, there was definitely a logic bug that I introduced that I've
now corrected.

do a svn up and let me know...

Dan



Re: Authentication is now really strange

Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Dan,

> I changed the API for Authenticator a little, so that it would be
> consistent with the new Registrar:
> 
> canAuthenticate(AuthenticationRequest)
> 
> is now
> 
> canAuthenticate(Class<? extends AuthenticationRequest>).
> 
> In other words, it's the means by which the AuthenticationManagerStandard
> asks each Authenticator whether it can authenticate a particular *type of*
> AuthenticationRequest, rather than an actual AuthenticationRequest.
> 
> My guess is that you have a canAuthenticate(AuthenticationRequest) method
> which doesn't have an @Override on it, and so the compiler didn't flag that
> this is no longer an overriding method?

I am extending "PasswordRequestAuthenticatorAbstract", which has a:
public final boolean canAuthenticate(final Class<? extends AuthenticationRequest> authenticationRequestClass)

Note the "final".

I am overriding isValid:

    @Override
    public boolean isValid(AuthenticationRequest request) {
        final AuthenticationRequestPassword passwordRequest = (AuthenticationRequestPassword) request;
        final String username = passwordRequest.getName();
        if (Strings.isNullOrEmpty(username)) {
            return false;
        }
        final String password = passwordRequest.getPassword();
        Assert.assertNotNull(password);

        return isPasswordValidForUser(passwordRequest, username, password);

        // return true;
    }

This used to work fine, now it returns the error message if a login fails.

> 
> ~~~
> Let me know how you get on...


You can reproduce the error with the default "file" authenticator.

Valid details - login.
Invalid details - HTTP ERROR 500

Regards,
Kevin


Re: Authentication is now really strange

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Hi Kevin,
I changed the API for Authenticator a little, so that it would be
consistent with the new Registrar:

canAuthenticate(AuthenticationRequest)

is now

canAuthenticate(Class<? extends AuthenticationRequest>).

In other words, it's the means by which the AuthenticationManagerStandard
asks each Authenticator whether it can authenticate a particular *type of*
AuthenticationRequest, rather than an actual AuthenticationRequest.

My guess is that you have a canAuthenticate(AuthenticationRequest) method
which doesn't have an @Override on it, and so the compiler didn't flag that
this is no longer an overriding method?

If so, you should change it, eg:

boolean canAuthenticate(AuthenticationRequest request) {
  return request instanceof AuthenticationRequestPassword;
}

is now

boolean canAuthenticate(Class<? extends AuthenticationRequest> requestType) {
  return AuthenticationRequestPassword.class.isAssignableFrom(requestType);
}


~~~
Let me know how you get on...

Dan




On 29 November 2011 20:16, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:

> Hi Dan,
>
> Since your latest changes to the authentication engine, I don't know
> how to handle authentication in my REST authenticator.
>
> If my authenticator returns false for:
>        isValid(AuthenticationRequest request)
> i.e. if the credentials are not valid, I get an error message:
>
> HTTP ERROR 500
>
> Problem accessing /logon.app. Reason:
>
>    No authenticator available for processing
> org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
>
> Caused by:
>
> org.apache.isis.core.runtime.authentication.standard.NoAuthenticatorException:
> No authenticator available for processing
> org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
>        at
> org.apache.isis.core.runtime.authentication.standard.AuthenticationManagerStandard.authenticate(AuthenticationManagerStandard.java:126)
>        at
> org.apache.isis.viewer.html.servlet.LogonServlet.authenticate(LogonServlet.java:126)
>
>
> If I return true, then you can login with any credentials whatsoever.
>
> Something is not quite right with this... what should I be doing?
>
> Regards,
> Kevin
>
>
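
The distinction this thread turns on, as an added sketch that is not the Apache Isis source and not the change Dan committed: canAuthenticate answers a type-level question, isValid checks credentials, and only the absence of any capable authenticator should surface as NoAuthenticatorException. The nested types are simplified stand-ins that reuse the names from the thread; TokenRequest, USERS and the sample credentials are constructed for the demo, and records assume Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;

// Simplified stand-ins for the types named in this thread, not the Apache Isis classes.
public class AuthDispatchSketch {
    interface AuthenticationRequest { String getName(); }
    record AuthenticationRequestPassword(String name, String password) implements AuthenticationRequest {
        public String getName() { return name; } }
    record TokenRequest(String name) implements AuthenticationRequest { // hypothetical second request type
        public String getName() { return name; } }
    interface Authenticator {
        boolean canAuthenticate(Class<? extends AuthenticationRequest> requestType); // type-level question
        boolean isValid(AuthenticationRequest request);                              // credential check
    }
    static class NoAuthenticatorException extends RuntimeException {
        NoAuthenticatorException(String message) { super(message); } }

    // Constructed sample credential store, for the demo only.
    static final Map<String, String> USERS = Map.of("alice", "correct-horse");

    static final Authenticator PASSWORD_AUTHENTICATOR = new Authenticator() {
        @Override public boolean canAuthenticate(Class<? extends AuthenticationRequest> requestType) {
            return AuthenticationRequestPassword.class.isAssignableFrom(requestType);
        }
        @Override public boolean isValid(AuthenticationRequest request) {
            AuthenticationRequestPassword r = (AuthenticationRequestPassword) request;
            String expected = USERS.get(r.name());
            return expected != null && r.password() != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), r.password().getBytes(StandardCharsets.UTF_8));
        }
    };

    /** Returns the user name on success, or null when every capable authenticator rejects the credentials. */
    static String authenticate(List<Authenticator> authenticators, AuthenticationRequest request) {
        boolean anyCapable = false;
        for (Authenticator a : authenticators) {
            if (!a.canAuthenticate(request.getClass())) continue; // wrong request type for this authenticator
            anyCapable = true;
            if (a.isValid(request)) return request.getName();
        }
        if (!anyCapable) // only a missing handler is a configuration error
            throw new NoAuthenticatorException("No authenticator available for processing " + request.getClass().getName());
        return null;     // rejected login: fail closed, no session, and no HTTP 500
    }

    public static void main(String[] args) {
        List<Authenticator> chain = List.of(PASSWORD_AUTHENTICATOR);
        System.out.println(authenticate(chain, new AuthenticationRequestPassword("alice", "correct-horse")));
        System.out.println(authenticate(chain, new AuthenticationRequestPassword("alice", "wrong")));
        try { authenticate(chain, new TokenRequest("alice")); }
        catch (NoAuthenticatorException e) { System.out.println("config error: " + e.getMessage()); }
    }
}
```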