Posted to dev@isis.apache.org by Kevin Meyer - KMZ <ke...@kmz.co.za> on 2011/11/29 21:16:13 UTC
Authentication is now really strange
Hi Dan,
Since your latest changes to the authentication engine, I don't know
how to handle authentication in my REST authenticator.
If my authenticator returns false for:
isValid(AuthenticationRequest request)
i.e. if the credentials are not valid, I get an error message:
HTTP ERROR 500
Problem accessing /logon.app. Reason:
No authenticator available for processing org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
Caused by:
org.apache.isis.core.runtime.authentication.standard.NoAuthenticatorException: No authenticator available for processing org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
at org.apache.isis.core.runtime.authentication.standard.AuthenticationManagerStandard.authenticate(AuthenticationManagerStandard.java:126)
at org.apache.isis.viewer.html.servlet.LogonServlet.authenticate(LogonServlet.java:126)
If I return true, then you can login with any credentials whatsoever.
Something is not quite right with this... what should I be doing?
Regards,
Kevin
Re: Authentication is now really strange
Posted by Dan Haywood <da...@haywood-associates.co.uk>.
ok, looking into it now. Aargh.
On 30 November 2011 07:36, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:
> Hi Dan,
>
> > I changed the API for Authenticator a little, so that it would be
> > consistent with the new Registrar:
> >
> > canAuthenticate(AuthenticationRequest)
> >
> > is now
> >
> > canAuthenticate(Class<? extends AuthenticationRequest>).
> >
> > In other words, it's the means by which the AuthenticationManagerStandard
> > asks each Authenticator whether it can authenticate a particular *type of*
> > AuthenticationRequest, rather than an actual AuthenticationRequest.
> >
> > My guess is that you have a canAuthenticate(AuthenticationRequest) method
> > which doesn't have an @Override on it, and so the compiler didn't flag that
> > this is no longer an overriding method?
>
> I am extending "PasswordRequestAuthenticatorAbstract", which has a:
> public final boolean canAuthenticate(final Class<? extends
> AuthenticationRequest> authenticationRequestClass)
>
> Note the "final".
>
> I am overriding isValid:
>
> @Override
> public boolean isValid(AuthenticationRequest request) {
> final AuthenticationRequestPassword passwordRequest =
> (AuthenticationRequestPassword) request;
> final String username = passwordRequest.getName();
> if (Strings.isNullOrEmpty(username)) {
> return false;
> }
> final String password = passwordRequest.getPassword();
> Assert.assertNotNull(password);
>
> return isPasswordValidForUser(passwordRequest, username, password);
>
> // return true;
> }
>
> This used to work fine, now it returns the error message if a login fails.
>
> >
> > ~~~
> > Let me know how you get on...
>
>
> You can reproduce the error with the default "file" authenticator.
>
> Valid details - login.
> Invalid details - HTTP ERROR 500
>
> Regards,
> Kevin
>
>
Re: Authentication is now really strange
Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Yup - thanks!
Seems to work like I remember.
Regards,
Kevin
On 30 Nov 2011 at 8:53, Dan Haywood wrote:
> ok, fixed.
>
> Well, changed, and hopefully fixed.
>
> At any rate, there was definitely a logic bug that I introduced that I've
> now corrected.
>
> do a svn up and let me know...
>
> Dan
Re: Authentication is now really strange
Posted by Dan Haywood <da...@haywood-associates.co.uk>.
ok, fixed.
Well, changed, and hopefully fixed.
At any rate, there was definitely a logic bug that I introduced that I've
now corrected.
do a svn up and let me know...
Dan
On 30 November 2011 07:36, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:
> Hi Dan,
>
> > I changed the API for Authenticator a little, so that it would be
> > consistent with the new Registrar:
> >
> > canAuthenticate(AuthenticationRequest)
> >
> > is now
> >
> > canAuthenticate(Class<? extends AuthenticationRequest>).
> >
> > In other words, it's the means by which the AuthenticationManagerStandard
> > asks each Authenticator whether it can authenticate a particular *type of*
> > AuthenticationRequest, rather than an actual AuthenticationRequest.
> >
> > My guess is that you have a canAuthenticate(AuthenticationRequest) method
> > which doesn't have an @Override on it, and so the compiler didn't flag that
> > this is no longer an overriding method?
>
> I am extending "PasswordRequestAuthenticatorAbstract", which has a:
> public final boolean canAuthenticate(final Class<? extends
> AuthenticationRequest> authenticationRequestClass)
>
> Note the "final".
>
> I am overriding isValid:
>
> @Override
> public boolean isValid(AuthenticationRequest request) {
> final AuthenticationRequestPassword passwordRequest =
> (AuthenticationRequestPassword) request;
> final String username = passwordRequest.getName();
> if (Strings.isNullOrEmpty(username)) {
> return false;
> }
> final String password = passwordRequest.getPassword();
> Assert.assertNotNull(password);
>
> return isPasswordValidForUser(passwordRequest, username, password);
>
> // return true;
> }
>
> This used to work fine, now it returns the error message if a login fails.
>
> >
> > ~~~
> > Let me know how you get on...
>
>
> You can reproduce the error with the default "file" authenticator.
>
> Valid details - login.
> Invalid details - HTTP ERROR 500
>
> Regards,
> Kevin
>
>
Re: Authentication is now really strange
Posted by Kevin Meyer - KMZ <ke...@kmz.co.za>.
Hi Dan,
> I changed the API for Authenticator a little, so that it would be
> consistent with the new Registrar:
>
> canAuthenticate(AuthenticationRequest)
>
> is now
>
> canAuthenticate(Class<? extends AuthenticationRequest>).
>
> In other words, it's the means by which the AuthenticationManagerStandard
> asks each Authenticator whether it can authenticate a particular *type of*
> AuthenticationRequest, rather than an actual AuthenticationRequest.
>
> My guess is that you have a canAuthenticate(AuthenticationRequest) method
> which doesn't have an @Override on it, and so the compiler didn't flag that
> this is no longer an overriding method?
I am extending "PasswordRequestAuthenticatorAbstract", which has a:
public final boolean canAuthenticate(final Class<? extends AuthenticationRequest> authenticationRequestClass)
Note the "final".
I am overriding isValid:
    @Override
    public boolean isValid(AuthenticationRequest request) {
        final AuthenticationRequestPassword passwordRequest = (AuthenticationRequestPassword) request;
        final String username = passwordRequest.getName();
        if (Strings.isNullOrEmpty(username)) {
            return false;
        }
        final String password = passwordRequest.getPassword();
        Assert.assertNotNull(password);
        return isPasswordValidForUser(passwordRequest, username, password);
        // return true;
    }
This used to work fine, now it returns the error message if a login fails.
>
> ~~~
> Let me know how you get on...
You can reproduce the error with the default "file" authenticator.
Valid details - login.
Invalid details - HTTP ERROR 500
Regards,
Kevin
Re: Authentication is now really strange
Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Hi Kevin,
I changed the API for Authenticator a little, so that it would be
consistent with the new Registrar:
canAuthenticate(AuthenticationRequest)
is now
canAuthenticate(Class<? extends AuthenticationRequest>).
In other words, it's the means by which the AuthenticationManagerStandard
asks each Authenticator whether it can authenticate a particular *type of*
AuthenticationRequest, rather than an actual AuthenticationRequest.
My guess is that you have a canAuthenticate(AuthenticationRequest) method
which doesn't have an @Override on it, and so the compiler didn't flag that
this is no longer an overriding method?
If so, you should change it, eg:
    boolean canAuthenticate(AuthenticationRequest request) {
        return request instanceof AuthenticationRequestPassword;
    }
is now
    boolean canAuthenticate(Class<? extends AuthenticationRequest> requestType) {
        return AuthenticationRequestPassword.class.isAssignableFrom(requestType);
    }
~~~
Let me know how you get on...
Dan
On 29 November 2011 20:16, Kevin Meyer - KMZ <ke...@kmz.co.za> wrote:
> Hi Dan,
>
> Since your latest changes to the authentication engine, I don't know
> how to handle authentication in my REST authenticator.
>
> If my authenticator returns false for:
> isValid(AuthenticationRequest request)
> i.e. if the credentials are not valid, I get an error message:
>
> HTTP ERROR 500
>
> Problem accessing /logon.app. Reason:
>
> No authenticator available for processing
> org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
>
> Caused by:
>
> org.apache.isis.core.runtime.authentication.standard.NoAuthenticatorException:
> No authenticator available for processing
> org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword
> at
> org.apache.isis.core.runtime.authentication.standard.AuthenticationManagerStandard.authenticate(AuthenticationManagerStandard.java:126)
> at
> org.apache.isis.viewer.html.servlet.LogonServlet.authenticate(LogonServlet.java:126)
>
>
> If I return true, then you can login with any credentials whatsoever.
>
> Something is not quite right with this... what should I be doing?
>
> Regards,
> Kevin
>
>
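
The two outcomes this thread turns on, kept separate in a manager loop: "no authenticator supports this request type" (a configuration error) versus "an authenticator supports it but rejected the credentials" (a normal failed login). This is an added example, not part of the original messages and not the Isis source or the fix Dan committed; `AuthDispatchDemo`, `PasswordRequest`, `TokenRequest`, `FixedPasswordAuthenticator`, the local `NoAuthenticatorException` and the `sven`/`pass` account are hypothetical stand-ins constructed for illustration.

```java
import java.util.List;

public class AuthDispatchDemo {
    // Hypothetical stand-ins for the request types named in the thread.
    interface AuthenticationRequest { String getName(); }
    record PasswordRequest(String name, String password) implements AuthenticationRequest {
        public String getName() { return name; }
    }
    record TokenRequest(String name) implements AuthenticationRequest {
        public String getName() { return name; }
    }
    interface Authenticator {
        boolean canAuthenticate(Class<? extends AuthenticationRequest> requestType); // type-level
        boolean isValid(AuthenticationRequest request);                              // credential-level
    }
    static class NoAuthenticatorException extends RuntimeException {
        NoAuthenticatorException(String msg) { super(msg); }
    }
    // Constructed sample authenticator with a single hard-coded account.
    static class FixedPasswordAuthenticator implements Authenticator {
        @Override // compile error if the signature ever drifts from the interface
        public boolean canAuthenticate(Class<? extends AuthenticationRequest> requestType) {
            return PasswordRequest.class.isAssignableFrom(requestType);
        }
        @Override
        public boolean isValid(AuthenticationRequest request) {
            PasswordRequest p = (PasswordRequest) request;
            return "sven".equals(p.name()) && "pass".equals(p.password());
        }
    }
    /** Returns the user name on success, null when the credentials were rejected. */
    static String authenticate(List<Authenticator> authenticators, AuthenticationRequest request) {
        boolean supported = false;
        for (Authenticator a : authenticators) {
            if (!a.canAuthenticate(request.getClass())) continue;
            supported = true;                      // someone handles this type
            if (a.isValid(request)) return request.getName();
        }
        if (!supported) {                          // only now is it a configuration error
            throw new NoAuthenticatorException(
                "No authenticator available for processing " + request.getClass().getName());
        }
        return null;                               // handled but rejected: deny, no HTTP 500
    }
    public static void main(String[] args) {
        List<Authenticator> auths = List.of(new FixedPasswordAuthenticator());
        System.out.println(authenticate(auths, new PasswordRequest("sven", "pass")));
        System.out.println(authenticate(auths, new PasswordRequest("sven", "wrong")));
        try { authenticate(auths, new TokenRequest("sven")); }
        catch (NoAuthenticatorException e) { System.out.println("config error: " + e.getMessage()); }
    }
}
```

A caller such as a logon servlet can treat the `null` return as a failed login and re-prompt, reserving the exception path for deployments where no authenticator is registered for the request type.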