[EMAIL PROTECTED] wrote:

Ben,

I had to force Basic authentication by modifying the BasicProcessingFilter
class so that the doFilter method sets the header field to "Basic "
if the header is null.  I know this is ugly, but the SOAP client (Flash
component) is not sending this value when the request is made.  I do not
understand this.

Anyways, here is what I had to code to force this to happen. If you know
a better way, I would like to know about it. I think that the Flash
client is not setting this header field correctly to indicate that it is
Basic auth, but I am not sure. If I do not use this code then a
subsequent Acegi filter will try to redirect to a login page. Please
advise.




Mark

What is supposed to happen is:

1. SOAP request received, and attempted to be executed.
2. MethodSecurityInterceptor throws AuthenticationException.
3. Wrapping SecurityEnforcementFilter detects AuthenticationException and calls AuthenticationEntryPoint (which must be BasicProcessingFilterEntryPoint).
4. BasicProcessingFilterEntryPoint responds with a challenge like this: WWW-Authenticate: Basic realm="WallyWorld"
5. SOAP client reads challenge, and retries request but this time with a header like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
6. SOAP request received, and attempted to be executed.
7. BasicProcessingFilter detects header and attempts authentication, placing successful Authentication into the HttpSession.
8. AutoIntegrationFilter grabs the Authentication from the HttpSession and places it onto the ContextHolder.
9. MethodSecurityInterceptor is successful this time, as there is an Authentication object on the ContextHolder.


Your code change seems to suggest to me your SecurityEnforcementFilter isn't configured properly. It seems as if your BasicProcessingFilter is being used to simulate an attempted authentication, which will cause BasicProcessingFilter to launch BasicProcessingFilterEntryPoint right away (it's designed to do this, as the user might have presented invalid credentials, so they're given a chance to try again). Would you mind copying your application context XML into an email showing the configuration of the security objects? It should look something like this:

<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
    <!-- NB this line: the entry point must be the Basic one -->
    <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>
</bean>

<bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>
</bean>

<bean id="basicProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName"><value>My Company's Realm</value></property>
</bean>


Thanks
Ben
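The nine-step challenge/response flow Ben describes, modelled as an added Python example. This is not Acegi code and not code from either poster: the user store, the dict standing in for the HttpSession, and the function names are constructed for illustration; the realm name and the Base64 token are the ones quoted in the steps above. The point it makes is the one Ben makes: when the Authorization header is absent the server side issues a 401 challenge and the client retries with the header, so the filter never needs to synthesize a "Basic " header itself, and a header with bad or malformed credentials simply gets the challenge again.

```python
import base64

REALM = "WallyWorld"  # realm from step 4 above
# Constructed credential store for this example (Acegi would use an AuthenticationManager).
USERS = {"Aladdin": "open sesame"}


def challenge(realm=REALM):
    """Step 4: what BasicProcessingFilterEntryPoint sends back - a 401 with a WWW-Authenticate header."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{realm}"'}}


def basic_header(user, password):
    """Client-side helper: build the value of an 'Authorization: Basic ...' header (step 5)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value):
    """Return (user, password) from 'Basic <base64>', or None if the header is absent or malformed.
    A value of just 'Basic ' (what Mark's patch forces in) carries no token and is treated as absent."""
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(headers, session):
    """Server side (steps 2-4 and 6-9 collapsed). `session` is a dict standing in for the HttpSession."""
    if session.get("principal"):
        # Step 8/9: an Authentication already in the session, request succeeds.
        return {"status": 200, "body": f"hello {session['principal']}"}
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        # No usable credentials: the entry point challenges; nothing is faked into the request.
        return challenge()
    user, password = creds
    if USERS.get(user) != password:
        # Step 7 with bad credentials: the filter re-issues the challenge so the client can retry.
        return challenge()
    session["principal"] = user  # step 7: successful Authentication stored in the session
    return {"status": 200, "body": f"hello {user}"}


def client_round_trip(user, password):
    """Client side (steps 1 and 5). Returns the list of (request description, status) exchanges."""
    session = {}
    transcript = []
    resp = handle_request({}, session)  # step 1: first request carries no Authorization header
    transcript.append(("no Authorization header", resp["status"]))
    if resp["status"] == 401 and resp["headers"]["WWW-Authenticate"].startswith("Basic "):
        header = basic_header(user, password)  # step 5: retry with credentials
        resp = handle_request({"Authorization": header}, session)
        transcript.append((f"Authorization: {header}", resp["status"]))
    return transcript


if __name__ == "__main__":
    for step in client_round_trip("Aladdin", "open sesame"):
        print(step)
```

Running the block prints the two exchanges: the first request answered 401, the retry with `Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==` answered 200. A client that never retries after the 401 (which is what Mark's Flash component appears to be doing) stays at step 4, and that is the situation to fix on the client or in the entry-point wiring, not by stuffing a bare "Basic " into the request.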



_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
