[Acegisecurity-developer] Anonymous Authentication: getRemoteUser should return null?

2005-03-09 Thread Matt Raible
I've recently upgraded AppFuse from a snapshot of 0.7.0 to 0.8.0 and now 
I'm using the anonymous authentication stuff.  While it seems to work 
well, I tend to use request.getRemoteUser() as an indicator that a user 
has logged in successfully.  For this reason, and to be more in line 
with container-managed authentication, I think it's a good idea to 
change ContextHolderAwareRequestWrapper.java to return null for 
anonymous users.  Below is a patch to make this happen - I can also send 
the file if necessary.

Matt
Index: 
core/src/main/java/net/sf/acegisecurity/wrapper/ContextHolderAwareRequestWrapper.java
===
RCS file: 
/cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/wrapper/ContextHolderAwareRequestWrapper.java,v
retrieving revision 1.1
diff -u -r1.1 ContextHolderAwareRequestWrapper.java
--- 
core/src/main/java/net/sf/acegisecurity/wrapper/ContextHolderAwareRequestWrapper.java
   21 Feb 2005 06:48:25 -  1.1
+++ 
core/src/main/java/net/sf/acegisecurity/wrapper/ContextHolderAwareRequestWrapper.java
   10 Mar 2005 04:53:33 -
@@ -16,6 +16,8 @@
package net.sf.acegisecurity.wrapper;
import net.sf.acegisecurity.Authentication;
+import net.sf.acegisecurity.AuthenticationTrustResolver;
+import net.sf.acegisecurity.AuthenticationTrustResolverImpl;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.context.ContextHolder;
@@ -39,6 +41,10 @@
 * @version $Id: ContextHolderAwareRequestWrapper.java,v 1.1 2005/02/21 
06:48:25 benalex Exp $
 */
public class ContextHolderAwareRequestWrapper extends HttpServletRequestWrapper 
{
+//~ Instance fields 

+
+private AuthenticationTrustResolver authenticationTrustResolver = new 
AuthenticationTrustResolverImpl();
+
//~ Constructors ===
public ContextHolderAwareRequestWrapper(HttpServletRequest request) {
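Review bot: the new authenticationTrustResolver field is initialised inline with new AuthenticationTrustResolverImpl() and this hunk adds no setter or constructor argument for it, so a deployment that uses a differently configured resolver elsewhere cannot make the wrapper agree with it. Consider accepting the resolver through the constructor and falling back to AuthenticationTrustResolverImpl only when none is supplied; the field can then be declared final.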
@@ -109,8 +115,12 @@
private Authentication getAuthentication() {
if ((ContextHolder.getContext() != null)
&& ContextHolder.getContext() instanceof SecureContext) {
-return ((SecureContext) ContextHolder.getContext())
-.getAuthentication();
+Authentication auth = ((SecureContext) ContextHolder.getContext())
+  .getAuthentication();
+// only return authentication for non-anonymous users
+if (!authenticationTrustResolver.isAnonymous(auth)) {
+return auth;
+}
}
return null;
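Review bot: the anonymous check sits in the private getAuthentication() helper rather than in getRemoteUser(), so every method of the wrapper that goes through this helper now sees null for an anonymous user, not only the remote-user lookup the change is aimed at. If only getRemoteUser() should change, move the isAnonymous test there; if the wider effect is intended, state it in the method's Javadoc. auth may also be null at the call authenticationTrustResolver.isAnonymous(auth), so either guard it or confirm the resolver accepts null.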

---
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


[Acegisecurity-developer] session.invalidate() vs. ContextHolder.setContext(null)

2005-03-09 Thread Matt Raible
With Acegi Security 0.7.0, I was able to use session.invalidate() to 
log out a user - much like I do when using container-managed 
authentication.  However, with 0.8.0, I've found that I have to use 
ContextHolder.setContext(null).  Is there any way to change back to the 
old behavior so I don't have any Acegi Security-specific code in my app 
- so users can easily switch back to CMA (non-Acegi Security based) if 
they want?

Thanks,
Matt



[Acegisecurity-developer] FilterChainProxy and ContextHolderAwareRequestFilter

2005-03-09 Thread Matt Raible
Sorry for all the questions, just want to get all my ducks in a row so 
AppFuse is using Acegi Security in the recommended fashion.

There are two questions below:

All of the above filters use |FilterToBeanProxy| or |FilterChainProxy|, 
which is discussed in the previous sections. It is recommended that a 
single |FilterToBeanProxy| proxy through to a single |FilterChainProxy| 
for each application, with that |FilterChainProxy| defining all of the 
Acegi Security |Filter|s.


Question 1: I've found that putting the ContextHolderAwareRequestFilter 
in a FilterChainProxy bean does not work - it has to be explicitly 
mapped in my web.xml.  Is this a bug in the documentation or implementation?

web.xml:
---
   
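   <filter>
      <filter-name>securityFilter</filter-name>
      <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
      <init-param>
         <param-name>targetClass</param-name>
         <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
      </init-param>
   </filter>
   <filter-mapping>
      <filter-name>securityFilter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>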
   

applicationContext-security.xml:
-
   
   
   
   CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
   PATTERN_TYPE_APACHE_ANT
   
/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,remoteUserFilter,anonymousProcessingFilter,securityEnforcementFilter
   
   
   

Where "remoteUserFilter" is defined as a bean in this same file:


Question 2: Because I still have to map 2 filters for Acegi Security, 
I'm leaning toward using the 5-filters in web.xml, rather than the one 
filter+FilterChainProxy.  Are there any advantages to one or the other?  
The one thing I like about individual filters is I can make the 
 a little more explicit.  Is something like the following 
possible with FilterChainProxy - so all 5 filters aren't processed for 
every request?

   
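   <filter-mapping>
      <filter-name>sessionContextIntegrationFilter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>authenticationFilter</filter-name>
      <url-pattern>/j_security_check</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>anonymousAuthenticationFilter</filter-name>
      <url-pattern>*.html</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>securityEnforcementFilter</filter-name>
      <url-pattern>*.html</url-pattern>
   </filter-mapping>
   <filter-mapping>
      <filter-name>remoteUserFilter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>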
   
Thanks,
Matt
