[prev in list] [next in list] [prev in thread] [next in thread] 

List:       cactus-dev
Subject:    RE: Adding Authentication To Cactus
From:       "Nicholas Lesiecki" <nick () eblox ! com>
Date:       2001-12-28 16:53:53
[Download RAW message or body]

Jason,

Thanks a lot for submitting this! we'll look it over and provide feedback to
you (Vincent will probably have more than I do...) sometime within the next
few days.

thanks,

Nicholas Lesiecki
Technical Team Lead
eBlox, Inc.
(520) 615-9345 x104
Check out my new book!:
Java Tools for Extreme Programming: Mastering Open Source Tools, including
Ant, JUnit, and Cactus

http://www.amazon.com/exec/obidos/ASIN/047120708X/qid=1009555097/sr=8-1/ref=
sr_8_3_1/104-6010699-0942316


-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson@acs-inc.com]
Sent: Friday, December 28, 2001 9:34 AM
To: 'cactus-dev@jakarta.apache.org'
Subject: Adding Authentication To Cactus


Howdy all,

I'm a new Cactus user and I hit a stumbling block right out of the gate: no
authentication capabilities. So, after a quick check with Vince where I
found out there wasn't any active work being done on the topic, I dove in
and would like to submit my first-pass solution for review.

The solution is fairly simple and is designed for expansion, and there is
one issue that I will need guidance on what is the proper thing to do to
keep with the Cactus "spirit". Also, the solution does revolve around basic
authentication so it may not adapt well to form-based authentication, but
I'm hoping it will.

First, here is the user perspective:

public void beginSomeTest(WebRequest theRequest)
{
    String username = "???";
    String password = "???";

    theRequest.setAuthentication(
        new BasicAuthentication(username, password));
}

The WebRequest object was expanded to hold an AbstractAuthentication object,
and currently the only concrete object of this type is BasicAuthentication.
Implementing FormAuthentication will hopefully be straight-forward and would
be used identically by the user.

The AbstractAuthentication class was designed with the simple assumption
that ALL authentication implementations will have a String UserId and a
String Password. Two abstract functions validateUserId and validatePassword
provide for concrete implementations to perform character validation.

All the work is then done in this abstract function:

void configureAuthentication(HttpURLConnection connection);

In the BasicAuthentication class, for example, the configuring is done by
adding the request property "Authorization" with a value "Basic
<base64encode of 'userid:password'>".

In HttpClientHelper, there are now these lines in the connect method:

AbstractAuthentication authentication =
    theRequest.getAuthentication();

if (authentication != null) {
    authentication.configureAuthentication(connection);
}

And it's really as simple as that ... almost.

In order to make the execution context of my servlet-under-test have the
proper authentication, you have to require the same authentication on
ServletRedirector. So everything is fine with the above code for the
CALL_TEST service. But then there's the GET_RESULTS service - which uses its
own WebRequest (and thus doesn't have the authentication information). The
call to GET_RESULTS returns with a 401 Unauthorized error.

To solve this, I hacked it up by passing the original WebRequest into
callGetResult and pulling the Authentication object from this request and
sticking it in the new request. This is where I need some guidance on what
would be "proper".

All the files I modified are attached and should compile with the 12/25/01
nightly build files.

One out of one test has passed on my machine so I'm sure my code works in
all circumstances everywhere else in the world. :)

I'm going to look into form authentication this afternoon, but I'm not
promising anything by the end of the day!

Small Issues:

- I didn't use java.security.Principal to hold the userId because it didn't
seem to buy me much. This could easily be changed if necessary.
- Similarly, commons-httpclient has a UsernamePasswordCredentials object
which seems similar to my AbstractAuthentication Object minus the configure
method, but I didn't get the code for it yet and can't verify exactly what
is does.
- Is there a base64Encode method somewhere that I could be using instead of
pasting my own into the BasicAuthentication class?
- I put the Abstract & BasicAuthentication objects in the util package, only
so I wouldn't have to pull any other package into WebReqeust. If they belong
somewhere more appropriate (and I'm betting they do), let me know.

Jason

p.s. I'm on vacation all next week, so when I don't reply to anyone please
don't think I'm a jerk! :) I'll be back in the office on Jan 7.



--
To unsubscribe, e-mail:   <mailto:cactus-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:cactus-dev-help@jakarta.apache.org>

[prev in list] [next in list] [prev in thread] [next in thread]