I have a customized security filter added to the server of the application. If I run the SWT UI for the application, it shows a login dialog at startup. But if I run the RAP UI (the only one I'm interested in), there is no dialog. I think I can do the same implementation for the RAP. But that would mean having two different authentication mechanisms. Is there some way to invoke the server-side authentication, and by this generate a login dialog in the web browser?
You probably need to register your filter in the RAP plugin for the alias "/". If a login is required, the browser will automatically open a login window if your filter returns an appropriate basic auth response (see also BasicSecurityFilter).
Some more information:
- Rap server connects to /ajax of the actual server with a token. /ajax typically is not covered by the servlet filters in the server.
- The bundles org.eclipse.scout.rt.server and org.eclipse.scout.rt.ui.rap register two servlet filters by default, one for development and one for production. The one for development doesn't ask for a login, it simply sets the user to the one defined in the system property "user.name". They are registered with a very high ranking to make sure custom filters come first.
I think you don't get any login box at the moment, because the DevelopmentAuthFilter is used.
If I add the /ajax alias to the server filter, the UI layer gets kicked out when accessing the server, I think because authentication on the RAP UI layer is not active or is not thought to work that way.
I can add a customized security filter on the RAP layer, but that is forcing me to keep up two different security filters, and to access the database from the RAP UI layer, and I don't want to do that (or am I missing something?).
I want the access to the database to check authentication to be done on the server side. Is this approach wrong?
Should I do a "securityprocessservice" server side and access it from the RAP UI layer?
You are correct about the DevelopmentAuthFilter, basicfilter makes the login dialog appear also....
Accessing the database only from the actual server and not from the rap server is a good idea. I suggest to provide a servlet on the actual server which does the authentication check. The security filter on the rap server can then make a call to this servlet. If the response from the servlet is not HttpServletResponse.SC_OK, return HttpServletResponse.SC_UNAUTHORIZED along with the basic auth headers.
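A sketch of the filter suggested in the last answer, as an added example that is not part of the original thread and not Scout's own code. It uses only the standard `javax.servlet` API; the class name `BackendAuthFilter`, the `authUrl` init-param, the realm name and the assumption that the authentication servlet accepts a forwarded Basic `Authorization` header are all hypothetical.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter for the RAP server: it delegates the credential check to an
// authentication servlet on the actual server, so only that server touches the database.
public class BackendAuthFilter implements Filter {
  private URL authUrl; // assumed init-param "authUrl", e.g. https://backend.example/auth

  @Override
  public void init(FilterConfig config) throws ServletException {
    try {
      authUrl = new URL(config.getInitParameter("authUrl"));
    } catch (IOException e) { // MalformedURLException is an IOException
      throw new ServletException("invalid authUrl init-param", e);
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    HttpServletResponse httpRes = (HttpServletResponse) res;
    String auth = httpReq.getHeader("Authorization");
    // Only forward Basic credentials; anything else is treated as unauthenticated.
    if (auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6) && backendAccepts(auth)) {
      chain.doFilter(req, res);
      return;
    }
    // Missing or rejected credentials: make the browser open its login dialog.
    httpRes.setHeader("WWW-Authenticate", "Basic realm=\"application\"");
    httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED);
  }

  private boolean backendAccepts(String authorizationHeader) {
    try {
      HttpURLConnection con = (HttpURLConnection) authUrl.openConnection();
      con.setInstanceFollowRedirects(false); // a redirect must not count as success
      con.setConnectTimeout(3000);
      con.setReadTimeout(3000);
      con.setRequestProperty("Authorization", authorizationHeader);
      return con.getResponseCode() == HttpServletResponse.SC_OK;
    } catch (IOException e) {
      return false; // fail closed when the actual server is unreachable
    }
  }

  @Override
  public void destroy() { }
}
```

Because Basic credentials travel with every request, both the browser-to-RAP and the RAP-to-server connections should use TLS.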