Eclipse Community Forums: scout » Authentication and Authorization in RAP

Help

Home

Home » Eclipse Projects » scout » Authentication and Authorization in RAP

Show: Today's Messages :: Show Polls :: Message Navigator

Authentication and Authorization in RAP [message #1248801]

Mon, 17 February 2014 17:24

Jose Ribeiro

Messages: 5
Registered: December 2013

Junior Member

Hi,

I have an application available in SWT and RAP.
Currently i have authentication working on SWT client with a custom security filter (that connects with a remote service).

On RAP, i would like to have a similar solution compared with SWT, meaning the only place that knows to talk with remote services is the server (it requires a bunch of legacy libraries and configuration).

Is it possible to put the RAP client talking with server security in order to authenticate the webuser?
Will this mechanism impact scout Authorization mechanisms??

Thanks for your help

Report message to a moderator

Re: Authentication and Authorization in RAP [message #1249829 is a reply to message #1248801]

Tue, 18 February 2014 17:28

Jose Ribeiro

Messages: 5
Registered: December 2013

Junior Member

Hi again,

For RAP authentication i have decided to create a new custom filter that extends basicsecurityfilter.

protected int negotiate...{
  ...
      if (login(aCredentialsSet)) {
        {
          //updates the holder with a new principal with user name
          ....
          return STATUS_CONTINUE_WITH_PRINCIPAL;
        }
      }
    }
  ...
  }

  protected boolean login(final SortedSet<Credential> theUpdatedCredentials) {
      try {
        // try to do a login based on credentials specified as application arguments
        Authentication aAuthenticationResult = SERVICES.getService(IAuthenticationService.class).doAuthenticate(theUpdatedCredentials);
        //Return a status depending on your query in your IPersistenceService
        if (aAuthenticationResult.isAuthenticated()) {
          return true;
        }
      }
      catch (Exception e) {
        // there was an error authenticated the user
      }
    return false;
  }

This filter will call a scout service, but it is not able to get it and returns null, causing the login to fail.

On the server side everything seems ok, so i believe the problem is on the client accesing the service.

Basicly my question now is: How to call scout service from a securityfilter??

Thanks,

Report message to a moderator

Re: Authentication and Authorization in RAP [message #1249837 is a reply to message #1249829]

Tue, 18 February 2014 17:39

Jose Ribeiro

Messages: 5
Registered: December 2013

Junior Member

I have found a topic with a similar issue, but applied to SWT - server.

http://www.eclipse.org/forums/index.php/m/1223485/?srch=scout+service+from+filter#msg_1223485

I have also tried to implement a equivalent solution for RAP, but also without any success Sad

 protected boolean login(final SortedSet<Credential> theUpdatedCredentials) {

    ClientJob job = new ClientJob("security-filter-job", new ClientSession(), true) {
      @Override
      public IStatus runNow(IProgressMonitor monitor) {
        try {
          // try to do a login based on credentials specified as application arguments
          Authentication aAuthenticationResult = SERVICES.getService(IAuthenticationService.class).doAuthenticate(theUpdatedCredentials);
          //Return a status depending on your query in your IPersistenceService
          if (aAuthenticationResult.isAuthenticated()) {
            return Status.OK_STATUS;
          }
        }
        catch (Exception e) {
          // there was an error authenticated the user
        }
        return Status.CANCEL_STATUS;
      }
    };
    IStatus status = job.runNow(new NullProgressMonitor());
    try {
      job.throwOnError();
    }
    catch (ProcessingException e) {
      // FIXME Auto-generated catch block
      e.printStackTrace();
    }

    //Use the status to decide if the user is valid or not.
    if (status.isOK())
    {
      return true;
    }

    return false;
  }

Thanks

Report message to a moderator

Re: Authentication and Authorization in RAP [message #1251753 is a reply to message #1249837]

Thu, 20 February 2014 15:10

Jose Ribeiro

Messages: 5
Registered: December 2013

Junior Member

Hi,

i have managed to have authentication working in RAP and SWT, both solutions using a custom scout service provided by the server.

SWT
-----
Custom filter defined on the server that calls the scout service:

protected boolean login(final SortedSet<Credential> theUpdatedCredentials) {
    ServerJob job = new ServerJob("security-filter-job", new ServerSession()) {
      @Override
      protected IStatus runTransaction(IProgressMonitor monitor) throws Exception {
        //Here you can call serviceS.getservice(..)
        //Use the status to decide if the user is valid or not.
        Authentication anAuthentication = SERVICES.getService(IAuthenticationService.class).doAuthenticate(theUpdatedCredentials);
        //Return a status depending on result
        if (anAuthentication.isAuthenticated())
        {
          return Status.OK_STATUS;
        }
        return Status.CANCEL_STATUS;
      }
    };
    IStatus status = job.runNow(new NullProgressMonitor());
    if (status.isOK()) {
      return true;
    }
    return false;
  }
...

For RAP, it was not easy. The only option i have found was to create a custom authentication servlet in scout server (declared in server plugin.xml) and then call it from the RAP security filter.

For the servlet code i have:

public class AuthenticationServlet extends ServiceTunnelServlet {

  /**
   * The long <code>serialVersionUID</code>.
   */
  private static final long serialVersionUID = 1L;

  @Override
  protected void doGet(HttpServletRequest theReq, HttpServletResponse theResp) throws IOException, ServletException {
    // creates the credential set with mandatory credentials (user and pass)
    SortedSet<Credential> aCredentialsSet = new TreeSet<Credential>();
    // fill the empty credentials with values received in http headers
    if (fillCredentials(aCredentialsSet, theReq)) {
      if (login(aCredentialsSet)) {
        {
          theResp.setStatus(HttpServletResponse.SC_OK);
          return;
        }
      }
    }
    theResp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  }

  /**
   * Invokes the custom server security service to perform the authentication based on credentials.
   * 
   * @param theUpdatedCredentials
   * @return true if login has success
   */
  protected boolean login(final SortedSet<Credential> theUpdatedCredentials) {
    ServerJob job = new ServerJob("security-filter-job", new ServerSession()) {
      @Override
      protected IStatus runTransaction(IProgressMonitor monitor) throws Exception {
        //Here you can call serviceS.getservice(..)
        //Use the status to decide if the user is valid or not.
        Authentication anAuthentication = SERVICES.getService(IAuthenticationService.class).doAuthenticate(theUpdatedCredentials);
        //Return a status depending on result
        if (anAuthentication.isAuthenticated())
        {
          return Status.OK_STATUS;
        }
        return Status.CANCEL_STATUS;
      }
    };
    IStatus status = job.runNow(new NullProgressMonitor());
    if (status.isOK()) {
      return true;
    }
    return false;
  }
...

In RAP security filter :

public class DialogSecurityFilter extends AbstractChainableSecurityFilter {
  /**
   * the prop used to control the filter
   * The String <code>PROP_BASIC_ATTEMPT</code>.
   */
  public static final String PROP_BASIC_ATTEMPT = "BasicSecurityFilter.basicAttempt";

  @Override
  protected int negotiate(HttpServletRequest theReq, HttpServletResponse theResp, PrincipalHolder theHolder) throws IOException, ServletException {
    String aUser;
    // get user name and password from request and try to efectuate the login
    if ((aUser = login(theReq)) != null) {
      {
        //updates the holder with a new principal with user name
        theHolder.setPrincipal(new SimplePrincipal(aUser));
        return STATUS_CONTINUE_WITH_PRINCIPAL;
      }
    }
    int attempts = getBasicAttempt(theReq);
    if (attempts > 2) {
      return STATUS_CONTINUE_CHAIN;
    }
    else {
      setBasicAttept(theReq, attempts + 1);
      theResp.setHeader("WWW-Authenticate", "Basic realm=\"" + getRealm() + "\"");
      return STATUS_CONTINUE_CHAIN;
    }
  }

  /**
   * Call a server authentication servlet responsable for user authentication
   * 
   * @param theReq
   * @return the user name if login succeeds
   */
  protected String login(HttpServletRequest theReq) {

    URL aAuthServlet = null;

    try {
      String h = theReq.getHeader("Authorization");
      if (h != null && h.matches("Basic .*")) {
        String[] a = new String(Base64Utility.decode(h.substring(6)), "ISO-8859-1").split(":", 4);
        String user = unescapeColon(a[0].toLowerCase());
        String pass = unescapeColon(a[1]);
        // TODO we should get server base url from configuration
        aAuthServlet = new URL("localhost/example_server/auth?user=" + user + "&pass=" + pass);
        HttpURLConnection servletConnection = (HttpURLConnection) aAuthServlet.openConnection();
        servletConnection.setRequestMethod("GET");
        servletConnection.connect();
        int aResultStatus = servletConnection.getResponseCode();

        if (aResultStatus == HttpServletResponse.SC_OK) {
          return user;
        }
      }
    }
    catch (Exception e) {
      // TODO
      e.printStackTrace();
    }
    return null;
  }
...

The code is still a proof of concept, so if you have a better suggestion please tell me.

Thanks

Report message to a moderator

Previous Topic:	Cannot Close Outline using OutlineViewButton
Next Topic:	Desktop Extensions - Location of a Menu

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sun Nov 17 04:45:05 GMT 2019

.:: Contact :: Home ::.

Breadcrumbs

Sign up to our Newsletter