DataSourceSecurityFilter and Client/Serversession [message #1606943]
Sun, 08 February 2015 14:30
Hello there,
I'm wondering if it's possible to select more than one column in the DataSourceSecurityFilter#selectUserPass statement and then have the Client/Serversession populated with the columns from the SELECT statement.
E.g. from the
DataSourceSecurityFilter#selectUserPass=SELECT LOWER(username), id, countyid, seclevel FROM Users WHERE LOWER(username)=? AND PASSWORD=?
statement something like this is possible:
Long countyID = (Long) ClientSession.get().getSharedVariableMap().get("countyid");
Integer secLevel = (Integer) ClientSession.get().getSharedVariableMap().get("seclevel");
Long userId = (Long) ClientSession.get().getSharedVariableMap().get("id");
Would this make sense in a default implementation of DataSourceSecurityFilter, or is this too specific?
If it is too specific, can someone give me a hint how I can populate the Client/Serversession on my own?
Thanks
Peter
Re: DataSourceSecurityFilter and Client/Serversession [message #1608320 is a reply to message #1608285]
Mon, 09 February 2015 12:33
Jeremie Bresson wrote on Mon, 09 February 2015 12:04:
In execLoadSession() instead of the line "//Do something to initialize the value" you can connect to a database (using SQL.selectInto(..) like everywhere).
Yes, this would be possible. But this would be another round trip to the server/database. And since I can retrieve all the values with one statement, it would make perfect sense to use the retrieved values.
As a rule of thumb I want to avoid as many round trips as possible.
The same problems occur when working with collections and SQL.update/delete...
When providing a list as binding variable to the SQL statements, for every entry in the collection a single SQL statement is generated and sent to the server instead of using the IN clause of the RDBMS and transferring a list of the collection values... Because then just one SQL statement has to be processed instead of n statements depending on the collection size.
This is something I think could need some tweaking.
Regards, Peter
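Peter's point about binding a collection as one IN list instead of n single-row statements, as an added example in plain JDBC (not Scout's SQL binding and not code from this thread). The Users table and id column are taken from the selectUserPass statement above; the 1000-element chunk size is Oracle's IN-list limit and is an assumption for other databases.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Added example, not Scout's own SQL binding: delete a collection of user ids with one
 * parameterised IN statement per chunk instead of one statement per id.
 */
public final class InClauseDelete {

  /** Many databases cap the size of an IN list (Oracle: 1000 expressions), so large collections are chunked. */
  static final int MAX_IN_LIST = 1000;

  /** Builds "?, ?, ?" for n values; only placeholders go into the SQL text, never the values themselves. */
  static String placeholders(int n) {
    if (n <= 0) {
      throw new IllegalArgumentException("IN list must not be empty");
    }
    StringBuilder sb = new StringBuilder("?");
    for (int i = 1; i < n; i++) {
      sb.append(", ?");
    }
    return sb.toString();
  }

  /**
   * Deletes the rows of the Users table (table name from the thread) whose id is in {@code ids}.
   * Returns the number of statements sent: ceil(ids.size() / MAX_IN_LIST) rather than ids.size().
   */
  static int deleteUsersByIds(Connection con, Collection<Long> ids) throws SQLException {
    List<Long> all = new ArrayList<>(ids);
    int statements = 0;
    for (int from = 0; from < all.size(); from += MAX_IN_LIST) {
      List<Long> chunk = all.subList(from, Math.min(from + MAX_IN_LIST, all.size()));
      String sql = "DELETE FROM Users WHERE id IN (" + placeholders(chunk.size()) + ")";
      try (PreparedStatement ps = con.prepareStatement(sql)) {
        for (int i = 0; i < chunk.size(); i++) {
          ps.setLong(i + 1, chunk.get(i)); // JDBC parameter indexes are 1-based
        }
        ps.executeUpdate();
        statements++;
      }
    }
    return statements;
  }
}
```

An empty collection sends no statement at all, and every id travels as a bound parameter, so the round-trip saving does not come at the price of string-built SQL.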
Re: DataSourceSecurityFilter and Client/Serversession [message #1609774 is a reply to message #1609629]
Tue, 10 February 2015 10:30
Hello Florian,
thanks for the reply.
Florian Widmer wrote on Tue, 10 February 2015 08:30:
My solution arose from an authentication that is based on single sign-on based on an encrypted URL.
This is something I will have to implement too. At least something similar. My application will be called from another webpage, via some encoded URL. Based on this URL I will call a webservice from the calling web application in order to get user credentials and so on.
Did you set a special URL Filter as well?
Peter
Re: DataSourceSecurityFilter and Client/Serversession [message #1610069 is a reply to message #1609968]
Tue, 10 February 2015 14:32
Florian Widmer
Hi Peter,
I can't go into detail about the encryption, but here's the servlet filter in a somewhat abbreviated form. The retrieval should work as I described above, as well as the Principal.
Unfortunately this is with a quite antiquated version of Scout, so I can't guarantee that all the API and plugin.xml references are still the same.
I think the detail to notice is that the extension point is the equinox one and not from scout.
Cheers,
Florian
MyServletFilter
public class MyServletFilter extends AbstractChainableSecurityFilter {
  (...) //fields and some methods to check timestamp, translate internal state

  protected enum AuthenticationState {
    USER_AUTHENTICATED, ACCESS_DENIED, SERVER_ERROR
  }

  @Override
  protected int negotiate(HttpServletRequest req, HttpServletResponse resp, final PrincipalHolder holder) throws IOException, ServletException {
    final String token = req.getParameter(TOKEN_STRING);
    AuthenticationState result = authenticate(holder, token);
    return getFinalResult(result, req, resp); //translation from internal states to integer as expected by API
  }

  private AuthenticationState authenticate(final PrincipalHolder holder, final String token) {
    if (token == null) {
      return AuthenticationState.ACCESS_DENIED;
    } else {
      return authenticateUsingToken(token, holder);
    }
  }

  private AuthenticationState authenticateUsingToken(String token, PrincipalHolder holder) {
    AuthenticationBean bean;
    try {
      bean = extractAuthenticationBean(token);
    } catch (MyException e) {
      return AuthenticationState.SERVER_ERROR;
    }
    if (checkTimestamp(bean)) {
      // Get username and create principal
      if (!StringUtility.isEmpty(bean.getUserName())) {
        holder.setPrincipal(new MyPrincipal(bean));
        return AuthenticationState.USER_AUTHENTICATED;
      }
    }
    return AuthenticationState.ACCESS_DENIED;
  }
}

Plugin.xml
<extension point="org.eclipse.equinox.http.registry.filters">
  <filter alias="/app" class="package.MyServletFilter">
    <init-param name="filter-priority" value="100" />
  </filter>
</extension>

config.ini
package.MyServletFilter#realm=REALM
package.MyServletFilter#active=true
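A stand-in for the extractAuthenticationBean() and checkTimestamp() steps that the filter above leaves out, as an added example and not Florian's code. It assumes a constructed token format (user name plus issue timestamp, protected by HMAC-SHA256 under a key shared with the calling web application; the thread does not describe the real format) and checks integrity before freshness, so an expired or forged token never yields a Principal.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not the poster's code: a stand-in for extractAuthenticationBean() plus checkTimestamp().
 * Constructed token format: base64url(userName ":" issuedAtMillis) "." base64url(HMAC-SHA256 over that
 * payload), keyed with a secret shared with the calling web application (an assumption, not the real format).
 */
public final class TokenVerifier {
  /** Returns the authenticated user name, or null when the token is malformed, forged or older than maxAgeMillis. */
  static String verify(String token, byte[] key, long maxAgeMillis, long nowMillis) {
    int dot = token == null ? -1 : token.indexOf('.');
    if (dot <= 0 || dot == token.length() - 1) return null;
    byte[] payload, mac;
    try {
      payload = Base64.getUrlDecoder().decode(token.substring(0, dot));
      mac = Base64.getUrlDecoder().decode(token.substring(dot + 1));
    } catch (IllegalArgumentException e) {
      return null; // not base64url
    }
    // Integrity first, compared in constant time: nothing in the payload is trusted until the MAC matches.
    if (!MessageDigest.isEqual(hmac(key, payload), mac)) return null;
    String text = new String(payload, StandardCharsets.UTF_8);
    int sep = text.lastIndexOf(':');
    if (sep <= 0) return null; // missing user name or timestamp
    long issuedAt;
    try { issuedAt = Long.parseLong(text.substring(sep + 1)); } catch (NumberFormatException e) { return null; }
    long age = nowMillis - issuedAt;
    if (age < 0 || age > maxAgeMillis) return null; // stale, or dated in the future (no skew allowance here)
    return text.substring(0, sep);
  }
  /** Issuer side (the calling web application), included only to make the example self-contained. */
  static String issue(String userName, byte[] key, long issuedAtMillis) {
    byte[] payload = (userName + ":" + issuedAtMillis).getBytes(StandardCharsets.UTF_8);
    Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
    return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(key, payload));
  }
  private static byte[] hmac(byte[] key, byte[] data) {
    try {
      Mac m = Mac.getInstance("HmacSHA256");
      m.init(new SecretKeySpec(key, "HmacSHA256"));
      return m.doFinal(data);
    } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
  }
}
```

In the filter above, a null return maps to ACCESS_DENIED, and only a non-null user name reaches holder.setPrincipal(); whether a token with a valid MAC but a timestamp outside the window is logged as a replay attempt is a policy choice the thread leaves open.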