HISPACTA Hell

Tuesday, April 18, 2006

Moving the Acegi AuthenticationManager to a web service

Setting up Acegi to secure a local Tapestry application is tough enough...but it doesn't gain you too much. You need to provide a remote, centralized source of authentication for your web apps to be at all consistent.

Note that I haven't even looked at CAS yet as an option, so this is perhaps wasted effort. Nonetheless, here's what I did to pull the Acegi AuthenticationProvider code out of the GUI and into a remote web service.

Step 1) Go to the application-context.xml of your web service and add the following Acegi configuration information. (Remove this info from the application-context-acegi.xml in your Tapestry app.)

<!-- ========================================================= -->
<!-- ACEGI Security (Authentication Provider) -->
<!-- ========================================================= -->
<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
        <ref local="inMemoryDaoImpl"/>
    </property>
</bean>

<bean id="passwordEncoder"
      class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>

<bean id="inMemoryDaoImpl"
      class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            tom=tvaughan,ROLE_USER,ROLE_INTERNAL,ROLE_SYSTEM_ADMIN
            sue=stillery,ROLE_USER,ROLE_INTERNAL,ROLE_SYSTEM_ADMIN
            carlos=cfernandez,ROLE_USER,ROLE_INTERNAL,ROLE_USER_ADMIN
            joel=jmoeller,ROLE_USER,ROLE_INTERNAL,ROLE_USER_ADMIN
            tony=tgiaccone,ROLE_USER,ROLE_INTERNAL,ROLE_SERVICE_LIST_ADMIN
            jack=jrodriguez,ROLE_USER,ROLE_INTERNAL,ROLE_INVESTIGATION_ADMIN
            walter=wkelly,ROLE_USER,ROLE_INTERNAL,ROLE_INVESTIGATION_MGR
            joeexternal=password,ROLE_SUBMITTER
            anonymous=anonymous,
        </value>
    </property>
</bean>

<bean id="anonymousAuthenticationProvider"
      class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key"><value>foobar</value></property>
</bean>


Step 2) Export the Authentication Manager as a web service by editing the remote-servlet.xml and adding these lines:

<bean name="/edis-authentication-manager"
      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="authenticationManager"/>
    <property name="serviceInterface">
        <value>org.acegisecurity.AuthenticationManager</value>
    </property>
</bean>


Step 3) There's a client context file managed within the web service project that the client gets as part of the client jar. In this project, the context file we package in the client jar is called edis3-ws-client-context.xml. Edit that file so the client knows about the web service; this also matters because the client's Acegi configuration will need to reference the bean defined in this client context file.

<bean id="authenticationManager"
      class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
    <property name="serviceUrl">
        <value>$WS{PROTOCOL}://$WS{HOST}:$WS{PORT}/edis3-ws/remote/edis-authentication-manager</value>
    </property>
    <property name="serviceInterface">
        <value>org.acegisecurity.AuthenticationManager</value>
    </property>
</bean>


Step 4) Ok...finally on to the client. From step 1, you should have removed all the Acegi configuration information from the application-context-acegi.xml file. Now update that file to point to the beans that are exported and defined via the client-context.xml we updated in step 3.

The only modification I had to make was to this line in the basicProcessingFilter and authenticationProcessingFilter definitions:

OLD

<property name="authenticationManager">
    <ref local="authenticationManager"/>
</property>


NEW

<property name="authenticationManager">
    <ref bean="authenticationManager"/>
</property>
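As an added example (not code from the original post), here is a small client that calls the manager through the HttpInvoker proxy from step 3 and shows how the remote result, granted authorities or an AuthenticationException, should be handled. The class name RemoteAuthCheck and its main() are my own; the bean name, context file and users come from the steps above.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;

/**
 * Drives the AuthenticationManager proxy defined in edis3-ws-client-context.xml.
 * Every authenticate() call is an HttpInvoker round trip carrying the username
 * and password, so $WS{PROTOCOL} must resolve to https or they cross the wire
 * in clear text.
 */
public class RemoteAuthCheck {

    /** Granted role names for the user, or null when the credentials are rejected. */
    static String[] rolesFor(AuthenticationManager manager, String user, String password) {
        Authentication request = new UsernamePasswordAuthenticationToken(user, password);
        // A org.springframework.remoting.RemoteAccessException (service unreachable)
        // is deliberately NOT caught: an unreachable authentication service must
        // surface as an error, never as "bad password" and never as a success.
        try {
            Authentication result = manager.authenticate(request);
            GrantedAuthority[] granted = result.getAuthorities();
            String[] roles = new String[granted.length];
            for (int i = 0; i < granted.length; i++) {
                roles[i] = granted[i].getAuthority();
            }
            return roles;
        } catch (AuthenticationException e) {
            // Bad credentials, locked or disabled account: fail closed, grant nothing.
            return null;
        }
    }

    public static void main(String[] args) {
        ApplicationContext ctx =
            new ClassPathXmlApplicationContext("edis3-ws-client-context.xml");
        AuthenticationManager manager =
            (AuthenticationManager) ctx.getBean("authenticationManager");

        // Users taken from the inMemoryDaoImpl userMap in step 1.
        String[] roles = rolesFor(manager, "joeexternal", "password");
        System.out.println("joeexternal -> "
            + (roles == null ? "rejected" : java.util.Arrays.asList(roles)));
        roles = rolesFor(manager, "joeexternal", "wrong");
        System.out.println("bad password -> " + (roles == null ? "rejected" : "ACCEPTED (bug!)"));
    }
}
```

Note that the first call succeeds with the literal password because the step 1 config defines the Md5PasswordEncoder bean but never injects it into daoAuthenticationProvider, so the userMap passwords are compared as plain text; wiring it requires setting that provider's passwordEncoder property and storing MD5 digests in the userMap instead.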
