Not sure, do you have any ideas what the AsyncDispatcher does to make an
InheritedThreadLocal (which is how Spring makes the SecurityContext
information available) inaccessible in the Service and even the Errai
Authentication Adapter?
From: Mike Brock [mailto:cbrock at redhat.com]
Sent: Thursday, February 18, 2010 12:53 PM
To: Kevin Jordan
Cc: 'Heiko Braun'; errai-users at lists.jboss.org
Subject: Re: [errai-users] Errai Authentication
Do you have any ideas as to what we could do to make it easier?
On 2010-02-18, at 1:29 PM, Kevin Jordan wrote:
It's already in the session, but I'm not sure that gets around the problem
of letting anything Errai makes a call to have that information too.
From: Mike Brock [mailto:cbrock at redhat.com]
Sent: Thursday, February 18, 2010 12:17 PM
To: Kevin Jordan
Cc: 'Heiko Braun'; errai-users at lists.jboss.org
Subject: Re: [errai-users] Errai Authentication
Is it possible to put the SecurityContext in the session, than then use a
custom SessionProvider to inject that context into Errai's QueueSession?
On 2010-02-18, at 1:04 PM, Kevin Jordan wrote:
I think DefaultBlockingServlet would work since it's not a CometProcessor.
However, at least in Jetty and I think it was this way in Tomcat as well,
the AsyncDispatcher removes my SecurityContext from the current thread so
I'm no longer able to access my user's authentication information, even
though I have it set to go into child threads.
I'm not happy with the solution, but have to do what I can right now to make
forward progress. We won't have many users on right now since it's still in
development so we're not quite worried about not having AsyncDispatcher
right now.
My feeling is that Errai should be able to take advantage of any existing
login mechanisms and not remove any contexts from the existing thread if
possible since Spring Security also provides authorization mechanisms that
might be used outside of an Errai service, or even within it.
From: Heiko Braun [mailto:myownwastebin at googlemail.com]
Sent: Thursday, February 18, 2010 10:21 AM
To: Kevin Jordan
Cc: 'Mike Brock'; errai-users at lists.jboss.org
Subject: Re: [errai-users] Errai Authentication
hm, doesn't sound like an easy thing todo.
If running with the default blocking servlet, would that prevent it from
breaking spring security?
or is it related to the async dispatcher?
are you happy with the solution?
/heiko
On Feb 18, 2010, at 5:14 PM, Kevin Jordan wrote:
Well, I solved my issue with this, although it wasn't easy. I ended up
switching to Jetty. The problem was two things, Spring Security isn't
capable of protecting comet connections on Tomcat since it doesn't have a
filter that implements CometFilter. Switching to Jetty fixed this since it
doesn't have any such thing. Also, the AsyncDispatcher will likely
interrupt Spring Security's SecurityContext since I had to disable that on
Jetty.
From: Kevin Jordan [mailto:kevin.jordan at xteconline.com]
Sent: Thursday, February 11, 2010 4:34 PM
To: 'Mike Brock'
Cc: 'errai-users at lists.jboss.org'
Subject: RE: [errai-users] Errai Authentication
What is it that makes it not possible for me to do this? I assume that
another Thread is spawned for the @Service since the POST that executes it
is able to close. Why am I not able to access the parent thread data (i.e.
the web server thread where the Spring Security data lives) via an
InheritedThreadLocal?
From: Mike Brock [mailto:cbrock at redhat.com]
Sent: Thursday, February 11, 2010 11:49 AM
To: Kevin Jordan
Cc: errai-users at lists.jboss.org
Subject: Re: [errai-users] Errai Authentication
Ah yes, that's definitely a bug. I'll fix that immediately (rules not
being applied to RPC endpoints).
I'll think about what I can do with the SessionProvider stuff to make it
easier to expose these things as needed.
Mike.
On 2010-02-11, at 12:27 PM, Kevin Jordan wrote:
Yes. I was trying to avoid having to pass the username to the server when
it should already know it.
And actually I guess @RequiredAuthentication might be working, just on a
regular @Service implementing MessageCallback, but not for RPC.
From: Mike Brock [mailto:cbrock at redhat.com]
Sent: Thursday, February 11, 2010 10:43 AM
To: Kevin Jordan
Cc: errai-users at lists.jboss.org
Subject: Re: [errai-users] Errai Authentication
You've implemented an AuthenticationAdapter for SpringSecurity?
There's really no way of doing it unless you were to implement your own
SessionProvider... even then you could only copy in information from the
HTTPSession.
Party of the reason we separated these concerns so aggressively was so we
could run ErraiBus in something like Netty... without a Servlet container.
I'm certainly open to ideas as to how we can improve this situation to
satisfy a case like yours.
On 2010-02-11, at 11:29 AM, Kevin Jordan wrote:
Any ideas why I wouldn't be able to access Spring Security information from
inside it? It uses ThreadLocal
(http://java.sun.com/j2se/1.5.0/docs/api/java/lang/ThreadLocal.html?is-exter
nal=true) for access to the session/login information. I also tried making
it use an InheritableThreadLocal
(http://java.sun.com/j2se/1.5.0/docs/api/java/lang/InheritableThreadLocal.ht
ml) holder strategy for the SecurityContext seen below, but it doesn't seem
to be able to get it through that either.
From: Mike Brock [mailto:cbrock at redhat.com]
Sent: Thursday, February 11, 2010 8:16 AM
To: Kevin Jordan
Cc: errai-users at lists.jboss.org
Subject: Re: [errai-users] Errai Authentication
It *should* be enforcing @RequireAuthentication and @RequireRoles ... let me
look into it on my side.
On 2010-02-10, at 1:43 PM, Kevin Jordan wrote:
I'm wondering how authentication works (or is supposed to work) in Errai.
It seems from what I can gather, you're supposed to use doAuthentication in
the SecurityService, however, even if my custom AuthenticationAdapter does
nothing as it currently does (I was curious to see if I could get Spring
Security authentication information using it to pass it on since I can't
seem to in my services, which I can't in there either), but nothing calls
isAuthenticated or anything related to it later on even if I have
@RequireAuthentication or @RequireRoles on my services. In fact, it lets me
call the services even though as far as I think Errai knows, it should have
no authentication principals or roles. Is Authentication incomplete at this
point in time? At this time, I'm not requiring/needing the annotations, but
I do want to get my login information from Spring Security. I would
normally do it in the context of a servlet or jsp as:
try {
SecurityContext context =
SecurityContextHolder.getContext();
Object principal = null;
User user = null;
if (context != null) {
Authentication auth = context.getAuthentication();
if (auth != null) {
principal = auth.getPrincipal();
if (principal instanceof User) {
user = (User) principal;
logger.info(user.getUsername());
} else {
logger.debug("Principal is null or not a
User");
}
} else {
logger.debug("No authentication");
}
} else {
logger.debug("No context");
}
} catch (Exception e) {
logger.error("Error", e);
}
However, that doesn't seem to work, probably because it can't access the
ThreadLocal since I'm assuming most things in Errai, especially services,
get a new Thread? Is there any way for me to access the remote user from
the servlet? I doubt services get a link to the requesting servlet,
correct?
_______________________________________________
errai-users mailing list
errai-users at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/errai-users
_______________________________________________
errai-users mailing list
errai-users at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/errai-users
_______________________________________________
errai-users mailing list
errai-users at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/errai-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/errai-users/attachments/20100218/5374ed00/attachment-0001.html