Authenticate only against custom database

I would like to verify the login username and password using my internal database. I created a custom CubaAuthProvider and registered it in web-app.properties and it seems to work.


cuba.web.externalAuthentication = true
cuba.web.externalAuthenticationProviderClass = com.company.tasek.web.MyAuthProvider

But I noticed that I can also log in using the password created in the CUBA Administration screen, not just the one from my internal database. How do I stop this and only validate against my internal database?

This is my custom AuthProvider.


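import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.auth.CubaAuthProvider;

import javax.inject.Inject;
import javax.servlet.*;
import java.io.IOException;
import java.util.Locale;
import java.util.logging.Logger;
// Import for AuthenticationService omitted: its package is not shown in the post.

public class MyAuthProvider implements CubaAuthProvider {
    private static final Logger LOG = Logger.getLogger(MyAuthProvider.class.getName());

    @Inject
    private AuthenticationService authenticationService;

    @Override
    public void authenticate(String login, String password, Locale messagesLocale) throws LoginException {
        // Log only the login name; the password must never be written to the log.
        LOG.info("Authenticating: " + login);

        // Delegate the credential check to the service backed by the internal database.
        authenticationService.authenticate(login, password, messagesLocale);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // No request filtering is needed; pass the request down the chain.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}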

Hi,

I do not recommend disabling the fall-back on default authentication, because some day you will need to log in to your system to fix some problem and you will not be able to do it if your external auth is inaccessible.

Instead of disabling default authentication you can just set passwords for your non-privileged users to null; that will disable default authentication for these users.

You cannot set the password for a user to null using the standard UI of CUBA, but you can do it using a custom action or by extending the UserEditor screen. Password is not a mandatory attribute; for instance, the anonymous user has a null password to prevent login as anonymous from LoginWindow.

If you really want to disable default authentication, you can create an extended Login window using Studio: Screens - Create login window. Then override the doLogin method in your ExtAppLoginWindow:


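import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.app.loginwindow.AppLoginWindow;
import java.util.Locale;

public class ExtAppLoginWindow extends AppLoginWindow {
    @Override
    protected void doLogin(String login, String password, Locale locale) throws LoginException {
        // Reject every attempt that reaches the default login path.
        throw new LoginException("Unable to login");
    }
}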
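
The "set passwords to null" approach from the answer above could be scripted as follows. This is an added example, not part of the original posts or of CUBA itself; the bean name `BuiltInPasswordCleaner`, its package, and the `BREAK_GLASS` allowlist are assumptions made for illustration.

```java
package com.company.tasek.security; // hypothetical package

import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.LoadContext;
import com.haulmont.cuba.core.global.View;
import com.haulmont.cuba.security.entity.User;
import org.springframework.stereotype.Component;

import javax.inject.Inject;
import java.util.Collections;
import java.util.Set;

// Hypothetical helper bean: clears the built-in password of every user
// except an explicit allowlist of emergency accounts.
@Component("tasek_BuiltInPasswordCleaner")
public class BuiltInPasswordCleaner {

    // Assumption: "admin" keeps its built-in password so an operator can still
    // log in when the internal database used for external auth is unreachable.
    private static final Set<String> BREAK_GLASS = Collections.singleton("admin");

    @Inject
    private DataManager dataManager;

    /** Returns the number of users whose built-in password was cleared. */
    public int clearBuiltInPasswords() {
        // Users that already have a null password (such as anonymous) are skipped by the query.
        LoadContext<User> ctx = LoadContext.create(User.class)
                .setQuery(LoadContext.createQuery(
                        "select u from sec$User u where u.password is not null"))
                .setView(View.LOCAL);

        int changed = 0;
        for (User user : dataManager.loadList(ctx)) {
            if (BREAK_GLASS.contains(user.getLogin())) {
                continue; // emergency account keeps default authentication
            }
            user.setPassword(null); // per the answer, a null password disables default auth for this user
            dataManager.commit(user);
            changed++;
        }
        return changed;
    }
}
```

Running it again after new users are created keeps the built-in password path closed for them as well; the allowlisted account should have a strong, separately stored password.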

How could I proceed if I want to disable Admin and Anonymous and enable only another user (let's say John with Admin rights and Doe with standard rights)?