I am trying to implement my own CubaAuthProvider.
It is not some standard protocol like LDAP, OAuth, etc., so I can use only the doFilter method to authenticate users.
I know how to check whether a user is valid, but I can't see what to do to authenticate the user inside CUBA:
```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import com.haulmont.cuba.web.auth.CubaAuthProvider;

public class CustomAuthProvider implements CubaAuthProvider {
    ...
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // the filter only ever sees HTTP traffic, so the cast is safe here
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (isAuthenticationRequest(httpRequest)) {
            // WHAT TO WRITE HERE FOR CUBA TO UNDERSTAND THAT THE USER IS AUTHENTICATED NOW?
        }
    }

    private boolean isAuthenticationRequest(ServletRequest request) {
        // Some logic here. Not important for the question.
    }
}
```
I recommend that you examine the com.haulmont.cuba.web.auth.IdpAuthProvider implementation, where we authenticate the user in doFilter and, if a request is authenticated, wrap the HttpServletRequest into an IdpServletRequestWrapper with a Principal.
CUBA uses this principal to perform the login on page opening: com.haulmont.cuba.web.DefaultApp#loginOnStart
So, in your case, in the // WHAT TO WRITE HERE section you have to call chain.doFilter with a wrapped request that has a Principal. The Principal's name will be used as the CUBA user login.
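The pattern the answer describes, written out as an added example (this is not CUBA's or IdpAuthProvider's code, and it is not the original poster's): the filter verifies an externally issued cookie, and on success hands the login to CUBA by wrapping the request so that getUserPrincipal() returns it, then calls chain.doFilter. The cookie name EXT_AUTH, its `login.expiry.signature` layout, the shared HMAC secret and the PrincipalRequestWrapper class are all assumptions made up for the example; the remaining CubaAuthProvider methods are omitted as in the question. The expiry field is included so that an expired or tampered cookie simply yields no Principal, which is the point where the later question about expiry is decided.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.haulmont.cuba.web.auth.CubaAuthProvider;

public class CustomAuthProvider implements CubaAuthProvider {
    // Constructed for this example: cookie value is <login>.<expiryEpochSeconds>.<base64url HMAC>
    // (logins containing '.' would need a different separator).
    private static final String COOKIE_NAME = "EXT_AUTH";
    private final byte[] secret;   // assumption: shared with whatever issues the cookie

    public CustomAuthProvider(byte[] secret) {
        this.secret = secret.clone();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String login = loginFromSignedCookie(httpRequest, Instant.now().getEpochSecond());
        if (login == null) {
            // Not (or no longer) authenticated: the question's "manipulations and redirections"
            // belong here. The example simply lets the request continue without a Principal.
            chain.doFilter(request, response);
            return;
        }
        // Authenticated: CUBA takes getUserPrincipal().getName() as the user login on page open
        // (com.haulmont.cuba.web.DefaultApp#loginOnStart, as the answer above points out).
        chain.doFilter(new PrincipalRequestWrapper(httpRequest, login), response);
    }

    /** Returns the login carried by a valid, unexpired cookie, or null. */
    String loginFromSignedCookie(HttpServletRequest request, long nowEpochSeconds) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return verify(c.getValue(), nowEpochSeconds);
            }
        }
        return null;
    }

    /** Checks the HMAC first, then the expiry; any defect means "not authenticated". */
    String verify(String value, long nowEpochSeconds) {
        String[] parts = value.split("\\.");
        if (parts.length != 3) return null;
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so a forged signature cannot be refined byte by byte.
        if (!MessageDigest.isEqual(given, hmac(parts[0] + "." + parts[1]))) return null;
        long expires;
        try {
            expires = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        return expires > nowEpochSeconds ? parts[0] : null;
    }

    /** What the cookie issuer writes: login, expiry, and an HMAC over both. */
    String issue(String login, long expiresEpochSeconds) {
        String payload = login + "." + expiresEpochSeconds;
        return payload + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Exposes the verified login as the request's Principal, which is all CUBA needs. */
    static final class PrincipalRequestWrapper extends HttpServletRequestWrapper {
        private final Principal principal;

        PrincipalRequestWrapper(HttpServletRequest request, String login) {
            super(request);
            this.principal = () -> login;   // java.security.Principal has the single method getName()
        }

        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
    }
}
```

The login is never taken from the cookie on its own: only the combination of a valid signature and an unexpired timestamp produces a Principal, so nothing that reaches DefaultApp#loginOnStart can be a forged or stale value.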
> I cannot get the security context [AppContext.getSecurityContext() equals null].
It is a normal situation. You have to set (and clear, which is performed automatically if withSecurityContext is called) the SecurityContext each time you want to access the middleware from an HttpFilter.
Ok. I can save isAuthenticated=true in a session bean. But then how do I know whether the authentication has expired? Or whether the user signed out, so that I can set isAuthenticated=false there?
IdpAuthProvider#doFilter does the same logic you have described. It redirects the user to an external login page and, if the user is already logged in, it just calls doFilter with authenticatedRequest. In our case, when the external IDP session has expired, the IDP server sends a request to our server with the session Id and we simply kill the user session on the middleware; it is enough to show a special NoUserSession dialog to the user on the next request to the middleware from the UI. We do not check the session lifetime on each request in IdpAuthProvider.
[If the user is not authenticated] Do some manipulations and redirections. After them I have a request from the user's browser with a cookie. By the cookie I get com.haulmont.cuba.security.entity.User and want to proceed with authentication for this user in the CUBA app, as if he had authenticated by login/password from the login form. Then redirect the user to the root page.
[If the user is authenticated] I would prefer to do nothing: just let the user do what he can do as if he had authenticated by login/password from the login form. But as you mentioned earlier, I cannot do nothing and have to set the securityContext by hand.
Ideally, by analogy with Spring Security, I want to have the same effect as returning Authentication != null from an AuthenticationProvider, and to do the "manipulations and redirections" from an implementation of AbstractAuthenticationProcessingFilter. I don't want to change the standard SecurityContextRepository or think about holding the security context by sessions.
I am trying to go with a custom SessionHolder. How can I get the JSESSIONID in CubaAuthProvider#logout?
Possibly the real question is different: what request [url+method] is used on logout? Then I'll add the logout logic to doFilter. Is this URL always the same, or could it change in the future / by configuration?