Authenticator for multiple authentication schemes


Fabian Mandelbaum
Hello there,

our Restlet-based application needs to have users authenticated using both cookies and http basic (hopefully to be switched to digest soon) authentication (Actually it's either cookies or http auth, but see below for auth flow). We also use our own verifier storing credentials on JCR and set it as the defaultVerifier() for the app's context in createInboundRoot().

I've seen that the ChallengeAuthenticator class only accepts one authentication method on its constructor so, a priori, one cannot have a Guard that uses more than one auth method.

The authentication workflow with the Guard/Authenticator our app needs would be something like this:

1) If cookie is present, verify it
2) if cookie verification passes, all OK, continue processing request
3) if cookie verification fails, use HTTP authentication

Is this possible with Restlet 2.1?

I'd appreciate any guide/pointer/idea you may have. Thanks in advance.

--
Fabián Mandelbaum
IS Engineer
Re: Authenticator for multiple authentication schemes

Tim Peierls
It should be possible to chain two different Authenticator instances, with optional = true on the first, and multiAuthenticating = false on the second. If the first one succeeds, the second should see ClientInfo.isAuthenticated() == true and bypass its operation. If the first one fails, the second one sees ClientInfo.isAuthenticated() == false and does not bypass its operation. 

But before you try that, consider using CookieAuthenticator -- much of the implementation is parameterized and/or overridable.


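The chaining described in the reply above, wired up in createInboundRoot() as an added example (not code from the thread or from the Restlet project). It assumes Restlet 2.2 with the org.restlet.ext.crypto extension on the classpath; the class name, realm string and constructor parameters are hypothetical.

```java
import org.restlet.Application;
import org.restlet.Restlet;
import org.restlet.data.ChallengeScheme;
import org.restlet.ext.crypto.CookieAuthenticator;
import org.restlet.routing.Router;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.security.Verifier;

public class DualAuthApplication extends Application {
    private static final String REALM = "example-realm"; // constructed value

    private final Verifier verifier; // the application's own credential verifier
    private final byte[] cookieKey;  // 16-byte secret that encrypts the credentials cookie

    public DualAuthApplication(Verifier verifier, byte[] cookieKey) {
        this.verifier = verifier;
        this.cookieKey = cookieKey.clone();
    }

    @Override
    public Restlet createInboundRoot() {
        Router guarded = new Router(getContext());
        // Attach the protected resources to 'guarded' here.

        // Second in the chain: HTTP Basic, mandatory (optional = false).
        // With multiAuthenticating = false it is bypassed when
        // ClientInfo.isAuthenticated() is already true, and otherwise
        // verifies the Authorization header or answers 401 with a challenge.
        ChallengeAuthenticator httpAuth = new ChallengeAuthenticator(
                getContext(), false, ChallengeScheme.HTTP_BASIC, REALM);
        httpAuth.setVerifier(verifier);
        httpAuth.setMultiAuthenticating(false);
        httpAuth.setNext(guarded);

        // First in the chain: cookie, optional (optional = true), so a
        // missing or invalid cookie does not end the request; it is passed
        // on, still unauthenticated, to the mandatory HTTP Basic stage.
        CookieAuthenticator cookieAuth = new CookieAuthenticator(
                getContext(), true, REALM, cookieKey);
        cookieAuth.setVerifier(verifier);
        cookieAuth.setNext(httpAuth);

        // Requests enter at the cookie stage:
        // cookieAuth -> httpAuth -> guarded resources
        return cookieAuth;
    }
}
```

Only the first authenticator may be optional: the last stage before the guarded router has to be mandatory, otherwise a request that fails both checks reaches the resources unauthenticated.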

Re: Authenticator for multiple authentication schemes

Tim Peierls
Not sure how much of this works in Restlet 2.1 -- I use CookieAuthenticator successfully with Restlet 2.2.


Re: Authenticator for multiple authentication schemes

Fabian Mandelbaum
Hello Tim,

thanks for your answers.

I've tried, using the example in the Restlet IN ACTION book as a guide, what you proposed, the two chained authenticators, and it does not work.

I've chained them like this:

cookieauth -> httpauth -> guarded_resources

I'll test with Restlet 2.2 today, though I don't know if we can switch our stable project to the still unstable Restlet 2.2...

BTW, Restlet ppl, any idea on when 2.2 will become 'final'? The roadmap page on the Restlet website states Q3 2013... and that's about 3 months ago now...

Thanks.


Re: Authenticator for multiple authentication schemes

Fabian Mandelbaum
Hello there,

I've updated to Restlet 2.2-M6, replaced my HTTP Basic Guard with CookieAuthenticator, and when trying to access a guarded resource, instead of the login dialog I got HTTP 401 and this in the logs:

2014-01-03 11:25:24 0:0:0:0:0:0:0:1%0 - 0:0:0:0:0:0:0:1%0 9000 GET /res/dojo-release/dijit/themes/claro/images/tooltipGradient.png - 200 - 0 6 http://localhost:9000 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 http://localhost:9000/res/dojo-release/dijit/themes/claro/claro.css

2014-01-03 11:25:25 0:0:0:0:0:0:0:1%0 - 0:0:0:0:0:0:0:1%0 9000 GET /workspaces/ - 401 424 0 http://localhost:9000 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 http://localhost:9000/

Challenge scheme HTTP_Cookie not supported by the Restlet engine.

2014-01-03 11:25:25 0:0:0:0:0:0:0:1%0 - 0:0:0:0:0:0:0:1%0 9000 GET /favicon.ico - 401 424 0 http://localhost:9000 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 -

Challenge scheme HTTP_Cookie not supported by the Restlet engine.

2014-01-03 11:25:25 0:0:0:0:0:0:0:1%0 - 0:0:0:0:0:0:0:1%0 9000 GET /favicon.ico - 401 424 0 http://localhost:9000 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0 -

Challenge scheme HTTP_Cookie not supported by the Restlet engine.

What's going on? What am I doing wrong?

Thanks in advance for your help.




Re: Authenticator for multiple authentication schemes

Tim Peierls
Looking at older conversations about this, it might be a failure to override the login form path. Failing that, I can only offer examples of what works for me.

I had to extend CookieAuthenticator to provide standard challenge behavior. I still use this extension (further extended for my purposes), but it might not be necessary any more:


Here's a Restlet application to serve login and logout resources and a login form resource:


LoginFormResource in my case just serves a Freemarker template representation of a login form:


The Freemarker template is something like this:


HTH


Re: Authenticator for multiple authentication schemes

Rajavelu
This post has NOT been accepted by the mailing list yet.
In reply to this post by Tim Peierls
Hi Tim Peierls!

I tried to send HTTP parameters via the POST method as follows:

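import java.io.DataOutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

String urlParameters = "param1=testing";
String request = " "; // target URL (blank in the post)
URL url = new URL(request);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setDoOutput(true); // required before getOutputStream() can be used
connection.setRequestMethod("POST");
// Declare the body as URL-encoded form data so the server can parse it as a form
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
connection.setRequestProperty("charset", "utf-8");
connection.setRequestProperty("Content-Length", Integer.toString(urlParameters.getBytes().length));
DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
wr.writeBytes(urlParameters);
wr.flush();
wr.close();
int status = connection.getResponseCode(); // completes the exchange and reads the status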


In my CookieAuthenticator file, request.getResourceRef().getQueryAsForm() gives [].
How can I get parameters from the HTTP POST method?

Thanks in advance.