Mobilefirst 7.0 protecting a Java Adapter fails with Custom Authenticator

Submitted by 点点圈 on 2020-01-17 05:16:07

Question


I'm following and using the sample code from Custom Authenticator and Login Module and UserAdapter from Java SQL Adapter.

I want to get the user list after authenticated.

My configuration of the authenticationConfig.xml file:

<realms>
    <realm loginModule="CustomLoginModule" name="CustomAuthenticatorRealm">
        <className>com.mypackage.MyCustomAuthenticator</className>
    </realm>
</realms>

<loginModules>
    <loginModule name="CustomLoginModule">
        <className>com.mypackage.MyCustomLoginModule</className>
    </loginModule>
</loginModules>

My configuration of the Java adapter, UserAdapterResource.java file:

@GET
@Produces("application/json")
@OAuthSecurity(scope="CustomAuthenticatorRealm")
public Response getAllUsers() throws SQLException{
    JSONArray results = new JSONArray();
    // try-with-resources closes the connection, statement and result set
    // even when executeQuery() throws, instead of only on the success path
    try (Connection con = ds.getConnection();
         PreparedStatement getAllUsers = con.prepareStatement("SELECT * FROM users");
         ResultSet data = getAllUsers.executeQuery()) {
        while(data.next()){
            JSONObject item = new JSONObject();
            item.put("userId", data.getString("userId"));
            item.put("firstName", data.getString("firstName"));
            item.put("lastName", data.getString("lastName"));
            // note: this returns the stored password to every caller of the endpoint
            item.put("password", data.getString("password"));

            results.add(item);
        }
    }

    return Response.ok(results).build();
}

But when I invoke the procedure above on the client side, it still returns a response without requiring authentication, while it should show a login module.


Answer 1:


From your code you only have a challenge handler for the CustomAuthenticatorRealm realm. Why not update your adapter and protect it with that same realm instead of using myRealm?

Updated UserAdapterResource.java skeleton:

@Path("/")
public class UserAdapterResource {
    // ... 

    @POST
    @OAuthSecurity(scope="CustomAuthenticatorRealm")
    public Response createUser(@FormParam("userId") String userId, 
                                @FormParam("firstName") String firstName, 
                                @FormParam("lastName") String lastName, 
                                @FormParam("password") String password) 
                                        throws SQLException{
        // ...
    }

    @GET
    @Produces("application/json")
    @Path("/{userId}")
    public Response getUser(@PathParam("userId") String userId) throws SQLException{
        // ...
    }

    @GET
    @Produces("application/json")
    @OAuthSecurity(scope="CustomAuthenticatorRealm")
    public Response getAllUsers() throws SQLException{
        // ...
    }

    // it's a good practice to protect this operation
    @PUT
    @Path("/{userId}")
    @OAuthSecurity(scope="CustomAuthenticatorRealm")
    public Response updateUser(@PathParam("userId") String userId, 
                                @FormParam("firstName") String firstName, 
                                @FormParam("lastName") String lastName, 
                                @FormParam("password") String password) 
                                        throws SQLException{
        // ...

    }

    // it's a good practice to protect this operation
    @DELETE
    @Path("/{userId}")
    @OAuthSecurity(scope="CustomAuthenticatorRealm")
    public Response deleteUser(@PathParam("userId") String userId) throws SQLException {
        // ...
    }

}

With these changes, when the application launches it will show the login form to authenticate before showing the list of users.

UPDATE:

The Java Adapter protection is using OAuth and so the MobileFirst server issues a token for authentication. This token has a lifespan with an expiration. Logging out of a realm doesn't affect the token.

One way to implement this based on your needs is to decrease the TTL (time to live) of your token to something like 10 or 15 seconds (or whatever you want). You can do this by setting the expirationInSeconds attribute in your login module inside authenticationConfig.xml.

authenticationConfig.xml:

    <!-- token will expire 10 seconds after being issued -->
    <loginModule name="CustomLoginModule" expirationInSeconds="10">
        <className>com.mypackage.MyCustomLoginModule</className>
    </loginModule>

If 10 seconds have passed since the app connected to the server via adapter invocation or any other method then the user will need to reauthenticate.
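A fuller version of the protected resource, written here as an added example (it is neither the asker's nor the answerer's code, and not IBM's UserAdapter sample). It keeps the realm name and JAX-RS layout from the answer but puts @OAuthSecurity on the class so no method can be left unprotected by omission, selects only the columns a caller should see (no password column), binds the path parameter instead of concatenating it, and closes JDBC resources with try-with-resources. Assumptions: the import paths for JSONArray/JSONObject and OAuthSecurity are those used by the MobileFirst 7.0 Java-adapter samples, class-level @OAuthSecurity is honoured by the adapter runtime, and the data source is bound in JNDI under a placeholder name that must be replaced with the project's own.

```java
package com.mypackage; // assumed to match the package used in authenticationConfig.xml

// Added example, not code from the question, the answer or the MobileFirst samples.
// Import paths below are the ones the MFP 7.0 Java-adapter samples use (assumption).
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;

import com.ibm.json.java.JSONArray;
import com.ibm.json.java.JSONObject;
import com.worklight.core.auth.OAuthSecurity;

@Path("/")
// Class-level protection (assumed supported): every method in this resource
// requires an OAuth token carrying the CustomAuthenticatorRealm scope, so a new
// method cannot accidentally ship unprotected.
@OAuthSecurity(scope = "CustomAuthenticatorRealm")
public class UserAdapterResource {

    // "jdbc/PLACEHOLDER_DS" is a placeholder JNDI name, not a value from the page.
    private static final DataSource ds = lookupDataSource();

    private static DataSource lookupDataSource() {
        try {
            return (DataSource) new InitialContext().lookup("jdbc/PLACEHOLDER_DS");
        } catch (NamingException e) {
            throw new IllegalStateException("data source not bound in JNDI", e);
        }
    }

    // Only the columns a caller may see: the password column is never selected,
    // so it cannot end up in the JSON response.
    private static final String SELECT_USERS =
            "SELECT userId, firstName, lastName FROM users";
    private static final String SELECT_USER =
            "SELECT userId, firstName, lastName FROM users WHERE userId = ?";

    @GET
    @Produces("application/json")
    public Response getAllUsers() throws SQLException {
        JSONArray results = new JSONArray();
        // try-with-resources closes connection, statement and result set even
        // when executeQuery() throws.
        try (Connection con = ds.getConnection();
             PreparedStatement stmt = con.prepareStatement(SELECT_USERS);
             ResultSet data = stmt.executeQuery()) {
            while (data.next()) {
                results.add(toJson(data));
            }
        }
        return Response.ok(results).build();
    }

    @GET
    @Produces("application/json")
    @Path("/{userId}")
    public Response getUser(@PathParam("userId") String userId) throws SQLException {
        // The user-supplied id is bound as a parameter, never concatenated into SQL.
        try (Connection con = ds.getConnection();
             PreparedStatement stmt = con.prepareStatement(SELECT_USER)) {
            stmt.setString(1, userId);
            try (ResultSet data = stmt.executeQuery()) {
                if (!data.next()) {
                    return Response.status(Response.Status.NOT_FOUND).build();
                }
                return Response.ok(toJson(data)).build();
            }
        }
    }

    // Maps the current row to the public representation of a user.
    private static JSONObject toJson(ResultSet data) throws SQLException {
        JSONObject item = new JSONObject();
        item.put("userId", data.getString("userId"));
        item.put("firstName", data.getString("firstName"));
        item.put("lastName", data.getString("lastName"));
        return item;
    }
}
```

With the scope declared once at class level, the realm mismatch in the question (a method protected with one realm while the client only handles challenges for another) is easier to spot, because there is a single place to compare against the realm name in authenticationConfig.xml.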



Source: https://stackoverflow.com/questions/29717407/mobilefirst-7-0-protecting-a-java-adapter-fails-with-custom-authenticator
