Using hst:subjectbasedsession with REST calls and basic authentication

EugTDSC

Jul 29, 2015, 5:51:31 PM7/29/15
to Hippo Community
I have implemented a simple REST call within Hippo and am trying to use the repository-level authorization integration. As per the document here:
when I set hst:subjectbasedsession = true
the REST call appears to work correctly with Hippo FORM authentication, but when I switch to basic authentication the REST call stops working. I am getting the following in the log:

[INFO] [talledLocalContainer] 29.07.2015 15:27:43 WARN  http-nio-8080-exec-3 [HstDelegateeFilterBean.doFilter:412] ContainerException for 'Request{ method='GET', scheme='http', host='localhost:8080', requestURI='/site/restplain/tdrest/getnode', queryString='node=/'}': org.hippoecm.hst.core.container.ContainerException: Failed to create session based on subject. Cause 'javax.jcr.LoginException: Repository credentials for the subject is not found.'

When hst:subjectbasedsession is set back to false the REST call works, but the JCR session isn't created with the credentials from basic authentication.

Any idea why and how I can fix that?

Woonsan Ko

Jul 30, 2015, 3:49:27 PM7/30/15
to hippo-c...@googlegroups.com
Hi,

The hst:subjectbasedsession option is supported by default only when using
form authentication with org.hippoecm.hst.security.servlet.LoginServlet.
It is not supported with Basic authentication or any other method (including
form authentication that does not use the LoginServlet) by default.

I think the document is unclear about this.

If you can use the HST Spring Security Support forge module instead, with
its basic authentication option (BasicAuthenticationFilter), then it
could work.

Let me give you some detail:
when form authentication is used with the LoginServlet, the proxy phase
stores the user credentials temporarily (constant:
ContainerConstants.SUBJECT_REPO_CREDS_ATTR_NAME) and SecurityValve reads
it to set up a Subject for later use, removing the temporary attribute.
This process doesn't happen when using basic authentication provided by
the servlet container, because there's nothing in the middle to capture
the credentials temporarily, and the container wouldn't store the
private login credentials.

If you use Spring Security's basic authentication filter instead, then
it's possible to store the credentials. SpringSecurityValve [1] stores
it by default to make the hst:subjectsession option work.

Regards,

Woonsan

[1] http://hst-springsec.forge.onehippo.org/
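The mechanism Woonsan describes (something in the middle captures the credentials under ContainerConstants.SUBJECT_REPO_CREDS_ATTR_NAME so that SecurityValve can build a Subject from them) can also be reproduced for container-managed Basic authentication with a small servlet filter, without pulling in the Spring Security forge module. The code below is an added example, not code from this thread, from HST or from the forge module. The class name, package and web.xml mapping are made up, and it assumes two things the thread does not state: that SecurityValve reads the attribute from the HttpSession (the scope the LoginServlet proxy phase uses) and that the same user name and password are valid in both the container realm and the repository. Check the SecurityValve source of your HST version before relying on either.

```java
package com.example.hst.security; // hypothetical package, not part of HST

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.jcr.SimpleCredentials;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.hippoecm.hst.core.container.ContainerConstants;

/**
 * Captures HTTP Basic credentials that the servlet container has ALREADY
 * verified and parks them where the LoginServlet proxy phase would have
 * left them, so SecurityValve can build the Subject that
 * hst:subjectbasedsession needs for the repository login.
 *
 * ASSUMPTION (not confirmed by the thread): SecurityValve reads
 * ContainerConstants.SUBJECT_REPO_CREDS_ATTR_NAME from the HttpSession and
 * removes it after building the Subject.
 *
 * Hypothetical web.xml mapping, placed BEFORE the HstFilter mapping:
 *
 *   <filter>
 *     <filter-name>BasicAuthRepoCredentialsFilter</filter-name>
 *     <filter-class>com.example.hst.security.BasicAuthRepoCredentialsFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>BasicAuthRepoCredentialsFilter</filter-name>
 *     <url-pattern>/restplain/*</url-pattern>
 *   </filter-mapping>
 */
public class BasicAuthRepoCredentialsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Only act once the container has authenticated this request with
        // BASIC auth. Never derive a repository login from a raw
        // Authorization header the container has not checked.
        if (request.getUserPrincipal() != null
                && HttpServletRequest.BASIC_AUTH.equalsIgnoreCase(request.getAuthType())) {
            SimpleCredentials creds = parseBasicHeader(request.getHeader("Authorization"));

            // The user name in the header must be the principal the container
            // actually authenticated; otherwise do not store anything.
            if (creds != null && creds.getUserID().equals(request.getUserPrincipal().getName())) {
                HttpSession session = request.getSession(true);
                session.setAttribute(ContainerConstants.SUBJECT_REPO_CREDS_ATTR_NAME, creds);
            }
        }
        chain.doFilter(req, res);
    }

    /** Decodes "Basic base64(user:password)"; returns null for anything else. */
    static SimpleCredentials parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon <= 0) {
            return null; // no user name or no separator
        }
        return new SimpleCredentials(pair.substring(0, colon),
                pair.substring(colon + 1).toCharArray());
    }

    @Override
    public void destroy() { }
}
```

Two caveats a practitioner should weigh before deploying something like this. First, it does exactly what Woonsan notes the container deliberately avoids: it places a plaintext password in the HTTP session, even if only until SecurityValve consumes it, so the site must be served over HTTPS and the session timeout kept short. Second, Basic auth clients that do not return the session cookie will cause a new session (and a new repository login) on every request; if that is your workload, the Spring Security route with SpringSecurityValve, or moving the attribute to request scope if your SecurityValve supports it, is the better fit.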