Authentication


perissf

Sep 4, 2011, 4:55:07 AM
to cometd-users
Ciao Simone
in my very simple setup I currently don't use the client API. I have
set up a basic authenticator and would like to accept all connections
coming from users authenticated through the j_security_check, without
sending authentication details from Dojo (I don't even know how to do
it). However I would like to use cometd authenticator in order to make
the associations between username and ServerSession. My problem is how
to retrieve the username during handshake. Or is there any better
setup than this?

Francesco

Simone Bordet

Sep 4, 2011, 5:18:00 AM
to cometd...@googlegroups.com
Hi,

I am not sure I understand...
To establish a CometD session, you need to send a handshake message,
and this is done via the client API.
It is perhaps possible to implement some incredibly hacky solution via
j_security_check, but I would not recommend that, and I am not even
sure it's possible.

Perhaps you can explain with some more details what you want to do?

Simon
--
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

perissf

Sep 4, 2011, 8:17:09 AM
to cometd-users
Ok.
My app has some web services (a RESTful web service that connects to
the db) and I need security for them. I chose what seemed to me
the "standard" Java solution explained in all tutorials: to create a
realm and to authenticate via j_security_check.
Since the cometd service is necessary to the same users, I don't think
it's necessary to create another authentication level... is it clearer
now?

On Sep 4, 11:18 am, Simone Bordet <sbor...@intalio.com> wrote:
> Hi,
>
> On Sun, Sep 4, 2011 at 10:55, perissf <peri...@gmail.com> wrote:
> > Ciao Simone
> > in my very simple setup I currently don't use the client API. I have
> > set up a basic authenticator and would like to accept all connections
> > coming from users authenticated through the j_security_check, without
> > sending authentication details from Dojo (I don't even know how to do
> > it). However I would like to use cometd authenticator in order to make
> > the associations between username and ServerSession. My problem is how
> > to retrieve the username during handshake. Or is there any better
> > setup than this?
>
> I am not sure I understand...
> To establish a CometD session, you need to send a handshake message,
> and this is done via the client API.
> It is perhaps possible to implement some incredibly hacky solution via
> j_security_check, but I would not recommend that, and I am not even
> sure it's possible.
>
> Perhaps you can explain with some more details what you want to do?
>
> Simon
> --http://bordet.blogspot.com

Simone Bordet

Sep 5, 2011, 10:27:41 AM
to cometd...@googlegroups.com
Hi,

On Sun, Sep 4, 2011 at 14:17, perissf <per...@gmail.com> wrote:
> Ok.
> My app has some web services (a RESTful web service that connects to
> the db) and I need security for them. I chose what seemed to me
> the "standard" Java solution explained in all tutorials: to create a
> realm and to authenticate via j_security_check.

Uhm, j_security_check is used to do FORM authentication, which
normally is done when there is human interaction (i.e. user enters
username and password).
RESTful services are not normally authenticated with j_security_check
but with other mechanisms, ranging from (timed) tokens, to basic
authentication, etc. (i.e. something that does not require human
interaction).
CometD would work the same way, for example passing the HTTP headers
required by Basic authentication.

Since CometD requests (when using HTTP transports) are POSTs, you
can't POST additional data (like you would with j_security_check).
I am not sure how you can do that with restful services, for example
if I perform a POST request.

If you have a login page first, where you do your j_security_check,
and out of that page you get some authentication token, you can pass
that in CometD and have it processed on server-side (see
http://cometd.org/documentation/2.x/howtos/authentication).

Simon
--
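
The token approach described in the last reply, as an added example (not part of the thread and not CometD project code): a server-side policy that accepts a handshake only when it carries a timed token minted after the FORM login, and records the username for the `ServerSession`. It assumes the CometD 2.x `DefaultSecurityPolicy` API from the linked howto; the class name, the `token` key under `ext.authentication` and the token format are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.cometd.bayeux.server.*;
import org.cometd.server.DefaultSecurityPolicy;

// Hypothetical policy: a handshake passes only with a valid, unexpired ext.authentication.token.
public class TokenSecurityPolicy extends DefaultSecurityPolicy implements ServerSession.RemoveListener {
    private final byte[] key; // server-side secret, never sent to the browser
    private final Map<String, String> users = new ConcurrentHashMap<>(); // session id -> username
    public TokenSecurityPolicy(byte[] key) { this.key = key.clone(); }
    // Called after FORM login with request.getRemoteUser(). Assumed format: user|expiryMillis|base64url(HMAC).
    public String issue(String username, long expiresAtMillis) {
        String payload = username + "|" + expiresAtMillis;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }
    @Override
    public boolean canHandshake(BayeuxServer server, ServerSession session, ServerMessage message) {
        if (session.isLocalSession()) return true; // in-JVM services are trusted
        Map<String, Object> ext = message.getExt();
        Object auth = ext == null ? null : ext.get("authentication");
        Object token = auth instanceof Map ? ((Map<?, ?>) auth).get("token") : null;
        String username = token instanceof String ? verify((String) token) : null;
        if (username == null) return false; // missing, forged or expired token
        users.put(session.getId(), username); // the username <-> ServerSession association
        session.addListener(this); // forget the mapping when the session is removed
        return true;
    }
    @Override public void removed(ServerSession session, boolean timeout) { users.remove(session.getId()); }
    public String usernameOf(ServerSession session) { return users.get(session.getId()); }
    private String verify(String token) {
        String[] p = token.split("\\|", -1);
        if (p.length != 3) return null; // also rejects usernames containing '|'
        try {
            boolean ok = MessageDigest.isEqual(hmac(p[0] + "|" + p[1]), Base64.getUrlDecoder().decode(p[2]));
            return ok && Long.parseLong(p[1]) > System.currentTimeMillis() ? p[0] : null;
        } catch (IllegalArgumentException e) { return null; } // bad base64 or expiry field
    }
    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

The policy is installed with `bayeuxServer.setSecurityPolicy(...)`, and the page served after login passes the token as `cometd.handshake({ext: {authentication: {token: t}}})`.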
