Customizing Spring security (for PASOE) with additional fiel

Posted by Marko Myllymäki on 13-Aug-2018 09:09

Has anyone customized Spring security / OE Realm to support extra authentication fields besides username and password? We have been asked to provide a login service using username + device id + pin code.

A quick-and-dirty solution would be to concatenate username + delimiter character + device id in j_username and pin code in j_password and then parse received j_username in the OE Realm class. It seems (according to a quick Google search) that it would also be possible to customize Spring security to handle extra fields to make a more "elegant" solution. 

I would gladly hear about any experiences in solving a similar requirement. Any help, hints and suggestions are appreciated. 

Posted by Irfan on 13-Aug-2018 10:10

Hi Marko,

In order to send something other than username and password and perform authentication, I would choose something like CustomAuthorization. This is what I would choose if I had to pass tokens for authentication.

For your case, you can pass the username+password+device-id as one encoded token using Custom Authorization to ABL, then ABL can decode it and validate the details. Once validated, it will work the same way as OERealm.

Here are the properties I would set to use customAuthorization. The important details are authScheme, realmClass, authHeader and tokenSecret:

customAuthorizationFilter.authPolicy=required
customAuthorizationFilter.authScheme=devtoken
customAuthorization.UserDetails.realmClass=OpenEdge.Security.Authentication.CustomAuthorization
customAuthorizationFilter.authHeader=Authorization
customAuthorizationFilter.tokenSecret=secret
customAuthorization.AuthProvider.multiTenant=true
customAuthorization.AuthProvider.expires=0
customAuthorization.AuthProvider.sealClientPrincipal=true
customAuthorization.AuthProvider.accntinfo=true
customAuthorization.AuthProvider.authz=true

authScheme - Required name of the authentication scheme
realmClass - The name of the OERealm ABL class to execute
tokenSecret - A shared secret that can be sent to the CustomAuthHeader class's ValidatePassword() method, where it may be used by the CustomAuthHeader class to authenticate its caller. The CustomAuthHeader class may choose whether or not to validate the shared secret.
authHeader - The HTTP header name to intercept

Attached are the sample ABL classes I used for CustomAuthorization. My use case was to send a token in an HTTP header to PASOE and get it validated.

Attachments: CustomAuthorization.cls, UserAuthorization.cls
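The two routes discussed above, the delimiter-in-j_username idea from the question and the single opaque token in an Authorization header from the reply, as an added example that is not part of the thread and is not Irfan's attached ABL classes. It is written in Python rather than ABL to show the token handling and the server-side checks a realm class has to make; the scheme name devtoken is taken from the properties above, while the token layout (base64url of username, device id and PIN separated by an ASCII unit separator), the PBKDF2 PIN store and the function names are assumptions for illustration.

```python
"""Added example (not from the thread or from Irfan's attached ABL classes):
two ways to carry username + device id + PIN through a username/password
shaped authentication path. The scheme name 'devtoken' matches the post's
authScheme property; the token layout and the in-memory store are assumptions."""
import base64
import hashlib
import hmac
from typing import NamedTuple, Optional

# ASCII unit separator: cannot be typed into a normal login form, so it is a
# safer delimiter than '|' or ':' for packing several fields into one value.
DELIM = "\x1f"
SCHEME = "devtoken"          # same value as customAuthorizationFilter.authScheme
PBKDF2_ROUNDS = 100_000


class Credentials(NamedTuple):
    username: str
    device_id: str
    pin: str


def _check_fields(*fields: str) -> None:
    # Reject empty fields and any field that contains the delimiter; otherwise a
    # username containing the separator could shift the device id or PIN field.
    for f in fields:
        if not f or DELIM in f:
            raise ValueError("empty field or field contains delimiter")


# Option 1 (the quick-and-dirty route from the question): pack user + device
# id into j_username and split it again inside the realm class.
def build_composite_username(username: str, device_id: str) -> str:
    _check_fields(username, device_id)
    return f"{username}{DELIM}{device_id}"


def parse_composite_username(j_username: str) -> tuple:
    parts = j_username.split(DELIM)
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected exactly username<US>device_id")
    return parts[0], parts[1]


# Option 2 (the CustomAuthorization route from the reply): send one opaque
# token as 'Authorization: devtoken <base64url(username<US>device<US>pin)>'.
def build_devtoken_header(creds: Credentials) -> str:
    _check_fields(*creds)
    raw = DELIM.join(creds).encode("utf-8")
    return f"{SCHEME} " + base64.urlsafe_b64encode(raw).decode("ascii")


def parse_devtoken_header(header: str) -> Credentials:
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != SCHEME or not token:
        raise ValueError("not a devtoken Authorization header")
    try:
        parts = base64.urlsafe_b64decode(token.strip()).decode("utf-8").split(DELIM)
    except ValueError as exc:          # bad base64 padding or bad UTF-8
        raise ValueError("malformed token") from exc
    if len(parts) != 3 or not all(parts):
        raise ValueError("token must carry username, device id and pin")
    return Credentials(*parts)


# Server side: what the realm class does with the decoded token.
def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(store: dict, username: str, device_id: str, pin: str, user_id: int,
           salt: bytes = b"fixed-salt-for-demo") -> None:
    # Constructed in-memory store; a real realm would read the database.
    # One record per (user, device): a PIN is only valid on its enrolled device.
    store[(username, device_id)] = {"user_id": user_id, "salt": salt,
                                    "pin_hash": _pin_hash(pin, salt)}


def validate_devtoken(store: dict, header: str, presented_secret: str,
                      expected_secret: str) -> Optional[int]:
    """Return the user id on success, None on any failure (a single failure
    path, so a caller cannot tell a bad secret from a bad PIN or unknown device)."""
    # tokenSecret: shows the call comes from the PASOE filter, not a direct caller.
    if not hmac.compare_digest(presented_secret.encode(), expected_secret.encode()):
        return None
    try:
        creds = parse_devtoken_header(header)
    except ValueError:
        return None
    rec = store.get((creds.username, creds.device_id))
    if rec is None:
        _pin_hash(creds.pin, b"dummy-salt")   # same cost for unknown users
        return None
    if not hmac.compare_digest(_pin_hash(creds.pin, rec["salt"]), rec["pin_hash"]):
        return None
    return rec["user_id"]
```

Two caveats that apply to either route: the token is only encoded, not encrypted, so the PIN travels in clear text unless the connection is TLS; and the tokenSecret=secret value from the sample properties is a placeholder that has to be replaced with a real secret before the shared-secret check means anything.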

Posted by Marko Myllymäki on 14-Aug-2018 04:41

Thanks a lot, Irfan! This looks promising, I will take a look.
