correct way to provide the ticket

Question asked by tim-erwin on Feb 26, 2008
Latest reply on May 7, 2008 by mcirwin
Hi,

the way I chose to handle authentication is:
  1. get the ticket from AuthenticationUtils.startSession(username, password); during the first request
  2. in the subsequent requests pass the ticket (saved in the session) to the AuthenticationCallbackHandler; all webservice calls will get the ticket from the latter

That's only 2 steps and, with the CallbackHandler, quite elegant though "hacky", since I had to write my own one because the original one has no setTicket() method. As described in this post, that way works only most of the time and moreover causes problems when putting Alfresco and my application on different servers (may be something different, though).

sylvain78 proposed another approach: again using startSession(user, pass), storing the ticket and then providing it by creating the services with it as an argument, e.g.:
repositoryService = (RepositoryServiceSoapBindingStub)locator.getRepositoryService();
repositoryService.setPassword(details.getTicket());

A third approach I found in these forums was to create and destroy a session for each request. That would be quite easy, however, supposedly neither elegant nor fast. Moreover, you have to store the user's password somewhere to re-authenticate and send it over the network over and over again.

What now is the correct way to authenticate? (Perhaps it helps to know that I develop an application running on a Tomcat. The user sends requests to my application, which then asks Alfresco. The ticket is stored in the user's session of my application. So from Alfresco's point of view my application is the client which is the proud owner of an Alfresco ticket…)

Thanks in advance,
Tim-Erwin