
Setting custom rest authenticator in rest-webapp

Question asked by b.schnarr on May 9, 2014
Latest reply on Sep 29, 2015 by b.schnarr
Hello all,

We want to implement SSO in the activiti-rest webapp. Therefore, we need to disable the built-in REST basic authentication. To achieve this, I created a subclass of org.activiti.rest.service.application.ActivitiRestServicesApplication that implements the method
boolean requestRequiresAuthentication(Request request)
of the custom org.activiti.rest.common.filter.RestAuthenticator interface. Always returning false disables the basic authentication in theory.

Here is my class:


package org.activiti.rest.service.application;

import org.restlet.Request;
import org.restlet.data.Form;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.activiti.engine.identity.User;
import org.activiti.engine.impl.identity.Authentication;
import org.apache.commons.codec.binary.Base64;

import java.security.Key;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Date;

import org.activiti.rest.common.api.ActivitiUtil;
import org.activiti.rest.common.filter.RestAuthenticator;

public class CustomActivitiRestServicesApplication extends ActivitiRestServicesApplication implements RestAuthenticator {

    protected String ltpaKey;
    protected String ltpaPassword;

    private static final String AES_DECRIPTING_ALGORITHM = "AES/CBC/PKCS5Padding";
    private static final String DES_DECRIPTING_ALGORITHM = "DESede/ECB/PKCS5Padding";
    private static final String LTPA_COOKIE_NAME = "LtpaToken2";
    String ltpaToken = null;

    @Override
    public boolean requestRequiresAuthentication(Request request) {

        //LTPA-Encrypt-Logic
        //Authentication.setAuthenticatedUserId(user.getId());
        return false;
    }

    @Override
    public boolean isRequestAuthorized(Request request) {
        // TODO Auto-generated method stub
        return false;
    }
}


In addition, I altered the web.xml of the activiti-webapp-rest2 so that it points to my custom implementation:


  <!-- Restlet adapter -->
  <servlet>
    <servlet-name>RestletServlet</servlet-name>
    <servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class>
    <init-param>
      <!-- Application class name -->
      <param-name>org.restlet.application</param-name>
      <param-value>org.activiti.rest.service.application.CustomActivitiRestServicesApplication</param-value>
    </init-param>
  </servlet>


The problem is that this takes no effect. After redeploying, the REST API still wants basic credentials, and I have no idea why.

Any reply is appreciated. I googled a lot but without success.

Thank you very much and best regards
Ben
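
Added example, not part of the original post and not Activiti's own code: a RestAuthenticator that skips basic authentication only when the LtpaToken2 cookie verifies, and otherwise keeps it, instead of returning false for every request. The package name, the class name and the verifyToken hook are hypothetical, and the behaviour of isRequestAuthorized described in its comment is an assumption.

```java
package org.example.sso; // hypothetical package

import org.activiti.engine.impl.identity.Authentication;
import org.activiti.rest.common.filter.RestAuthenticator;
import org.restlet.Request;

/** Skips HTTP Basic only for requests that carry a verified SSO token. */
public abstract class SsoRestAuthenticator implements RestAuthenticator {

    private static final String LTPA_COOKIE_NAME = "LtpaToken2";

    /**
     * Hypothetical hook: decrypt the token, check its integrity and expiry,
     * and return the user id, or null if any check fails.
     */
    protected abstract String verifyToken(String rawToken);

    @Override
    public boolean requestRequiresAuthentication(Request request) {
        String rawToken = request.getCookies().getFirstValue(LTPA_COOKIE_NAME);
        if (rawToken == null || rawToken.isEmpty()) {
            return true; // no SSO cookie: basic authentication stays in force
        }
        String userId;
        try {
            userId = verifyToken(rawToken);
        } catch (RuntimeException e) {
            return true; // fail closed: a malformed token never bypasses authentication
        }
        if (userId == null || userId.isEmpty()) {
            return true; // token rejected
        }
        // Bind the verified identity to the engine for this request thread.
        Authentication.setAuthenticatedUserId(userId);
        return false; // verified SSO user: no basic credentials needed
    }

    @Override
    public boolean isRequestAuthorized(Request request) {
        // Assumption: consulted for requests that went through basic authentication.
        // No extra restriction is applied here; add per-resource rules if needed.
        return true;
    }
}
```

Authentication keeps the user id per thread, so reset it with Authentication.setAuthenticatedUserId(null) once the request has been handled; otherwise a pooled thread can carry the identity into the next request.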
