Hi Kyle,
Thanks for taking a look. Indeed, I made the assumption that
SimpleCredentialsMatcher is used by default, but as part of my
troubleshooting I explicitly set it. doGetAuthenticationInfo is
invoked for sure, because my logs show it (I also stepped thru with
the debugger):
[WARN] org.tynamo.security.services.SecurityModule.RememberMeManager
(buildRememberMeManager:111) - Symbol 'security.remembermecipherkey'
is not set, using 'tapestry.hmac-passphrase' as the cipher. Beware
that changing the value will invalidate rememberMe cookies
[ERROR] org.apache.tapestry5.modules.AssetsModule.AssetSource
(invoke:237) - Packaging of classpath assets has changed in release
5.4; Assets should no longer be on the main classpath, but should be
moved to 'META-INF/assets/' or a sub-folder. Future releases of
Tapestry may no longer support assets on the main classpath.
[WARN] org.apache.tapestry5.modules.AssetsModule.AssetSource
(invoke:245) - Classpath asset '/org/tynamo/security/img/login-bg.png'
should be moved to folder
'/META-INF/assets/security/org/tynamo/security/img/'.
[DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
(getUser:444) - userId: donkey
[DEBUG] com.foo.bar.core.engine.components.dao.UserManagementMockDao
(getUserPassword:451) - userId: donkey
As you can see my mock dao is correctly being called and it is
returning the correct password because I saw it in the debugger.
Am I instantiating SimpleAuthenticationInfo correctly? This API is all
new to me (never worked with Shiro) so I'm learning as I go.
Also, here is what my AppModule contribution looks like:
@Contribute(WebSecurityManager.class)
public static void addRealms(Configuration<Realm> configuration,
@Inject @FromFactory UserManagementDao dao) {
Realm realm = new FooBarCoreRealm(dao);
configuration.add(realm);
}
Obviously replaced company name with FooBar etc.
Adam
On Tue, Nov 8, 2016 at 7:55 PM, Kalle Korhonen
<kalle.o.korho...@gmail.com> wrote:
> Looks fine at a quick glance. As I recall, an AuthenticatingRealm uses
> SimpleCredentialsMatcher by so it should match plain text passwords. Are
> you sure it's not authenticating, or is doGetAuthenticationInfo invoked at
> all? Do you have any other realms configured? Get the simple, single realm
> use case working first and work from there.
>
> Kalle
>
> On Tue, Nov 8, 2016 at 10:16 AM, Adam X <vbgnm3c...@gmail.com> wrote:
>
>> Howdy !
>>
>> I followed tynamo setup guide
>> (http://www.tynamo.org/tapestry-security+guide/) combined with
>> federated accounts example
>> (https://github.com/tynamo/tynamo-federatedaccounts). I believe I have
>> the setup hooked up correctly as my annotated page with
>> @RequiresRoles("administrator") is not intercepted by tynamo and a
>> login page appears. The problem I'm having is that when I enter valid
>> credentials tynamo is not authenticating. Below is my custom realm.
>> UserManagementDao is just an interface, but the implementation I'm
>> injecting is a simple in-memory hash map impl with a unit test
>> verifyinig it's correctness (in reality we're authenticating against
>> AWS IAM but I'm usinig mock to get things working initially). However,
>> I'm not sure if I'm constructing SimpleAuthenticationInfo correctly.
>> Another thing is that my passwords (for now) are clear text and I'm
>> not sure if by default Tynamo uses clear text comparison of if it
>> hashes the passwords.
>>
>> Any help would be highly appreciated!
>>
>> public class MyCustomRealm extends AuthorizingRealm {
>>
>> private UserManagementDao dao;
>>
>>
>> public XappmCoreRealm(UserManagementDao dao) {
>>
>> super(new MemoryConstrainedCacheManager());
>> setName("awsiamaccounts");
>> setAuthenticationTokenClass(UsernamePasswordToken.class);
>> //setCredentialsMatcher(new
>> HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME));
>>
>> this.dao = dao;
>> }
>>
>> @Override
>> protected AuthorizationInfo
>> doGetAuthorizationInfo(PrincipalCollection principals) {
>>
>> if(principals == null) throw new
>> AuthorizationException(String.format("null %s! (should not happen)",
>> PrincipalCollection.class.getSimpleName()));
>> if(principals.isEmpty()) return null;
>> if(principals.fromRealm(getName()).size() <= 0) return null;
>>
>> String username = (String)
>> principals.fromRealm(getName()).iterator().next();
>> if(username == null) return null;
>>
>> List<XapGroup> groups = dao.getUserGroups(username);
>> Set<String> roles = new HashSet<>();
>>
>> for(XapGroup group : groups) {
>> roles.add(group.getId());
>> }
>>
>> return new SimpleAuthorizationInfo(roles);
>> }
>>
>> @Override
>> protected AuthenticationInfo
>> doGetAuthenticationInfo(AuthenticationToken token) throws
>> AuthenticationException {
>>
>> UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>> String userName = upToken.getUsername();
>>
>> if(userName == null) throw new AccountException("Null
>> usernames are not allowed by this realm.");
>>
>> XapUser user = dao.getUser(userName);
>> if(user == null) return null;
>>
>> // if (user.isAccountLocked()) { throw new
>> LockedAccountException("Account [" + username + "] is locked."); }
>> // if (user.isCredentialsExpired()) {
>> // String msg = "The credentials for account [" + username
>> + "] are expired";
>> // throw new ExpiredCredentialsException(msg);
>> // }
>>
>> String password = dao.getUserPassword(userName);
>>
>> return new SimpleAuthenticationInfo(userName, password,
>> getName());
>> }
>> }
>>
>> Adam
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
