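【Posted】: 2014-05-12 15:40:53
【Question】:
We want to implement SSO in the Activiti BPM REST API 5.15. I followed the Activiti documentation exactly to build it with basic authentication disabled: http://www.activiti.org/userguide/#N12F8B The goal is to replace the REST API's built-in basic authentication with our own SSO logic.
So we need to disable the built-in basic authentication. To achieve this, I created a subclass of org.activiti.rest.service.application.ActivitiRestServicesApplication which implements the boolean requestRequiresAuthentication(Request request) method of the org.activiti.rest.common.filter.RestAuthenticator interface. In theory, always returning false disables basic authentication. I also read this post: http://forums.activiti.org/content/issue-custom-restauthenticator-using-rest-513
Here is my class: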
    package org.activiti.rest.service.application;

    import org.restlet.Request;
    import org.restlet.data.Form;
    import javax.crypto.Cipher;
    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.DESedeKeySpec;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    import org.activiti.engine.identity.User;
    import org.activiti.engine.impl.identity.Authentication;
    import org.apache.commons.codec.binary.Base64;
    import java.security.Key;
    import java.security.MessageDigest;
    import java.security.spec.KeySpec;
    import java.util.Arrays;
    import java.util.Date;
    import org.activiti.rest.common.api.ActivitiUtil;
    import org.activiti.rest.common.filter.RestAuthenticator;

    public class CustomActivitiRestServicesApplication extends ActivitiRestServicesApplication implements RestAuthenticator {

        protected String ltpaKey;
        protected String ltpaPassword;
        private static final String AES_DECRIPTING_ALGORITHM = "AES/CBC/PKCS5Padding";
        private static final String DES_DECRIPTING_ALGORITHM = "DESede/ECB/PKCS5Padding";
        private static final String LTPA_COOKIE_NAME = "LtpaToken2";
        String ltpaToken = null;

        @Override
        public boolean requestRequiresAuthentication(Request request) {
            //LTPA-Encrypt-Logic
            //Authentication.setAuthenticatedUserId(user.getId());
            return false;
        }

        @Override
        public boolean isRequestAuthorized(Request request) {
            // TODO Auto-generated method stub
            return false;
        }
    }
In addition, I changed the web.xml of activiti-webapp-rest2 so that it points to my custom implementation:
    <!-- Restlet adapter -->
    <servlet>
        <servlet-name>RestletServlet</servlet-name>
        <servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class>
        <init-param>
            <!-- Application class name -->
            <param-name>org.restlet.application</param-name>
            <param-value>org.activiti.rest.service.application.CustomActivitiRestServicesApplication</param-value>
        </init-param>
    </servlet>
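The problem is that this has no effect. After redeployment, the REST API still wants basic credentials, and I don't know why.
Thanks for any reply. I googled a lot, but without success.
Update: Perhaps this class might help with setting a custom REST authenticator: org.activiti.rest.common.application.ActivitiRestApplication
You can find this method there: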
        // Set authenticator as a NON-optional filter. If certain request require no authentication, a custom RestAuthenticator
        // should be used to free the request from authentication.
        authenticator = new ChallengeAuthenticator(null, true, ChallengeScheme.HTTP_BASIC,
                "Activiti Realm") {

            @Override
            protected boolean authenticate(Request request, Response response) {
                // Check if authentication is required if a custom RestAuthenticator is set
                if (restAuthenticator != null && !restAuthenticator.requestRequiresAuthentication(request)) {
                    return true;
                }
                if (request.getChallengeResponse() == null) {
                    return false;
                } else {
                    boolean authenticated = super.authenticate(request, response);
                    if (authenticated && restAuthenticator != null) {
                        // Additional check to see if authenticated user is authorised. By default, when no RestAuthenticator
                        // is set, a valid user can perform any request.
                        authenticated = restAuthenticator.isRequestAuthorized(request);
                    }
                    return authenticated;
                }
            }
        };
        authenticator.setVerifier(verifier);
    }
But I still don't understand how to "set" my custom REST authenticator. Any help is very welcome. Thanks a lot, Ben
【Discussion】:
Tags: java rest authentication activiti business-process-management
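The `authenticate` snippet quoted in the question only consults a `RestAuthenticator` when the `restAuthenticator` field is non-null, so implementing the interface on the application subclass has no effect until the instance is registered. The class below is an added example, not code from the original post or from the Activiti project. It assumes the base class exposes a `setRestAuthenticator(...)` setter for that field; the class name `SsoRestServicesApplication` and the hook `verifySsoToken` are hypothetical. Rather than returning `false` unconditionally, it skips the Basic challenge only for requests carrying a token that verified.

```java
package org.activiti.rest.service.application;

import org.activiti.engine.impl.identity.Authentication;
import org.activiti.rest.common.filter.RestAuthenticator;
import org.restlet.Request;

// Hypothetical class name; reference it in web.xml as org.restlet.application.
public class SsoRestServicesApplication extends ActivitiRestServicesApplication
        implements RestAuthenticator {

    private static final String LTPA_COOKIE_NAME = "LtpaToken2";

    public SsoRestServicesApplication() {
        super();
        // Without registration, restAuthenticator stays null in the base class and
        // the ChallengeAuthenticator never calls the two methods below.
        // Assumption: the base class provides this setter.
        setRestAuthenticator(this);
    }

    @Override
    public boolean requestRequiresAuthentication(Request request) {
        // Worker threads are pooled: clear any identity left by an earlier request.
        Authentication.setAuthenticatedUserId(null);
        String token = request.getCookies().getFirstValue(LTPA_COOKIE_NAME);
        String userId = (token == null) ? null : verifySsoToken(token);
        if (userId == null) {
            return true;  // no verified SSO identity: keep the HTTP Basic challenge
        }
        Authentication.setAuthenticatedUserId(userId);
        return false;     // identity established by SSO: skip HTTP Basic
    }

    @Override
    public boolean isRequestAuthorized(Request request) {
        // Reached only for requests that passed HTTP Basic; returning true keeps
        // the default behaviour (any valid user may perform any request).
        return true;
    }

    // Hypothetical hook: decrypt and validate the LTPA token (signature, expiry)
    // and return the user id. Returning null fails closed, so every request
    // falls back to HTTP Basic until real validation is supplied.
    protected String verifySsoToken(String token) {
        return null;
    }
}
```

With an unconditional `return false` in `requestRequiresAuthentication`, as in the question's class, a registered authenticator would let every request through unauthenticated, so token verification has to happen before that method returns `false`.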