2 Replies Latest reply on Jan 8, 2018 11:29 AM by fgrondin
    fgrondin Explorer

    FormLogin/Everyone doesn't authenticate correctly

    Hey,

    Whenever the user logs out or gets timed out, it redirects him to FormLogin/Everyone.

    However, on that FormLogin, it takes the username (not the password) and logs the user in as whatever the username is, even if the password is wrong.

    I have a custom authenticator; could that be it, or is it a problem with the FormLogin?

    Here is my custom authenticator:


    import java.io.IOException;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import com.thingworx.security.authentication.AuthenticatorException;
    import com.thingworx.security.authentication.CustomAuthenticator;

    public class LoginAuthenticator extends CustomAuthenticator {

        // Request state kept between matchesAuthRequest and the other callbacks
        private String user;
        private String requestUrl;
        private String password;
        private boolean isFormLogin;
        private boolean isRedirect;

        public LoginAuthenticator() {
            user = null;
            requestUrl = null;
            password = null;
            isFormLogin = true;
            isRedirect = false;
        }

        @Override
        public boolean matchesAuthRequest(HttpServletRequest httpRequest)
                throws AuthenticatorException
        {
            requestUrl = httpRequest.getRequestURL().toString();
            if ((!requestUrl.contains("action-login")) && (!requestUrl.contains("FormLogin")))
            {
                // Not a login request: flag it for a redirect to the login page
                isFormLogin = false;
                isRedirect = true;
                setRequiresChallenge(true);
            }
            else if (requestUrl.contains("action-login"))
            {
                // Form submission: pick up the posted credentials
                user = httpRequest.getParameter("thingworx-form-userid");
                password = httpRequest.getParameter("thingworx-form-password");
            }
            return true;
        }

        @Override
        public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
                throws AuthenticatorException
        {
            setCredentials(user, password);
        }

        @Override
        public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
                throws AuthenticatorException
        {
            if (isRedirect)
            {
                String urlString = "/Thingworx/FormLogin/Everyone"; // replace with your own organization
                try
                {
                    httpResponse.sendRedirect(urlString);
                }
                catch (IOException e)
                {
                    e.printStackTrace();
                }
            }
        }
    }
    
      • Re: FormLogin/Everyone doesn't authenticate correctly
        ttielebein Collaborator

        Hey,


        So one thing to note: this Authenticator is ALWAYS going to be attempted. You have "return true" at the end of your "matchesAuthRequest" method, outside of the if statements, but you never set it to false. You set "setRequiresChallenge" to true, but I think in the wrong method. This method will allow you to skip throwing an exception in your Authenticate method, not skip the Authenticate method entirely. So, this service is effectively saying, always sign this user in, no matter what. I think you need to change "setRequiresChallenge(true)" to "return false", and then this should work. I am confirming my understanding of the "setRequiresChallenge" method, so I will let you know if I need to make any corrections to this.


        Thanks!

        Tori

        • Re: FormLogin/Everyone doesn't authenticate correctly
          fgrondin Explorer

          I found out that you need to validate the user in the authenticate method by doing the following:

          AuthenticationUtilities.validateCredentials(user, password);
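
Putting the two findings of this thread together, here is an added example of the authenticator with both corrections applied; it is not code from either poster. It assumes that AuthenticationUtilities lives in com.thingworx.security.authentication, that validateCredentials throws AuthenticatorException when the password is wrong, that AuthenticatorException has a String constructor, and that the platform calls issueAuthenticationChallenge when authenticate throws with requiresChallenge set.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.thingworx.security.authentication.AuthenticationUtilities; // assumed package
import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;

public class LoginAuthenticator extends CustomAuthenticator {
    private static final String LOGIN_PAGE = "/Thingworx/FormLogin/Everyone"; // from the post

    @Override
    public boolean matchesAuthRequest(HttpServletRequest httpRequest)
            throws AuthenticatorException {
        // Claim only form-login submissions; returning false for everything
        // else keeps this authenticator from being attempted on every request.
        String requestUrl = httpRequest.getRequestURL().toString();
        return requestUrl.contains("action-login");
    }

    @Override
    public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        // Read credentials from this request, not from instance fields, so
        // one request can never pick up values left over from another.
        String user = httpRequest.getParameter("thingworx-form-userid");
        String password = httpRequest.getParameter("thingworx-form-password");
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            setRequiresChallenge(true);
            throw new AuthenticatorException("Missing form credentials");
        }
        try {
            // Verify the password against the platform before trusting the name.
            AuthenticationUtilities.validateCredentials(user, password);
        } catch (AuthenticatorException e) {
            // Assumed flow: a failed authenticate with requiresChallenge set
            // leads the platform to call issueAuthenticationChallenge.
            setRequiresChallenge(true);
            throw e;
        }
        setCredentials(user, password);
    }

    @Override
    public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        try {
            httpResponse.sendRedirect(LOGIN_PAGE);
        } catch (IOException e) {
            throw new AuthenticatorException("Redirect failed: " + e.getMessage());
        }
    }
}
```

This version only claims the form submission, as the reply suggests; the original's redirect of every non-login request, which came from returning true unconditionally, is deliberately not reproduced.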