Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Eric Dalquist
We have a plugin that allows for using the REMOTE_USER header from
Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
and replace the
org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
with an extended version of it that changed the behavior of the
createToken method:


    protected AuthenticationToken createToken(String username, String
password, ServletRequest request, ServletResponse response) {
        HttpServletRequest httpServletRequest = (HttpServletRequest)request;
       
        final String remoteUser = httpServletRequest.getRemoteUser();
        if (remoteUser != null) {
            return new RemoteUserAuthenticationToken(remoteUser);
        }

        //Fall back to normal auth
        return super.createToken(username, password, request, response);
    }



In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
find NexusSecurityFilterModule which appears to do the same thing that
the text config in web.xml used to do but I don't see an obvious way to
effect the same change. Any tips/pointers on how I can go about doing
this? I'm not really tied to this approach but what I need to do is
create a custom AuthenticationToken instance if REMOTE_USER is set.

Thanks,
-Eric


smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Eric Dalquist
Any help/hope here? I'm hoping we're not stuck with staying on 2.0 or
forking nexus itself.

-Eric

On 09/11/2012 11:04 AM, Eric Dalquist wrote:

> We have a plugin that allows for using the REMOTE_USER header from
> Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
> and replace the
> org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
> with an extended version of it that changed the behavior of the
> createToken method:
>
>
>     protected AuthenticationToken createToken(String username, String
> password, ServletRequest request, ServletResponse response) {
>         HttpServletRequest httpServletRequest = (HttpServletRequest)request;
>        
>         final String remoteUser = httpServletRequest.getRemoteUser();
>         if (remoteUser != null) {
>             return new RemoteUserAuthenticationToken(remoteUser);
>         }
>
>         //Fall back to normal auth
>         return super.createToken(username, password, request, response);
>     }
>
>
>
> In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
> find NexusSecurityFilterModule which appears to do the same thing that
> the text config in web.xml used to do but I don't see an obvious way to
> effect the same change. Any tips/pointers on how I can go about doing
> this? I'm not really tied to this approach but what I need to do is
> create a custom AuthenticationToken instance if REMOTE_USER is set.
>
> Thanks,
> -Eric
>


smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Tamás Cservenák

Will take a peek tomorrow (my) morning but am afraid that module you found is not extensible in way you need.

Thanks,
~t~ mobile

On Sep 12, 2012 7:57 PM, "Eric Dalquist" <[hidden email]> wrote:
Any help/hope here? I'm hoping we're not stuck with staying on 2.0 or
forking nexus itself.

-Eric

On 09/11/2012 11:04 AM, Eric Dalquist wrote:
> We have a plugin that allows for using the REMOTE_USER header from
> Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
> and replace the
> org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
> with an extended version of it that changed the behavior of the
> createToken method:
>
>
>     protected AuthenticationToken createToken(String username, String
> password, ServletRequest request, ServletResponse response) {
>         HttpServletRequest httpServletRequest = (HttpServletRequest)request;
>
>         final String remoteUser = httpServletRequest.getRemoteUser();
>         if (remoteUser != null) {
>             return new RemoteUserAuthenticationToken(remoteUser);
>         }
>
>         //Fall back to normal auth
>         return super.createToken(username, password, request, response);
>     }
>
>
>
> In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
> find NexusSecurityFilterModule which appears to do the same thing that
> the text config in web.xml used to do but I don't see an obvious way to
> effect the same change. Any tips/pointers on how I can go about doing
> this? I'm not really tied to this approach but what I need to do is
> create a custom AuthenticationToken instance if REMOTE_USER is set.
>
> Thanks,
> -Eric
>


Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Eric Dalquist
Thanks,

If it ends up not being possible I'd be very interested in providing a patch to allow for REMOTE_USER based authentication into Nexus. So if it isn't extensible right now some ideas on how to make it so would be appreciated.

-Eric


On 09/12/2012 02:10 PM, Tamás Cservenák wrote:

Will take a peek tomorrow (my) morning but am afraid that module you found is not extensible in way you need.

Thanks,
~t~ mobile

On Sep 12, 2012 7:57 PM, "Eric Dalquist" <[hidden email]> wrote:
Any help/hope here? I'm hoping we're not stuck with staying on 2.0 or
forking nexus itself.

-Eric

On 09/11/2012 11:04 AM, Eric Dalquist wrote:
> We have a plugin that allows for using the REMOTE_USER header from
> Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
> and replace the
> org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
> with an extended version of it that changed the behavior of the
> createToken method:
>
>
>     protected AuthenticationToken createToken(String username, String
> password, ServletRequest request, ServletResponse response) {
>         HttpServletRequest httpServletRequest = (HttpServletRequest)request;
>
>         final String remoteUser = httpServletRequest.getRemoteUser();
>         if (remoteUser != null) {
>             return new RemoteUserAuthenticationToken(remoteUser);
>         }
>
>         //Fall back to normal auth
>         return super.createToken(username, password, request, response);
>     }
>
>
>
> In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
> find NexusSecurityFilterModule which appears to do the same thing that
> the text config in web.xml used to do but I don't see an obvious way to
> effect the same change. Any tips/pointers on how I can go about doing
> this? I'm not really tied to this approach but what I need to do is
> create a custom AuthenticationToken instance if REMOTE_USER is set.
>
> Thanks,
> -Eric
>




smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Brian Demers
This is an old thread, but John Casey did some work with this a while back https://github.com/jdcasey/nx-sec/



On Wed, Sep 12, 2012 at 3:57 PM, Eric Dalquist <[hidden email]> wrote:
Thanks,

If it ends up not being possible I'd be very interested in providing a patch to allow for REMOTE_USER based authentication into Nexus. So if it isn't extensible right now some ideas on how to make it so would be appreciated.

-Eric



On 09/12/2012 02:10 PM, Tamás Cservenák wrote:

Will take a peek tomorrow (my) morning but am afraid that module you found is not extensible in way you need.

Thanks,
~t~ mobile

On Sep 12, 2012 7:57 PM, "Eric Dalquist" <[hidden email]> wrote:
Any help/hope here? I'm hoping we're not stuck with staying on 2.0 or
forking nexus itself.

-Eric

On 09/11/2012 11:04 AM, Eric Dalquist wrote:
> We have a plugin that allows for using the REMOTE_USER header from
> Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
> and replace the
> org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
> with an extended version of it that changed the behavior of the
> createToken method:
>
>
>     protected AuthenticationToken createToken(String username, String
> password, ServletRequest request, ServletResponse response) {
>         HttpServletRequest httpServletRequest = (HttpServletRequest)request;
>
>         final String remoteUser = httpServletRequest.getRemoteUser();
>         if (remoteUser != null) {
>             return new RemoteUserAuthenticationToken(remoteUser);
>         }
>
>         //Fall back to normal auth
>         return super.createToken(username, password, request, response);
>     }
>
>
>
> In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
> find NexusSecurityFilterModule which appears to do the same thing that
> the text config in web.xml used to do but I don't see an obvious way to
> effect the same change. Any tips/pointers on how I can go about doing
> this? I'm not really tied to this approach but what I need to do is
> create a custom AuthenticationToken instance if REMOTE_USER is set.
>
> Thanks,
> -Eric
>




Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Eric Dalquist
Just curious if this feature has ever been fixed? We are still stuck on Nexus 2.0 due to the lack of ability to configure custom auth filters from 2.1 on.

I've improved the docs for the rut-auth-plugin if that helps at all: https://github.com/UW-Madison-DoIT/nexus-rut-auth-plugin

-Eric

On 10/15/12 3:20 PM, Brian Demers wrote:
This is an old thread, but John Casey did some work with this a while back https://github.com/jdcasey/nx-sec/



On Wed, Sep 12, 2012 at 3:57 PM, Eric Dalquist <[hidden email]> wrote:
Thanks,

If it ends up not being possible I'd be very interested in providing a patch to allow for REMOTE_USER based authentication into Nexus. So if it isn't extensible right now some ideas on how to make it so would be appreciated.

-Eric



On 09/12/2012 02:10 PM, Tamás Cservenák wrote:

Will take a peek tomorrow (my) morning but am afraid that module you found is not extensible in way you need.

Thanks,
~t~ mobile

On Sep 12, 2012 7:57 PM, "Eric Dalquist" <[hidden email]> wrote:
Any help/hope here? I'm hoping we're not stuck with staying on 2.0 or
forking nexus itself.

-Eric

On 09/11/2012 11:04 AM, Eric Dalquist wrote:
> We have a plugin that allows for using the REMOTE_USER header from
> Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
> and replace the
> org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
> with an extended version of it that changed the behavior of the
> createToken method:
>
>
>     protected AuthenticationToken createToken(String username, String
> password, ServletRequest request, ServletResponse response) {
>         HttpServletRequest httpServletRequest = (HttpServletRequest)request;
>
>         final String remoteUser = httpServletRequest.getRemoteUser();
>         if (remoteUser != null) {
>             return new RemoteUserAuthenticationToken(remoteUser);
>         }
>
>         //Fall back to normal auth
>         return super.createToken(username, password, request, response);
>     }
>
>
>
> In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
> find NexusSecurityFilterModule which appears to do the same thing that
> the text config in web.xml used to do but I don't see an obvious way to
> effect the same change. Any tips/pointers on how I can go about doing
> this? I'm not really tied to this approach but what I need to do is
> create a custom AuthenticationToken instance if REMOTE_USER is set.
>
> Thanks,
> -Eric
>






smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Jason Dillon-3
I do not believe so.  The filter impl instances are not configurable.  The configuration here probably has to be redesigned, unclear how ATM though.

Maybe a set of specific provider components to replace the pragmatic instance configuration that is being done presently?

Actually I think NexusSecureHttpAuthenticationFilter could probably just implement an interceptor (or similar interloper-style) pattern, or rather perhaps be wrapped with a filter impl that implements this pattern.  This wrapper would inject an interceptor chain, where the last item is the present impl of NexusSecureHttpAuthenticationFilter.  Interceptors would implement specific logic, like your remote-user handling returning the result if applicable, or calling the next in the chain if not.

Perhaps could also consider a custom FilterChainResolver as well?

Need to understand this a bit more before I could suggest a strategy:

https://github.com/sonatype/nexus-oss/blob/d010fe4259129fbdcb2538d672e1b94d17e8cecf/plugins/restlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/security/filter/NexusSecurityFilterModule.java#L108

--jason

On July 17, 2013 at 8:48:35 PM, Eric Dalquist ([hidden email]) wrote:

Just curious if this feature has ever been fixed? We are still stuck on Nexus 2.0 due to the lack of ability to configure custom auth filters from 2.1 on.

I've improved the docs for the rut-auth-plugin if that helps at all: https://github.com/UW-Madison-DoIT/nexus-rut-auth-plugin

-Eric

On 10/15/12 3:20 PM, Brian Demers wrote:
This is an old thread, but John Casey did some work with this a while back https://github.com/jdcasey/nx-sec/



On Wed, Sep 12, 2012 at 3:57 PM, Eric Dalquist <[hidden email]> wrote:
Thanks,

If it ends up not being possible I'd be very interested in providing a patch to allow for REMOTE_USER based authentication into Nexus. So if it isn't extensible right now some ideas on how to make it so would be appreciated.

-Eric



On 09/12/2012 02:10 PM, Tamás Cservenák wrote:

Will take a peek tomorrow (my) morning but am afraid that module you found is not extensible in way you need.

Thanks,
~t~ mobile

On Sep 12, 2012 7:57 PM, "Eric Dalquist" <[hidden email]> wrote:
Any help/hope here? I'm hoping we're not stuck with staying on 2.0 or
forking nexus itself.

-Eric

On 09/11/2012 11:04 AM, Eric Dalquist wrote:
> We have a plugin that allows for using the REMOTE_USER header from
> Apache for AuthN into Nexus. In 2.0 and earlier we would modify web.xml
> and replace the
> org.sonatype.nexus.security.filter.authc.NexusSecureHttpAuthenticationFilter
> with an extended version of it that changed the behavior of the
> createToken method:
>
>
>     protected AuthenticationToken createToken(String username, String
> password, ServletRequest request, ServletResponse response) {
>         HttpServletRequest httpServletRequest = (HttpServletRequest)request;
>
>         final String remoteUser = httpServletRequest.getRemoteUser();
>         if (remoteUser != null) {
>             return new RemoteUserAuthenticationToken(remoteUser);
>         }
>
>         //Fall back to normal auth
>         return super.createToken(username, password, request, response);
>     }
>
>
>
> In 2.1 the web.xml doesn't have the filterconfig inline anymore. I did
> find NexusSecurityFilterModule which appears to do the same thing that
> the text config in web.xml used to do but I don't see an obvious way to
> effect the same change. Any tips/pointers on how I can go about doing
> this? I'm not really tied to this approach but what I need to do is
> create a custom AuthenticationToken instance if REMOTE_USER is set.
>
> Thanks,
> -Eric
>






---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Extending NexusSecureHttpAuthenticationFilter in Nexus 2.1

Harish Kayarohanam
This post has NOT been accepted by the mailing list yet.
Hi ,
  I saw this thread today . I am facing the same problem . Did any one find a way out . Can you please help me with that . I am struggling to find a solution . Please help.

Thanks