
FormLogin/Everyone doesn't authenticate correctly

SOLVED

Hey,

Whenever the user logs out or gets timed out, it redirects him to FormLogin/Everyone.

However, on that FormLogin, it gets the username (not the password) and logs the user in as whatever the username is, even if the password is wrong.

I have a custom authenticator, could that be it or is it a problem with the FormLogin?

Here is my Custom Authenticator:

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;

public class LoginAuthenticator extends CustomAuthenticator {

    private String user;
    private String requestUrl;
    private String password;
    private boolean isFormLogin;
    private boolean isRedirect;

    public LoginAuthenticator() {
        user = null;
        requestUrl = null;
        password = null;
        isFormLogin = true;
        isRedirect = false;
    }

    @Override
    public boolean matchesAuthRequest(HttpServletRequest httpRequest)
            throws AuthenticatorException {
        requestUrl = httpRequest.getRequestURL().toString();
        if ((!requestUrl.contains("action-login")) & (!requestUrl.contains("FormLogin"))) {
            // Neither the login form nor its submit action: flag for redirect.
            isFormLogin = false;
            isRedirect = true;
            setRequiresChallenge(true);
        } else if (requestUrl.contains("action-login")) {
            // Login form submission: capture the submitted fields.
            user = httpRequest.getParameter("thingworx-form-userid");
            password = httpRequest.getParameter("thingworx-form-password");
        }
        // Returns true on every path.
        return true;
    }

    @Override
    public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        // Hands the captured values over as-is; the password is not checked here.
        setCredentials(user, password);
    }

    @Override
    public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        if (isRedirect) {
            String urlString = "/Thingworx/FormLogin/Everyone"; // replace with your own organization
            try {
                httpResponse.sendRedirect(urlString);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}


Accepted Solutions

Re: FormLogin/Everyone doesn't authenticate correctly

I found out that you need to validate the user in the authenticate method by doing the following:

AuthenticationUtilities.validateCredentials(user, password);
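
The accepted fix applied to the posted class, as an added example (not code from the thread or from PTC): a hypothetical subclass, ValidatingLoginAuthenticator, overrides only authenticate() so that setCredentials runs only after AuthenticationUtilities.validateCredentials has succeeded, and leaves the rest of the posted class unchanged. Assumptions: the package of AuthenticationUtilities, that validateCredentials throws when the credentials are wrong, and the AuthenticatorException(String) constructor.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumption: AuthenticationUtilities lives in the same package as the
// classes the original post imports.
import com.thingworx.security.authentication.AuthenticationUtilities;
import com.thingworx.security.authentication.AuthenticatorException;

// Hypothetical name. Extends the LoginAuthenticator from the question so that
// matchesAuthRequest and issueAuthenticationChallenge stay exactly as posted.
public class ValidatingLoginAuthenticator extends LoginAuthenticator {

    @Override
    public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        // Read the form fields from the request being authenticated instead of
        // from fields filled in by an earlier matchesAuthRequest call.
        String user = httpRequest.getParameter("thingworx-form-userid");
        String password = httpRequest.getParameter("thingworx-form-password");

        // Fail closed when either field is absent or empty.
        // Assumption: AuthenticatorException has a (String) constructor.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticatorException("Missing user name or password");
        }

        try {
            // The check the posted authenticate() was missing.
            // Assumption: this call throws when the pair is not valid.
            AuthenticationUtilities.validateCredentials(user, password);
        } catch (Exception e) {
            // One message for unknown user and wrong password, so the
            // response does not reveal which of the two was wrong.
            throw new AuthenticatorException("Invalid user name or password");
        }

        // Reached only when validation succeeded.
        setCredentials(user, password);
    }
}
```

A quick check after deploying a change like this is to submit the login form with a valid user name and a wrong password and confirm that no session is created.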


Re: FormLogin/Everyone doesn't authenticate correctly

Hey,

So one thing to note: this Authenticator is ALWAYS going to be attempted. You have "return true" at the end of your "matchesAuthRequest" method, outside of the if statements, but you never set it to false. You set "setRequiresChallenge" to true, but I think in the wrong method. This method will allow you to skip throwing an exception in your Authenticate method, not skip the Authenticate method entirely. So, this service is effectively saying, always sign this user in, no matter what. I think you need to change "setRequiresChallenge(true)" to "return false", and then this should work. I am confirming my understanding of the "setRequiresChallenge" method, so I will let you know if I need to make any corrections to this.

Thanks!

Tori
