Community Tip - Learn all about the Community Ranking System, a fun gamification element of the PTC Community. X
Hey,
Whenever, the user log out or get timed out, it redirects him to the FormLogin/Everyone.
However, on that FormLogin, it gets the username (not the password) and log the user as what the username is even if the password is wrong.
I have a custom authenticator, could that be it or is it a problem with the FormLogin ?
Here is my Custom Authenticator
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;
public class LoginAuthenticator extends CustomAuthenticator {
private String user;
private String requestUrl;
private String password;
private boolean isFormLogin;
private boolean isRedirect;
public LoginAuthenticator() {
user = null;
requestUrl = null;
password = null;
isFormLogin = true;
isRedirect = false;
}
@Override
public boolean matchesAuthRequest(HttpServletRequest httpRequest)
throws AuthenticatorException
{
requestUrl = httpRequest.getRequestURL().toString();
if((!requestUrl.contains("action-login")) & (!requestUrl.contains("FormLogin")))
{
isFormLogin = false;
isRedirect = true;
setRequiresChallenge(true);
} else
if(requestUrl.contains("action-login"))
{
user = httpRequest.getParameter("thingworx-form-userid");
password = httpRequest.getParameter("thingworx-form-password");
}
return true;
}
@Override
public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
throws AuthenticatorException
{
setCredentials(user, password);
}
@Override
public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
throws AuthenticatorException
{
if(isRedirect)
{
String urlString = "/Thingworx/FormLogin/Everyone";//replace with your own organization
try
{
httpResponse.sendRedirect(urlString);
}
catch(IOException e)
{
e.printStackTrace();
}
}
}
}
Solved! Go to Solution.
I found out that you need to validate the user in the authenticate method by doing the following
AuthenticationUtilities.validateCredentials(user, password);
Hey,
So one thing to note: this Authenticator is ALWAYS going to be attempted. You have "return true" at the end of your "matchesAuthRequest" method, outside of the if statements, but you never set it to false. You set "setRequiresChallenge" to true, but I think in the wrong method. This method will allow you to skip throwing an exception in your Authenticate method, not skip the Authenticate method entirely. So, this service is effectively saying, always sign this user in, no matter what. I think you need to change "setRequiresChallenge(true)" to "return false", and then this should work. I am confirming my understanding of the "setRequiresChallenge" method, so I will let you know if I need to make any corrections to this.
Thanks!
Tori
I found out that you need to validate the user in the authenticate method by doing the following
AuthenticationUtilities.validateCredentials(user, password);