Hey,
Whenever the user logs out or gets timed out, it redirects him to the FormLogin/Everyone.
However, on that FormLogin, it gets the username (not the password) and logs the user in as whatever the username is, even if the password is wrong.
I have a custom authenticator; could that be it, or is it a problem with the FormLogin?
Here is my custom authenticator:
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;

public class LoginAuthenticator extends CustomAuthenticator {
    private String user;
    private String requestUrl;
    private String password;
    private boolean isFormLogin;
    private boolean isRedirect;

    public LoginAuthenticator() {
        user = null;
        requestUrl = null;
        password = null;
        isFormLogin = true;
        isRedirect = false;
    }

    @Override
    public boolean matchesAuthRequest(HttpServletRequest httpRequest)
            throws AuthenticatorException {
        requestUrl = httpRequest.getRequestURL().toString();
        if (!requestUrl.contains("action-login") && !requestUrl.contains("FormLogin")) {
            // Any other page: remember that a redirect to the login form is needed.
            isFormLogin = false;
            isRedirect = true;
            setRequiresChallenge(true);
        } else if (requestUrl.contains("action-login")) {
            // Form post: capture the submitted credentials.
            user = httpRequest.getParameter("thingworx-form-userid");
            password = httpRequest.getParameter("thingworx-form-password");
        }
        // Always claims the request, so authenticate() runs for every request.
        return true;
    }

    @Override
    public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        // The password is never checked here; the session is created from the username alone.
        setCredentials(user, password);
    }

    @Override
    public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        if (isRedirect) {
            String urlString = "/Thingworx/FormLogin/Everyone"; // replace with your own organization
            try {
                httpResponse.sendRedirect(urlString);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}
I found out that you need to validate the user in the authenticate method by doing the following:
AuthenticationUtilities.validateCredentials(user, password);
Hey,
So one thing to note: this Authenticator is ALWAYS going to be attempted. You have "return true" at the end of your "matchesAuthRequest" method, outside of the if statements, but you never set it to false. You set "setRequiresChallenge" to true, but I think in the wrong method. This method will allow you to skip throwing an exception in your Authenticate method, not skip the Authenticate method entirely. So, this service is effectively saying, always sign this user in, no matter what. I think you need to change "setRequiresChallenge(true)" to "return false", and then this should work. I am confirming my understanding of the "setRequiresChallenge" method, so I will let you know if I need to make any corrections to this.
Thanks!
Tori
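A hardened version of the authenticator from the question, as an added example (not code from this thread or from PTC): it keeps the redirect logic, adds the validateCredentials step from the accepted answer, and fails closed when the form fields are missing. Assumptions: AuthenticationUtilities lives in com.thingworx.security.authentication, validateCredentials throws AuthenticatorException on a wrong password, AuthenticatorException accepts a message string, and the authenticator instance is reused across requests (so no per-request state is kept in fields).

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.thingworx.security.authentication.AuthenticationUtilities; // package path assumed
import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.CustomAuthenticator;

public class LoginAuthenticator extends CustomAuthenticator {
    // Same login page as in the original post; replace with your own organization.
    private static final String LOGIN_PAGE = "/Thingworx/FormLogin/Everyone";
    // No instance fields: the authenticator object is assumed to be shared across requests,
    // so everything request-specific is read from the HttpServletRequest when needed.
    private static boolean isLoginTraffic(HttpServletRequest httpRequest) {
        String requestUrl = httpRequest.getRequestURL().toString();
        return requestUrl.contains("action-login") || requestUrl.contains("FormLogin");
    }
    @Override
    public boolean matchesAuthRequest(HttpServletRequest httpRequest) throws AuthenticatorException {
        if (!isLoginTraffic(httpRequest)) {
            setRequiresChallenge(true); // as in the post: other pages get redirected to the login form
        }
        return true;
    }
    @Override
    public void authenticate(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws AuthenticatorException {
        String user = httpRequest.getParameter("thingworx-form-userid");
        String password = httpRequest.getParameter("thingworx-form-password");
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            // Fail closed: without both form fields there is nothing to verify.
            throw new AuthenticatorException("Username and password are required");
        }
        // The step missing from the original post: verify the password against the user store.
        // Assumed to throw AuthenticatorException on a mismatch, so setCredentials() is never reached.
        AuthenticationUtilities.validateCredentials(user, password);
        setCredentials(user, password);
    }
    @Override
    public void issueAuthenticationChallenge(HttpServletRequest httpRequest, HttpServletResponse httpResponse)
            throws AuthenticatorException {
        if (!isLoginTraffic(httpRequest)) {
            try {
                httpResponse.sendRedirect(LOGIN_PAGE);
            } catch (IOException e) {
                throw new AuthenticatorException("Redirect to login page failed: " + e.getMessage());
            }
        }
    }
}
```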