Overview
[fleXive] stores its accounts in the database and authentication is performed against these accounts.
An issue that often arises is authentication against other sources like LDAP or ActiveDirectory.
The preferred and easiest way to do this in [fleXive] is to use the event-based scripting engine.
Using events to log on and off
[fleXive] provides two event types to allow for script execution when users log in and log off:
FxScriptEvent.AccountLogin and FxScriptEvent.AccountLogout.
If no scripts with these event types exist, [fleXive] performs the default authentication against the database.
Scripts of type FxScriptEvent.AccountLogin have these variables available to use:
| Variable | Description |
| --- | --- |
| loginname | Name used to log on |
| password | Plaintext password |
| callback | An FxCallback instance providing a DataSource to access the database, the EJB context and a flag indicating whether a user already logged in with this account should be logged off |

The expected result is an initialized UserTicket.
All available scripts of type FxScriptEvent.AccountLogin will be executed until a UserTicket is returned. If no UserTicket is returned from any script, authentication will be performed against the database.
Scripts of type FxScriptEvent.AccountLogout have this variable available to use:
| Variable | Description |
| --- | --- |
| ticket | The UserTicket of the user that is being logged off |
The purpose of this event is to perform any action that is required when a user signs off, such as recording in the database that the user logged off and when.

Once at least one script has been called, [fleXive] will no longer perform a log off from the database! So please make sure you call it in at least one script.
A simple example:
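```groovy
println "Logging off " + ticket.loginName
// Perform the database log off explicitly, since [fleXive] no longer does it once a script has run
com.flexive.core.security.FxDBAuthentication.logout(ticket)
```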
Example
Using scripts for dynamic authentication is easy. The following example checks whether an account exists for the user who wishes to log on. If it does not exist, the script creates an account and assigns it the role GlobalSupervisor. This example shows how simple it could be to authenticate against LDAP or ActiveDirectory.
Create this script using the event type FxScriptEvent.AccountLogin and it will be executed automatically.
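```groovy
import com.flexive.shared.security.*
import com.flexive.core.security.*
import com.flexive.shared.*
import com.flexive.shared.exceptions.*

println "Groovy is performing a login for " + loginname
try {
    // Look up the account; FxNotFoundException means it does not exist yet
    EJBLookup.accountEngine.load(loginname)
} catch (FxNotFoundException nf) {
    // A script backed by LDAP or ActiveDirectory would verify loginname and
    // password against the directory here, before any account is created
    println "User " + loginname + " does not exist! Creating ..."
    // Valid for one year; the long literal keeps the product from overflowing int
    Date end = new Date(System.currentTimeMillis() + 365L * 24 * 3600 * 1000)
    final AccountEdit account = new AccountEdit()
            .setName(loginname)
            .setLoginName(loginname)
            .setEmail("newuser@flexive.com")
            .setActive(true)
            .setValidated(true)
            .setValidTo(end)
    // Creating the account needs system privileges; drop them again even on failure
    FxContext.get().runAsSystem()
    try {
        long acct = EJBLookup.accountEngine.create(account, password)
        EJBLookup.accountEngine.setRoles(acct, Role.GlobalSupervisor.id)
    } finally {
        FxContext.get().stopRunAsSystem()
    }
}
// Authenticate against the database with the supplied credentials
UserTicket ticket = FxDBAuthentication.login(loginname, password, callback)
println "logged in account #" + ticket.userId + " for " + loginname
return ticket
```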
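The script above never contacts a directory. The following added example (not part of the original page or of the fleXive project) is an AccountLogin script that checks the credentials with an LDAP simple bind through JNDI before handing over to the database login. The server URL, the base DN, the `uid` naming attribute and the helper `ldapBind` are assumptions, as is a local account that already exists with the same password.

```groovy
import javax.naming.AuthenticationException
import javax.naming.Context
import javax.naming.NamingException
import javax.naming.directory.InitialDirContext
import javax.naming.ldap.Rdn
import com.flexive.shared.security.*
import com.flexive.core.security.*

// Assumed directory settings (placeholders, not fleXive defaults)
final String LDAP_URL = "ldaps://ldap.example.com:636"
final String USER_BASE = "ou=people,dc=example,dc=com"

// Hypothetical helper: true only if the directory accepts a simple bind
boolean ldapBind(String url, String base, String user, String pw) {
    // A simple bind with an empty password is an unauthenticated bind that
    // many servers accept, so reject it before contacting the directory
    if (!user || !pw) return false
    // Escape the login name so characters such as ',' or '+' cannot alter the DN
    String dn = "uid=" + Rdn.escapeValue(user) + "," + base
    Hashtable<String, String> env = new Hashtable<String, String>()
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
    env.put(Context.PROVIDER_URL, url)
    env.put(Context.SECURITY_AUTHENTICATION, "simple")
    env.put(Context.SECURITY_PRINCIPAL, dn)
    env.put(Context.SECURITY_CREDENTIALS, pw)
    env.put("com.sun.jndi.ldap.connect.timeout", "5000")
    try {
        new InitialDirContext(env).close()
        return true
    } catch (AuthenticationException e) {
        return false // wrong password or unknown user
    } catch (NamingException e) {
        println "LDAP check failed for " + user + ": " + e.message
        return false // directory unreachable: treat as not authenticated here
    }
}

if (!ldapBind(LDAP_URL, USER_BASE, loginname, password)) {
    // No ticket from this script: the next AccountLogin script runs, or the
    // default database authentication is used as the final fallback
    return null
}
// The directory accepted the credentials; log in the local account
// (assumed to exist with the same password)
UserTicket ticket = FxDBAuthentication.login(loginname, password, callback)
println "LDAP-verified login of account #" + ticket.userId + " for " + loginname
return ticket
```

Because a script that returns no UserTicket only passes control on, a failed bind here does not by itself deny the login: an account with a matching database password is still accepted by the fallback.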
An even simpler example shows how to perform auditing or send emails when a user logs in.
Note that if no UserTicket is returned from the script, all other available scripts for FxScriptEvent.AccountLogin will be executed until a UserTicket is returned or the default database-based authentication is called as the final fallback. This allows for easy chaining of such scripts.

```groovy
println "User " + loginname + " is logging in ..."
```