Configuring authentication
To configure authentication for the CKFinder 3 for Java connector you need to create a class that implements the Authenticator interface. Thanks to the path scan mechanism, the authenticator will be automatically registered in the CKFinder’s internal dependency injection container.
A basic implementation that returns true from the authenticate() method (which is obviously not secure) can look like below:
package com.cksource.ckfinder.authentication;
import com.cksource.ckfinder.authentication.Authenticator;
import jakarta.inject.Named;
@Named
public class AlwaysTrueAuthenticator implements Authenticator {
@Override
public boolean authenticate() {
return true;
}
}
Your authenticator should never simply return true. By doing so, you are allowing anyone to upload and list the files on your server. In a real life scenario you should implement some kind of request validation mechanism to make sure that only trusted users can upload or delete your files.
In the next example, it is assumed that the session attribute named allowedToAccessCKFinder has been set for the authenticated user by the host application, and only a user with the allowedToAccessCKFinder attribute present in the session should be allowed to access CKFinder.
package com.cksource.ckfinder.authentication;
import com.cksource.ckfinder.authentication.Authenticator;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
@Named
public class CustomAuthenticator implements Authenticator {
@Inject
private HttpServletRequest request;
@Override
public boolean authenticate() {
HttpSession session = request.getSession();
return session.getAttribute("allowedToAccessCKFinder") == Boolean.TRUE;
}
}
As you can see in the example, the current HttpServletRequest instance can be autowired to the authenticator instance. To read more about the CKFiner DI container, refer to the Dependency injection article.