This page last changed on Mar 05, 2007 by justen.stepka@atlassian.com.
HttpAuthenticator
The HttpAuthenticator simplifies the authentication of HTTP-based clients. When an authentication or invalidation is performed, the HttpAuthenticator manages setting and resetting the integration variables on the principal's HTTP session. If the application client needs little beyond authentication and validation, the HttpAuthenticator is a simple and very straightforward integration piece. Shown below is a code example of authenticating and logging off a principal.
Example 1 (authenticate):
HttpAuthenticator.authenticate(request, response, username, password);
Example 2 (logoff):
HttpAuthenticator.logoff(request, response);
If there are any issues with the authentication or logoff calls, an Exception is thrown to the application client.
The HttpAuthenticator manages the following:
- Authenticating an HTTP request, and setting the session with the correct attributes for other integration points of the IDX framework.
- Invalidating an HTTP request, which includes removing the session-related attributes.
- Obtaining a principal's authenticated token from a session or browser cookie.
- Validating an existing HTTP authentication for single sign-on. If another application in the same domain has already authenticated the principal, the HttpAuthenticator will attempt to validate the existing authentication.
- Building a standard AuthenticationContext for a principal. This can be used to ensure the authentication is consistent across all clients when setting the validation factors of the client.
VerifyTokenFilter
The VerifyTokenFilter is an HTTP servlet filter that protects secured resources by verifying that the session or cookie token is active and that the principal has access to the requesting application. The token filter works in conjunction with the HttpAuthenticator, validating and setting various session and cookie attributes. Should the principal's token expire or become invalid due to security restrictions, the principal is redirected to the URL provided in crowd.properties.
Using the token filter is very straightforward: edit your web.xml deployment descriptor to declare the filter and the desired resource mapping:
<filter>
    <filter-name>VerifyTokenFilter</filter-name>
    <filter-class>com.atlassian.crowd.integration.http.VerifyTokenFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>VerifyTokenFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
</filter-mapping>
In this example, the verify token filter will prevent any pages on the /secure/ path from being accessed unless a valid token is found.
Should the token expire or be found invalid, the original URL is stored in the principal's session as a String under the key VerifyTokenFilter.ORIGINAL_URL. This is useful because, when the principal later authenticates, the original URL and its parameters can be used as a redirect that brings the principal back to their original request. An example of how this can be done at login is shown below:
public String login() throws Exception {
    // Authenticates the principal and sets the session/cookie token; throws on failure
    HttpAuthenticator.authenticate(request, response, username, password);
    // VerifyTokenFilter stored the page the principal was originally requesting
    String requestingPage = (String) getSession().getAttribute(VerifyTokenFilter.ORIGINAL_URL);
    if (requestingPage != null) {
        response().sendRedirect(requestingPage);
        return NONE; // redirect already sent, nothing further to render
    } else {
        return SUCCESS;
    }
}
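The servlet below is an added example, not code from this page or from Crowd itself. It ties together the two flows described above: authenticating and logging off a principal through HttpAuthenticator (the operations listed under HttpAuthenticator), and sending the principal back to the URL that VerifyTokenFilter stored under VerifyTokenFilter.ORIGINAL_URL. Assumptions: HttpAuthenticator lives in the same com.atlassian.crowd.integration.http package as VerifyTokenFilter; a logoff(request, response) method exists, as the comment at the bottom of this page indicates; the /login.jsp and /secure/home.jsp pages and the /login and /logoff servlet mappings are hypothetical; and the stored original URL may be either an absolute URL or a server-relative path, so the example accepts both forms but only when they point back at this server.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Package assumed from the VerifyTokenFilter class name given on the page.
import com.atlassian.crowd.integration.http.HttpAuthenticator;
import com.atlassian.crowd.integration.http.VerifyTokenFilter;

/**
 * Hypothetical login/logoff servlet (example code, not Crowd's own).
 * Assumed to be mapped to /login and /logoff in web.xml, with /secure/*
 * guarded by VerifyTokenFilter as in the descriptor fragment above.
 */
public class LoginServlet extends HttpServlet {

    private static final String LOGIN_PAGE = "/login.jsp";        // assumed page
    private static final String HOME_PAGE = "/secure/home.jsp";   // assumed page

    /** POST /login: authenticate, then return the principal to where the filter stopped them. */
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        try {
            // On success the integration sets the token and session attributes for us.
            HttpAuthenticator.authenticate(request, response, username, password);
        } catch (Exception e) {
            // The page states any authentication problem surfaces as an Exception.
            // Log the detail server-side; show the user only a generic failure.
            log("Authentication failed for user " + username, e);
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE + "?failed=true");
            return;
        }
        response.sendRedirect(postLoginTarget(request));
    }

    /** GET /logoff: invalidate the token and remove the integration's session attributes. */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("/logoff".equals(request.getServletPath())) {
            try {
                HttpAuthenticator.logoff(request, response);
            } catch (Exception e) {
                log("Logoff failed", e);
            }
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }

    /** Where to send the principal after login: the stored original URL if it is ours, else home. */
    static String postLoginTarget(HttpServletRequest request) {
        HttpSession session = request.getSession();
        String original = (String) session.getAttribute(VerifyTokenFilter.ORIGINAL_URL);
        session.removeAttribute(VerifyTokenFilter.ORIGINAL_URL);   // single use
        if (isLocalTarget(original, request)) {
            return original;
        }
        return request.getContextPath() + HOME_PAGE;
    }

    /**
     * Accept the stored target only when it points at this application:
     * an absolute URL whose host is this server, or a server-relative path.
     * Anything else (another host, a protocol-relative "//host" form, or
     * something that does not parse as a URI) is ignored.
     */
    static boolean isLocalTarget(String url, HttpServletRequest request) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        try {
            URI uri = new URI(url);
            if (uri.getHost() != null) {
                return uri.getHost().equalsIgnoreCase(request.getServerName());
            }
            String path = uri.getPath();
            return path != null && path.startsWith("/") && !url.startsWith("//");
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

The target check and the removeAttribute call are the practitioner's additions here: the stored URL is read once, consumed, and followed only if it resolves to this server, so a stale or unexpected value in the session cannot send a freshly authenticated principal somewhere else.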
Example 2 method should be logoff.

Posted by at Feb 01, 2007 10:55