Custom Authentication
See also: User Authentication
Custom Authentication can be used to authenticate users where some sort of user-related information is available from the HTTP request, e.g. as a URL parameter containing a user name or a token, an HTTP header or a cookie. This option cannot be used to pop up any sort of dialog where the user enters their credentials; it can only be used where this information is already available. Once the user-related details have been extracted, they are passed to a Logon Service where they can be checked and any additional roles, credentials and authorizations can be added. Because URL parameters, headers and cookies are all supplied by the client, the Logon Service must treat the extracted value as a claim to be verified (for example by looking an opaque token up server-side), not as proof of identity in itself.
Custom Authentication is configured on the User Authentication page of the Server Admin App.
The XILogonExit program intercepts all HTTP requests, extracts user-related information from the request and passes it to the specified Logon Service to be authenticated.
User-related information can be extracted from the request; this might be a userid or some sort of token representing the userid. The following options are supported as standard:
· Extract information from a request parameter
· Extract information from the request header
· Extract information from a cookie.
As a special case, information from the HttpServletRequest object can be queried using request header variables. This can be used for all get… methods on HttpServletRequest that return a String: the header name remoteUser, for example, returns the value of getRemoteUser(), which is what Example 2 below relies on. See the Javadoc on HttpServletRequest for details of additional get… methods.
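The following is an added example, written for this page rather than taken from the product, that emulates the extraction rules above in Python: it reads the Logonexit.ParameterNameN / Logonexit.ParameterSourceN properties (N = 1 to 3), reads each value from its configured source only, and applies the special case whereby a header name such as remoteUser is resolved to HttpServletRequest.getRemoteUser() instead of a browser-supplied header. FakeRequest, parse_cookies and the office code LON are constructed stand-ins; the other input values are those used in Examples 1 to 3 below.

```python
from urllib.parse import urlsplit, parse_qs

VALID_SOURCES = {"URL", "HEADER", "COOKIE"}
MAX_PARAMS = 3


class FakeRequest:
    """Constructed stand-in for HttpServletRequest: just enough getters for the example."""

    def __init__(self, url, headers=None, remote_user=None):
        self.url = url
        self._headers = {k.lower(): v for k, v in (headers or {}).items()}
        # Only set when the application server itself authenticated the request.
        self._remote_user = remote_user

    def getRemoteUser(self):
        return self._remote_user

    def getRequestURI(self):
        return urlsplit(self.url).path

    def getHeader(self, name):
        return self._headers.get(name.lower())


def parse_config(props):
    """Turn Logonexit.ParameterNameN / ParameterSourceN (N = 1..3) into (name, source) pairs."""
    params = []
    for n in range(1, MAX_PARAMS + 1):
        name = props.get(f"Logonexit.ParameterName{n}")
        source = props.get(f"Logonexit.ParameterSource{n}")
        if name is None and source is None:
            continue  # parameter slot not used
        name = (name or "").strip()
        if not name or source not in VALID_SOURCES:
            raise ValueError(f"parameter {n}: a name and a source in {sorted(VALID_SOURCES)} are required")
        params.append((name, source))
    return params


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'} (first value wins)."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if name and sep and name not in cookies:
            cookies[name] = value
    return cookies


def special_case_value(request, name):
    """Header name 'remoteUser' -> request.getRemoteUser(), etc. Returns (found, value)."""
    method = getattr(request, "get" + name[:1].upper() + name[1:], None)
    if not callable(method):
        return False, None
    try:
        value = method()
    except TypeError:  # getter needs arguments (e.g. getHeader): not usable here
        return False, None
    # A getter that exists always wins, even when it returns null: a browser-sent
    # header of the same name must not be able to stand in for it.
    return True, value if isinstance(value, str) else None


def extract(request, params):
    """Build the PARAMn_VALUE / PARAMn_SOURCE fields for the Logon Service request."""
    query = parse_qs(urlsplit(request.url).query, keep_blank_values=True)
    cookies = parse_cookies(request.getHeader("Cookie"))
    fields = {}
    for n, (name, source) in enumerate(params, start=1):
        if source == "URL":
            value = query.get(name, [None])[0]  # first occurrence only
        elif source == "HEADER":
            found, value = special_case_value(request, name)
            if not found:
                value = request.getHeader(name)
        else:  # COOKIE
            value = cookies.get(name)
        fields[f"PARAM{n}_VALUE"] = value if value is not None else ""
        fields[f"PARAM{n}_SOURCE"] = source
    return fields
```

The point worth checking in your own deployment is the one the spoofed request in the test exercises: a value supplied as a URL parameter or as a browser header named remoteUser never satisfies a parameter configured with source HEADER, because the special case reads the container's getRemoteUser() and nothing else.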
The steps to implement XILogonExit to meet the security requirements of your organisation are described on a separate page.
The parameter properties represent up to 3 parameters, where each parameter is a name/source pair (Logonexit.ParameterNameN and Logonexit.ParameterSourceN, for N = 1, 2 and 3). Each of these parameters controls where one specific piece of information about the user can be found. The source properties must be one of URL, HEADER or COOKIE, and the named value is read from that source only. The system extracts the value for each parameter from the HTTP request and passes it to the Logon Service as PARAMn_VALUE and PARAMn_SOURCE, as shown in the examples below:
Example 1: User information passed on the URL:
This assumes that the usertoken parameter has been added to the URL. The script implementing the logon exit does the job of translating this into a userid. Since anyone who can read or guess the URL can present the same token, it should be an opaque, unguessable value that the logon exit looks up server-side, not a bare userid.
URL: http://www.mycorp.com/ebase/MyForm.eb?usertoken=973765AB34
Logonexit.ParameterName1=usertoken
Logonexit.ParameterSource1=URL
This will result in the following input fields to the web service (see request document format below):
PARAM1_VALUE=973765AB34
PARAM1_SOURCE=URL
Example 2: User information passed as a request header variable:
Here we are extracting the userid set by the application server, which can be configured to contain the Windows domain userid. This relies on the special case described above: the name remoteUser is resolved to HttpServletRequest.getRemoteUser() rather than to a header sent by the browser, so the value is only as trustworthy as the application server's own authentication of the request.
Logonexit.ParameterName1=remoteUser
Logonexit.ParameterSource1=HEADER
This will result in the following input fields to the web service, where the userid is jxsmith (see request document format below):
PARAM1_VALUE=jxsmith
PARAM1_SOURCE=HEADER
Example 3: User information passed using cookies:
In this example we will assume that 2 cookies have been created:
Officeloc: provides the usual office location of the user, and has the value
Userref: provides a personnel number or some other user reference, and has the value 753864
In this example we have an imaginary company that has implemented different security systems for different parts of the organisation (represented by the cookie Officeloc). Userref might represent a userid for one office location or a personnel number for another location. Both cookies are set by the client, so the Logon Service must validate Userref against the directory of the stated office rather than trust it, and must reject an Officeloc value it does not recognise. As the two values are separate parameters, the second uses the ParameterName2/ParameterSource2 properties:
Logonexit.ParameterName1=Officeloc
Logonexit.ParameterSource1=COOKIE
Logonexit.ParameterName2=Userref
Logonexit.ParameterSource2=COOKIE
This will result in the following input fields to the web service (see request document format below):
PARAM1_VALUE=
PARAM1_SOURCE=COOKIE
PARAM2_VALUE=753864
PARAM2_SOURCE=COOKIE
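Added example (not the product's code) of the checks a Logon Service can make on the PARAMn fields produced by the three examples above: the usertoken of Example 1 is only ever translated by lookup, the remoteUser value of Example 2 is rejected when empty (what an unauthenticated request yields), and the Officeloc cookie of Example 3 selects which directory validates Userref. TOKEN_TABLE, OFFICE_RULES, the office codes LON and NYC, the userid asmith and the role names are all constructed for the example.

```python
# Opaque usertoken -> userid (Example 1). Constructed data.
TOKEN_TABLE = {"973765AB34": "jxsmith"}

# Example 3: what Userref means depends on Officeloc. Constructed office codes,
# directories and roles; "userid" offices check Userref directly, "personnel_number"
# offices map it to a userid.
OFFICE_RULES = {
    "LON": ("userid", {"jxsmith": ["staff", "london"]}),
    "NYC": ("personnel_number", {"753864": ("asmith", ["staff", "newyork"])}),
}


def accept(userid, roles):
    return {"ok": True, "userid": userid, "roles": list(roles)}


def reject(reason):
    return {"ok": False, "userid": None, "roles": [], "reason": reason}


def logon_from_token(fields):
    """Example 1: a usertoken on the URL is translated into a userid by lookup only.
    The token is never decoded or used as a userid itself, so presenting a known
    userid in place of a token gains nothing."""
    if fields.get("PARAM1_SOURCE") != "URL":
        return reject("usertoken expected on the URL")
    userid = TOKEN_TABLE.get(fields.get("PARAM1_VALUE", ""))
    if userid is None:
        return reject("unknown usertoken")
    return accept(userid, ["staff"])


def logon_from_container(fields):
    """Example 2: remoteUser is whatever the application server's own authentication
    set. It is only meaningful when the configured parameter name is remoteUser
    (the getRemoteUser() special case); an empty value means no authentication."""
    if fields.get("PARAM1_SOURCE") != "HEADER":
        return reject("remoteUser must come from the application server")
    userid = fields.get("PARAM1_VALUE", "")
    if not userid:
        return reject("request was not authenticated by the application server")
    return accept(userid, ["staff"])


def logon_from_office(fields):
    """Example 3: Officeloc selects the security system that validates Userref.
    An unknown office is rejected rather than falling back to a default check."""
    if fields.get("PARAM1_SOURCE") != "COOKIE" or fields.get("PARAM2_SOURCE") != "COOKIE":
        return reject("Officeloc and Userref must both come from cookies")
    rule = OFFICE_RULES.get(fields.get("PARAM1_VALUE", ""))
    if rule is None:
        return reject("unknown office location")
    kind, directory = rule
    userref = fields.get("PARAM2_VALUE", "")
    if kind == "userid":
        roles = directory.get(userref)
        return accept(userref, roles) if roles is not None else reject("unknown userid")
    entry = directory.get(userref)
    return accept(*entry) if entry is not None else reject("unknown personnel number")
```

Each function also checks PARAMn_SOURCE against the source it was written for, so that a later change to the Logonexit.* properties (say, moving Userref from a cookie to a URL parameter) fails closed instead of silently accepting a value from a source the check was never designed for.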