Hi all,

The approach I used while implementing $subject was implementing a cache within the authentication framework. This cache is shared by a few other components, including the following:

  org.wso2.carbon.identity.oauth.endpoint
  org.wso2.carbon.identity.sso.saml
  org.wso2.carbon.identity.sts.passive.ui
  org.wso2.carbon.identity.provider

Before sending a request to the authentication framework, the relevant component removes all query parameters and headers from the request. All that information is stored in the shared cache (AuthenticationRequestCache) and only the session data key is sent as a query parameter (the session data key is also used as the cache key for AuthenticationRequestCache).

At the authentication framework, on request arrival, it checks whether a request cache entry is available for the particular session data key. If one is available, the request is wrapped with a new HttpServletRequestWrapper. This wrapper wraps the original request with all the information in the relevant cache entry. From that point onward the wrapped request is used as the HttpServletRequest.

Even though with the new implementation the call to the authentication framework does not contain any query params (including sensitive information such as encoded usernames and passwords, which were present in request-path authentication previously), the request to the authentication endpoint may still contain that information as query params. As a solution, when building query parameters from the wrapped HttpServletRequest, the essential parameter names are read from a configuration. This configuration is added to application-authentication.xml. Therefore only the configured parameters are sent to the authentication endpoint web app.

The reason for not using the shared cache within the authentication endpoint web app is that it should be a standalone web app which can be hosted somewhere else.
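The flow described above, as an added illustration that is not WSO2 code: a component stashes the request in a cache keyed by the session data key and forwards only that key; the framework rebuilds a wrapped request from the cache entry; and only an allowlist of parameter names (stand-in for the application-authentication.xml configuration; the names used are assumed) is forwarded to the authentication endpoint, so a credential that was in the original query string never reaches it. The servlet API is replaced by plain classes so the example runs offline.

```python
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class CachedRequest:
    """Everything stripped from the original request: query params and headers."""
    params: dict
    headers: dict


class AuthenticationRequestCache:
    """In-memory stand-in for the shared cache; the key is the session data key."""
    def __init__(self):
        self._entries = {}

    def put(self, session_data_key, entry):
        self._entries[session_data_key] = entry

    def get(self, session_data_key):
        return self._entries.get(session_data_key)


def strip_request(session_data_key, params, headers, cache):
    """Calling component: cache params/headers, forward only sessionDataKey."""
    cache.put(session_data_key, CachedRequest(dict(params), dict(headers)))
    return {"sessionDataKey": session_data_key}


class WrappedRequest:
    """Stand-in for the HttpServletRequestWrapper backed by the cache entry."""
    def __init__(self, forwarded_params, cached):
        self._params = {**cached.params, **forwarded_params}
        self._headers = dict(cached.headers)

    def get_parameter(self, name):
        return self._params.get(name)

    def get_parameter_names(self):
        return list(self._params)

    def get_header(self, name):
        return self._headers.get(name)


def framework_receive(forwarded_params, cache):
    """Framework side: look up the cache entry; no entry means no wrapped request."""
    key = forwarded_params.get("sessionDataKey")
    cached = cache.get(key) if key else None
    return None if cached is None else WrappedRequest(forwarded_params, cached)


# Assumed parameter names, standing in for the configured list in application-authentication.xml.
ESSENTIAL_PARAMS = {"sessionDataKey", "relyingParty", "type"}


def build_endpoint_query(request, essential=ESSENTIAL_PARAMS):
    """Query string for the authentication endpoint web app: allowlisted names only."""
    names = sorted(n for n in request.get_parameter_names() if n in essential)
    return urlencode({n: request.get_parameter(n) for n in names})
```

Anything not on the allowlist (here the constructed username and password parameters) stays in the cache and is available to the framework through the wrapper, but is absent from the query sent to the endpoint.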
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture