For IS portals we have a requirement to plug in authentication mechanisms; we have to support at least BasicAuth and SAML SSO OOTB. We had a meeting with the UUF folks about this requirement and identified the lack of such support in the current UUF implementation. We mainly discussed whether we should implement a UUF-specific feature once a request reaches the UUF level, or whether we should perform AuthN at the MSF4J level before it reaches the UUF level.
After evaluating both options we concluded to reuse MSF4J's existing security Interceptor mechanism for UUF as well, as it is much cleaner, more consistent and pluggable. Additionally, this approach works for both UUF pages and UI-specific APIs too.

The following 2 diagrams illustrate 2 example scenarios based on BasicAuth and SAML SSO.

[image: Inline image 1] [image: Inline image 2]

- In the above examples, requests first hit SessionValidationInterceptor. SessionValidationInterceptor checks whether an HTTP session exists or not; if one exists, it sets a flag to bypass the other AuthN Interceptor/s in the chain.
- BasicAuthInterceptor/SAMLSSOInterceptor are AuthN protocol specific and perform the AuthN based on the underlying protocol.
- AuthenticationValidationInterceptor: this will be hit as the last Interceptor in the chain and won't allow any request to pass this point without AuthN details.

*Improvements required from MSF4J*

- Ability to configure Interceptors at global/service level and ability to specify the order of the Interceptors. This feature is already being developed by Vidura based on API-M product API requirements, hence no additional effort here.
- Unlike MSF4J Interceptors used in services, here we have to create an HTTP session after successful AuthN. We have to design an API and implement this feature.
- Check how MSF4J behaves with browser-based HTTP features such as redirects.

*Improvements required from UUF*

- The session created at the MSF4J level should be visible at the UUF level so that UUF components can read/write values from/to the session.
- We haven't discussed AuthZ yet.

[1] - [Design Review] [IAM]User Portal :by - [email protected]
[2] - [Architecture][MSF4J] MSF4J Filter Configuration

Thanks!

--
Sagara Gunathunga
Associate Director / Architect; WSO2, Inc.; http://wso2.com
V.P Apache Web Services; http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog; http://ssagara.blogspot.com
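The interceptor ordering described in the message, modelled in plain Java for the BasicAuth scenario. This is an added example, not part of the original message and not MSF4J or UUF code. The `Ctx` class, the `Interceptor` interface, the in-memory session and user maps, and the credentials are assumptions constructed for illustration; only the three interceptor roles and their order come from the message.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.*;
public class AuthnChainDemo {
    // Simplified stand-in for request and session state; not an MSF4J or UUF type.
    static class Ctx {
        final Map<String, String> headers = new HashMap<>();
        String sessionId;        // value of the session cookie, null if absent
        boolean authenticated;   // flag that lets later AuthN interceptors be bypassed
    }
    interface Interceptor { boolean preCall(Ctx c); }   // returning false stops the chain
    static final Map<String, String> SESSIONS = new HashMap<>();   // sessionId -> user
    static final Map<String, String> USERS = Map.of("alice", "constructed-pass");
    static final Interceptor SESSION_VALIDATION = c -> {
        c.authenticated = c.sessionId != null && SESSIONS.containsKey(c.sessionId);
        return true;
    };
    static final Interceptor BASIC_AUTH = c -> {
        String h = c.headers.get("Authorization");
        if (c.authenticated || h == null || !h.startsWith("Basic ")) return true;
        try {
            String[] p = new String(Base64.getDecoder().decode(h.substring(6)), UTF_8).split(":", 2);
            String expected = USERS.get(p[0]);
            if (p.length == 2 && expected != null
                    && MessageDigest.isEqual(p[1].getBytes(UTF_8), expected.getBytes(UTF_8))) {
                c.sessionId = UUID.randomUUID().toString();   // fresh session ID after login
                SESSIONS.put(c.sessionId, p[0]);
                c.authenticated = true;
            }
        } catch (IllegalArgumentException malformedBase64) { /* stays unauthenticated */ }
        return true;
    };
    // Last in the chain: fail closed when no earlier interceptor established AuthN.
    static final Interceptor AUTHN_VALIDATION = c -> c.authenticated;
    static int handle(Ctx c) {
        for (Interceptor i : List.of(SESSION_VALIDATION, BASIC_AUTH, AUTHN_VALIDATION))
            if (!i.preCall(c)) return 401;
        return 200;   // the request would go on to the UUF page or UI API
    }
    public static void main(String[] args) {
        Ctx anon = new Ctx(), login = new Ctx(), reuse = new Ctx();
        login.headers.put("Authorization", "Basic "
                + Base64.getEncoder().encodeToString("alice:constructed-pass".getBytes(UTF_8)));
        System.out.println("no credentials: " + handle(anon));
        System.out.println("basic auth:     " + handle(login));
        reuse.sessionId = login.sessionId;   // follow-up request carrying the new session
        System.out.println("session reuse:  " + handle(reuse));
    }
}
```

The bypass flag is derived only from the server-side session lookup, never from anything the client sends, and the session ID is issued only after the credentials verify.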
