One problem I see with this is:
How does the filter know whether to create a session or not? Because not every page
needs a session. E.g. in J2EE you have getSession [1]; only the Servlet that
calls it will get a session. Similarly UUF has a {{secure}} tag that
marks which pages are secure. It's better if this pluggable security works
with that.

[1] https://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/http/HttpServletRequest.html#getSession()

On Sat, Jan 21, 2017 at 4:11 PM, Sagara Gunathunga <[email protected]> wrote:
>
> For IS portals we have a requirement to plug authentication mechanisms; at
> least we have to support BasicAuth and SAML SSO OOTB. We had a meeting with
> UUF folks about these requirements and identified the lack of such support
> in the current UUF implementation. We mainly discussed whether we should
> implement a UUF-specific feature once a request reaches the UUF level or
> whether we should perform AuthN at the MSF4J level before it reaches the UUF level.
>
> After evaluating both options we concluded to reuse MSF4J's existing
> security Interceptor mechanism for UUF as well, as it is much cleaner,
> more consistent and pluggable. Additionally this approach works for both UUF
> pages and UI-specific APIs too. The following 2 diagrams illustrate 2 example
> scenarios based on BasicAuth and SAML SSO.
>
> [image: Inline image 1]
>
> [image: Inline image 2]
>
> - In the above examples, requests first hit SessionValidationInterceptor.
>   SessionValidationInterceptor checks whether an HTTP session exists or not;
>   if it exists, it sets a flag to bypass the other AuthN Interceptor/s in the chain.
>
> - BasicAuthInterceptor/SAMLSSOInterceptor are AuthN protocol specific
>   and perform the AuthN based on the underlying protocol.
>
> - AuthenticationValidationInterceptor: this will be hit as the last
>   Interceptor in the chain and won't allow any request to pass this point
>   without AuthN details.
>
> *Improvements required from MSF4J*
>
> - Ability to configure Interceptors at global/service level and ability to
>   specify the order of the Interceptors. This feature is already being developed
>   by Vidura based on API-M product API requirements, hence no additional
>   effort here.
>
> - Unlike MSF4J Interceptors used in a service, here we have to create an HTTP
>   session after successful AuthN. We have to design an API and implement
>   this feature.
>
> - Check how MSF4J behaves with browser-based HTTP features such as
>   redirects.
>
> *Improvements required from UUF*
>
> - The session created at the MSF4J level should be visible at the UUF level so that
>   UUF components can read/write values from/to the session.
> - We haven't discussed AuthZ yet.
>
> [1] - [Design Review] [IAM]User Portal :by - [email protected]
> [2] - [Architecture][MSF4J] MSF4J Filter Configuration
>
> Thanks !
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.; http://wso2.com
> V.P Apache Web Services; http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ; http://ssagara.blogspot.com

--
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : [email protected]
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
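A runnable model of the three-interceptor chain described in Sagara's mail (SessionValidationInterceptor setting a bypass flag, a protocol-specific BasicAuth interceptor, AuthenticationValidationInterceptor rejecting last), folded together with the point raised above that only pages marked secure (UUF's {{secure}} tag, or a Servlet that calls getSession) should ever receive a session. This is an added Python example, not MSF4J or UUF code: the interceptors are plain callables, and the SECURE_PATHS route table, the JSESSIONID cookie name, the USERS map and the bypass_authn flag are assumptions of the model.

```python
"""Model of the proposed MSF4J interceptor chain (constructed example, not
MSF4J/UUF code). Interceptors are plain callables taking (request, ctx) and
returning True to continue or False to stop with ctx["response"] set."""
import base64
import hmac
import secrets

# Constructed user store. Real deployments store salted password hashes.
USERS = {"alice": "correct horse"}

# Assumption standing in for UUF's {{secure}} tag / a Servlet calling
# getSession(): only these paths require AuthN and may receive a session.
SECURE_PATHS = {"/portal/dashboard", "/api/profile"}

SESSIONS = {}  # assumed server-side store: session id -> {"user": name}
COOKIE = "JSESSIONID"  # assumed cookie name


def session_validation_interceptor(req, ctx):
    """First in the chain: an existing valid session sets a flag that makes the
    protocol-specific AuthN interceptors bypass themselves."""
    sid = req.get("cookies", {}).get(COOKIE)
    if sid in SESSIONS:
        ctx["principal"] = SESSIONS[sid]["user"]
        ctx["bypass_authn"] = True
    return True


def basic_auth_interceptor(req, ctx):
    """Protocol-specific AuthN (HTTP Basic). Runs only for secure paths without a
    session; it records the principal but does not create the session itself."""
    if ctx.get("bypass_authn") or ctx["path"] not in SECURE_PATHS:
        return True
    header = req.get("headers", {}).get("Authorization", "")
    if not header.startswith("Basic "):
        return True  # no credentials: the last interceptor will reject
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return True
    expected = USERS.get(user, "")
    # Constant-time compare, run even for unknown users to avoid a timing oracle.
    if hmac.compare_digest(pw.encode(), expected.encode()) and user in USERS:
        ctx["principal"] = user
    return True


def authentication_validation_interceptor(req, ctx):
    """Last in the chain: nothing reaches a secure page without AuthN details."""
    if ctx["path"] in SECURE_PATHS and "principal" not in ctx:
        ctx["response"] = {"status": 401,
                           "headers": {"WWW-Authenticate": 'Basic realm="portal"'},
                           "principal": None}
        return False
    return True


CHAIN = [session_validation_interceptor,
         basic_auth_interceptor,
         authentication_validation_interceptor]


def handle(req):
    """Run the chain; create a session only when a secure page was just
    authenticated, so public pages never get one."""
    ctx = {"path": req["path"]}
    for interceptor in CHAIN:
        if not interceptor(req, ctx):
            return ctx["response"]
    resp = {"status": 200, "headers": {}, "principal": ctx.get("principal")}
    if ctx["path"] in SECURE_PATHS and not ctx.get("bypass_authn"):
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {"user": ctx["principal"]}
        resp["headers"]["Set-Cookie"] = f"{COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax"
    return resp


def basic_header(user, pw):
    """Build an Authorization header value for the constructed client."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


if __name__ == "__main__":
    first = handle({"path": "/portal/dashboard",
                    "headers": {"Authorization": basic_header("alice", "correct horse")}})
    sid = first["headers"]["Set-Cookie"].split(";")[0].split("=", 1)[1]
    print(first["status"], handle({"path": "/portal/dashboard", "cookies": {COOKIE: sid}}))
```

Session creation is deliberately kept out of the AuthN interceptor and done once at the end of the chain, so a public page served with valid Basic credentials still gets no session, while a request carrying a valid cookie can read the principal from the session on any page (the visibility UUF components would need) without a new cookie being issued.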
