Hi All,

My project is to add cookie-based authentication to the micro-gateway. This is
the approach that I have come up with. Please review it, let me know what you
think, and be kind enough to share your suggestions.

Requirement

Provide cookie-based authentication for the product micro-gateway, using HTTP
session cookies for authentication.

Suggested Approach

When a user invokes an API with a cookie, the micro-gateway has to validate
that cookie before responding. The cookies included in the HTTP request that
are used to authenticate have to be extracted from the request. From all
extracted cookies, their respective session ID values have to be extracted
properly.

The Authn filter will check the incoming request to the micro-gateway and
determine whether it contains an "Authorization" header or a "Cookie" header.
If the header is "Cookie", the cookie validation process will be executed and
the cookie will be validated. If not, it will be executed as a normal request
containing an "Authorization" header. The session ID of the required cookie
can be provided to the server as a direct key-value pair at micro-gateway
server startup.


    if (request.hasHeader(authHeaderName)) {
        // Standard path: an Authorization header is present
        authHeader = request.getHeader(authHeaderName);
    } else if (request.hasHeader(COOKIE_HEADER)) {
        // Authentication with HTTP cookies
        CookieBasedAuth cookieBasedAuth = new CookieBasedAuth();
        result = cookieBasedAuth.processRequest(listener, request, context);
    } else {
        // Neither header present: reject with a missing-credentials error
        log:printError("No authorization header was provided");
        setErrorMessageToFilterContext(context, API_AUTH_MISSING_CREDENTIALS);
        sendErrorResponse(listener, request, untaint context);
        return false;
    }

The above code segment identifies the header type of the incoming request.
The validation process is then done in a separate file named *"cookie.bal"*.
In this file, the session ID is extracted and validated against the value
given at server startup. For that I have implemented a new function,
*"processRequest"*, which returns a string or an error. If any of the cookies
included in the request is not equal to the given ID, the validation process
fails. If it fails, an error is thrown and the authnFilter fails. If the
session ID of any cookie matches the given one, that ID is returned to the
authnFilter for further execution there.

public function processRequest(http:Listener listener, http:Request request,
                               http:FilterContext context) returns string|error {
    // Expected session ID, supplied as a config value at gateway startup
    string requiredCookie = config:getAsString(COOKIE_HEADER, default = "");
    if (requiredCookie == "") {
        // Without a configured ID an empty cookie value would otherwise match
        error notConfigured = {message:"No session ID configured for cookie authentication"};
        return notConfigured;
    }

    // Extract the cookies from the incoming request's Cookie header
    string authHead = request.getHeader(COOKIE_HEADER);
    string[] cookies = authHead.trim().split(";");

    foreach cookie in cookies {
        string pair = cookie.trim();
        // Split on the first "=" only, so values containing "=" stay whole;
        // a pair without "=" is skipped instead of causing an index error.
        // Cookie values are not logged, since they are session credentials.
        int idx = pair.indexOf("=");
        if (idx > 0) {
            string sessionId = pair.substring(idx + 1, lengthof pair);
            if (sessionId == requiredCookie) {
                return sessionId;
            }
        }
    }

    error notFound = {message:"No matched cookie found"};
    return notFound;
}



*Chamindu Udakara *
*Software engineering Intern*
WSO2  (University of Moratuwa)
*mobile *: *+94 755285531*  |   *email *:  [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

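The following is an added illustration of the cookie check described in the mail above; it is not part of the original message or of the micro-gateway code, and it is written in Python rather than Ballerina so the parsing edge cases can be shown compactly. It goes slightly beyond the posted design: it splits each pair on the first "=" only (cookie values may contain "="), skips malformed pairs instead of indexing past the end, looks up one named session cookie rather than accepting a matching value under any name, and compares with a constant-time function. The cookie name `SESSION` and the expected ID are assumptions standing in for the configured startup value.

```python
"""Cookie-header authentication check (added example, not gateway code)."""
import hmac
from typing import Dict, Optional

# Assumed names; the gateway would take these from its configuration at startup.
SESSION_COOKIE_NAME = "SESSION"       # hypothetical cookie name
EXPECTED_SESSION_ID = "a3f9c1e2d4b5"  # hypothetical configured session ID


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie request header into a {name: value} dict.

    Pairs are separated by ";" and each pair is split on the FIRST "=" only,
    because values may legally contain "=". Pairs without "=" or with an
    empty name are skipped rather than raising an index error. Duplicate
    names keep the first occurrence, which is what most servers do.
    """
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        name, _, value = pair.partition("=")
        name, value = name.strip(), value.strip()
        # RFC 6265 allows a cookie-value wrapped in double quotes.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name and name not in cookies:
            cookies[name] = value
    return cookies


def authenticate_by_cookie(cookie_header: str,
                           expected_id: str = EXPECTED_SESSION_ID,
                           cookie_name: str = SESSION_COOKIE_NAME) -> Optional[str]:
    """Return the authenticated session ID, or None if the check fails.

    Only the named session cookie is consulted, so a matching value under an
    unrelated cookie name is not accepted. hmac.compare_digest keeps the
    comparison constant-time, so the response time does not reveal how many
    leading characters of the presented ID were correct.
    """
    if not expected_id:
        return None  # no configured ID: never accept an empty cookie value
    presented = parse_cookie_header(cookie_header).get(cookie_name)
    if presented is None:
        return None
    if hmac.compare_digest(presented.encode(), expected_id.encode()):
        return presented
    return None


def authn_filter(headers: Dict[str, str]) -> str:
    """Mirror the filter's header dispatch: Authorization first, then Cookie.

    Header names are matched case-insensitively, as HTTP requires. Returns a
    label ("bearer", "cookie", "invalid_cookie", "missing_credentials") so
    the decision can be checked; a real filter would set the error and stop.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "authorization" in lowered:
        return "bearer"
    if "cookie" in lowered:
        return "cookie" if authenticate_by_cookie(lowered["cookie"]) else "invalid_cookie"
    return "missing_credentials"


if __name__ == "__main__":
    # Constructed sample request header, not captured traffic.
    sample = "theme=dark; SESSION=a3f9c1e2d4b5; pref=a=b"
    print(parse_cookie_header(sample))
    print(authn_filter({"Cookie": sample}))
```

Note that the posted Ballerina returns the first cookie value equal to the configured ID regardless of cookie name; the name-based lookup here is the stricter behaviour a gateway would normally want, since the browser sends every cookie for the domain, not only the session cookie.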