Hi Mike,

Thank you for the explanation! I'll continue with JSON, it suits my needs fine!

- Perre

On Tue, 3 Oct 2023 at 20:40, Michael Jumper wrote:

> On 10/3/2023 1:17 AM, Per-Erik Gustafsson wrote:
> > Hi,
> >
> > I am using JSON authentication and now it would be nice if I could hide
> > the actual JSON authentication string in a keystore, and send login as
> > GET myserver/?key=abc-123.
> > The actual value would then be fetched from keystore and in Nginx the
> > proxy_pass call would be like proxy_pass .../?data=$actualjson
> >
> > I have tested a solution like this but cannot get it working.
> > The log says
> > http-nio-8080-exec-5] DEBUG o.a.g.r.auth.AuthenticationService -
> > Anonymous authentication attempt from [10.x.x.x, 10.x.x] failed.
> >
> > When I copy the ?data=xxx from tomcat log and run it in my browser I get
> > logged in.
> > Any suggestions how to get it working?
>
> The "#/?data=THEJSON" portion of the URL has to be visible to JavaScript
> to be passed on during the authentication process. Attempting to pass
> things through "proxy_pass" will not have the same effect; it has to be
> visible to the user's browser so that the client side of the webapp can
> hand it off to the authentication service.
>
> Part of the reason the JSON is encrypted and signed is to allow it to be
> safely included in the URL. I would suggest doing so if intending to
> dynamically authenticate and authorize users using the JSON extension.
> The alternative would be to write your own authentication extension that
> authenticates and authorizes users however you wish.
>
> - Mike
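
Added example (not part of the thread and not Guacamole project code): one way to get the `?key=abc-123` flow asked about above while keeping the data visible to the browser, as Mike's reply requires. A small service in front of Guacamole looks up the opaque key, builds short-lived JSON that is signed and encrypted following the procedure documented for the JSON auth extension (HMAC-SHA256 signature prepended, AES-128-CBC with an all-zero IV, base64), and answers with a redirect to `#/?data=...` instead of using `proxy_pass`. The secret key, keystore contents, base URL and function names are assumptions made for illustration.

```javascript
// Added example; all values below are constructed for illustration.
const crypto = require('node:crypto');

// Assumed 128-bit key as hex; must match json-secret-key on the Guacamole side.
const SECRET_KEY_HEX = '4c0b569e4c96df157eee1b65dd0e4d41';
const ZERO_IV = Buffer.alloc(16); // the documented procedure uses an all-zero IV

// Hypothetical keystore: opaque login key -> user identity and allowed connections.
const KEYSTORE = new Map([
  ['abc-123', { username: 'exampleuser', connections: {
    'My Desktop': { protocol: 'rdp', parameters: { hostname: 'desktop.example.internal', port: '3389' } } } }],
]);

// Sign (HMAC-SHA256), prepend the signature, encrypt (AES-128-CBC), base64-encode.
function encryptJson(payload, keyHex = SECRET_KEY_HEX) {
  const key = Buffer.from(keyHex, 'hex');
  const json = Buffer.from(JSON.stringify(payload), 'utf8');
  const sig = crypto.createHmac('sha256', key).update(json).digest();
  const cipher = crypto.createCipheriv('aes-128-cbc', key, ZERO_IV);
  return Buffer.concat([cipher.update(Buffer.concat([sig, json])), cipher.final()]).toString('base64');
}

// Inverse operation, useful for testing what was issued: decrypt, then verify the signature.
function decryptJson(data, keyHex = SECRET_KEY_HEX) {
  const key = Buffer.from(keyHex, 'hex');
  const decipher = crypto.createDecipheriv('aes-128-cbc', key, ZERO_IV);
  const plain = Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]);
  const sig = plain.subarray(0, 32);   // HMAC-SHA256 output is 32 bytes
  const json = plain.subarray(32);
  const expected = crypto.createHmac('sha256', key).update(json).digest();
  if (!crypto.timingSafeEqual(sig, expected)) throw new Error('bad signature');
  return JSON.parse(json.toString('utf8'));
}

// Turn ?key=... into a Location value the browser follows, so the webapp's
// client-side JavaScript sees "#/?data=...". Returns null for an unknown key.
function redirectFor(loginKey, baseUrl, now = Date.now(), ttlMs = 60_000) {
  const entry = KEYSTORE.get(loginKey);
  if (!entry) return null; // caller should answer 403 rather than redirect
  const data = encryptJson({ ...entry, expires: now + ttlMs });
  return `${baseUrl}/#/?data=${encodeURIComponent(data)}`;
}
```

The short `expires` window limits how long a URL captured from browser history or a log stays usable; the opaque key itself still needs to be treated as a credential.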
