The HttpAuthenticationLoginModule provider authenticates the user with the given credentials (user name and password) against the secured Web server (SWS) by issuing a GET against a URL that requires basic authentication. It can also be configured to retrieve a cookie with the configured name and add it to the JAAS subject to facilitate single sign-on (SSO) or network edge authentication.
Configuration Option | Default Value | Description |
---|---|---|
URL | None | The HTTP(S) URL that authenticates the user. For single sign-on, this is the server URL from which Unwired Server acquires the SSO cookie/token. |
Disable certificate validation | False | (Optional) The default is false. If set to true, disables certificate validation when establishing an HTTPS connection to the SWS using the configured URL. Set to true only for configuration debugging. |
SSO cookie name | None | (Optional) The name of the cookie that is set in the session between the LoginModule and the SWS and holds the SSO token for single sign-on. The provider looks for this cookie in the connection to the SWS. If found, it is added to the authenticated subject as a named credential. The authentication provider ignores the status code when an SSO cookie is found in the session. If the cookie is found, authentication succeeds regardless of the return status code. |
Roles HTTP header | None | (Optional) The name of an HTTP header that the server may return. The header value contains a comma-separated list of roles to be granted. |
Successful connection status code | 200 | HTTP status code interpreted as success when connection is established to the SWS. |
HTTP connection timeout interval | 1 minute | The value, in seconds, after which an HTTP(S) connection request to the Web-based authentication service times out. If the HTTP connection made in this module (for either user authentication or configuration validation) does not have a timeout set and attempts to connect to a Web-based authentication service that is unresponsive, the connection hangs, which could cause Unwired Server to hang. Setting the timeout interval ensures that authentication failure is reported without waiting indefinitely for the server to respond. |
SendClientHttpValuesAs | None | Comma-separated list of strings that indicate how the ClientHttpValuesToSend should be sent to the HTTP server. For example: SendClientHttpValuesAs=header:header_name, cookie: cookie_name Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
ClientHttpValuesToSend | | A comma-separated list of client HTTP values that should be sent to the HTTP server. For example: ClientHttpValuesToSend=client_personalization_key, client_cookie_name This property should be set if token authentication is used. Setting the property "ClientHttpValuesToSend" triggers token authentication. Unless TryBasicAuthIfTokenAuthFails is configured to true in conjunction with ClientHttpValuesToSend, only token authentication will be attempted. Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
SendPasswordAsCookie | None | Sends the password to the URL as a cookie with this name. If not specified, the password is not sent in a cookie. This property is normally used when there is a cookie-based SSO mechanism in use (for example, SiteMinder), and the client has put an SSO token into the password. The token can be propagated from the personalization keys and HTTP header/cookies to the SWS without impacting the password field. |
TryBasicAuthIfTokenAuthFails | False | Option that specifies if the provider should attempt basic authentication using the specified username/password credentials if token authentication is configured and it fails. This property is applicable only if token authentication is enabled. Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
UsernameHttpHeader | None | HTTP response header name that is sent back by the HTTP server with the username retrieved from the token. The retrieved username is added as a SecNamePrincipal upon successful authentication. Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
regexForUsernameMatch | None | Regular expression to use for matching the supplied username with the username returned by the HTTP server in the UsernameHttpHeader. The string "{username}" in the regex is replaced with the specified username before using it. If specified, it is used to match the username retrieved from the UsernameHttpHeader to the username specified in the callback handler. If they do not match, it results in authentication failure. If they match, both the specified username and the retrieved username are added as SecNamePrincipals to the authenticated subject. Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
TokenExpirationTimeHttpHeader | None | HTTP response header name that is sent back by the HTTP server with the validity period of the token in milliseconds from the start of January 1, 1970. If the header is returned in the HTTP response from the SWS, the token is cached for the duration it remains valid unless TokenExpirationInterval is also configured. If this response header is not returned with the token, it might result in unintended use of the token attached to the authenticated context even after it has expired. Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
TokenExpirationInterval | 0 | Property to specify the interval in milliseconds to be deducted from the actual expiration time returned in TokenExpirationTimeHttpHeader. This ensures that the token credential retrieved from the authenticated session remains valid until it is passed to the SWS for single sign-on to access MBOs. Note: If the TokenExpirationTimeHttpHeader value returned by the SWS is less than the value configured for the TokenExpirationInterval property, it results in authentication failure. Note: If the user should be authenticated only using the supplied username/password, then this property does not apply. |
CredentialName | None | Name to set in the authentication credential that contains the token returned in SSOCookieName. If this property is not configured, the SSOCookieName is set as the name of the token credential. |
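
The options above interact: a found SSO cookie bypasses the status code check, the username regex can still reject the login, and the expiration interval shortens how long the token is cached. The following Python model of those rules for a single SWS response is an added example, not code from the product. The keys `success_status_code` and `roles_http_header`, the header names and the sample values are hypothetical, and regex-escaping the supplied username and whole-string matching are assumptions the table does not state.

```python
import re

def evaluate(cfg, supplied_user, status, headers, cookies):
    """Apply the table's rules to one SWS response; returns a result dict."""
    res = {"ok": False, "reason": "", "principals": [], "roles": [],
           "credential": None, "cache_until_ms": None}
    cookie_name = cfg.get("SSOCookieName")
    token = cookies.get(cookie_name) if cookie_name else None
    # A found SSO cookie wins: the status code is not consulted at all.
    if token is None and status != cfg.get("success_status_code", 200):
        res["reason"] = "status %d" % status
        return res
    principals = [supplied_user]
    returned = headers.get(cfg.get("UsernameHttpHeader") or "")
    if returned:
        principals = [returned]          # assumption when no regex is set
        pattern = cfg.get("regexForUsernameMatch")
        if pattern:
            # Assumptions: supplied name is regex-escaped, whole string must match.
            pattern = pattern.replace("{username}", re.escape(supplied_user))
            if not re.fullmatch(pattern, returned):
                res["reason"] = "username mismatch"
                return res
            principals = [supplied_user, returned]
    expiry = headers.get(cfg.get("TokenExpirationTimeHttpHeader") or "")
    if token is not None and expiry is not None:
        interval = int(cfg.get("TokenExpirationInterval", 0))
        if int(expiry) < interval:       # failure case as the table states it
            res["reason"] = "expiry below interval"
            return res
        res["cache_until_ms"] = int(expiry) - interval
    if token is not None:
        res["credential"] = (cfg.get("CredentialName") or cookie_name, token)
    roles = headers.get(cfg.get("roles_http_header") or "", "")
    res["roles"] = [r.strip() for r in roles.split(",") if r.strip()]
    res.update(ok=True, principals=principals)
    return res

# Constructed sample configuration and response (not from a real deployment).
CFG = {"SSOCookieName": "SSOTOKEN", "UsernameHttpHeader": "X-Auth-User",
       "regexForUsernameMatch": r"^{username}(@example\.test)?$",
       "TokenExpirationTimeHttpHeader": "X-Token-Expires",
       "TokenExpirationInterval": 60000, "roles_http_header": "X-Roles"}
HEADERS = {"X-Auth-User": "alice@example.test", "X-Roles": "sales, admin",
           "X-Token-Expires": "1700000600000"}

if __name__ == "__main__":
    print(evaluate(CFG, "alice", 403, HEADERS, {"SSOTOKEN": "constructed-token"}))
    print(evaluate(CFG, "alice", 403, HEADERS, {}))
```

The first call succeeds despite the 403 because the SSO cookie is present, which is why the SWS URL used for SSO should only ever set that cookie after it has validated the caller.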