HTTP Basic Authentication Properties

The HttpAuthenticationLoginModule provider authenticates the user with the given credentials (user name and password) against the secured Web server (SWS) by issuing a GET against a URL that requires basic authentication. It can also be configured to retrieve a cookie with the configured name and add it to the JAAS subject to facilitate single sign-on (SSO) or network edge authentication.

This provider can be configured for authenticating the user when:
  • using only the specified username/password
  • using only the specified client value(s)
  • first attempting token authentication and, if it fails, reverting to basic authentication using the supplied username/password. This can be helpful when the same security configuration is used both for users who authenticate with a token, such as device users hitting the network edge, and for DCN requests from within a firewall that present only the username/password but no token.
Note: The HttpAuthenticationLoginModule allows token validation by connecting to an HTTP server capable of validating the token specified in the HTTP header and cookie set in the session.
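The three modes above are selected by ClientHttpValuesToSend and TryBasicAuthIfTokenAuthFails, both described in the configuration options table on this page. The following added example (not code from the product) resolves the mode for a set of properties and lists the caveats this page attaches to risky or inapplicable settings. Holding the properties in a dict and the sample values are assumptions, and the plain-HTTP check is an addition based on how basic authentication works.

```python
# Added example, not product code. Keys are the option names from the
# table on this page; holding them in a dict is an assumption.
TOKEN_ONLY = ("SendClientHttpValuesAs", "TryBasicAuthIfTokenAuthFails",
              "UsernameHttpHeader", "regexForUsernameMatch",
              "TokenExpirationTimeHttpHeader", "TokenExpirationInterval")

def is_true(cfg, key):
    return str(cfg.get(key, "false")).strip().lower() == "true"

def auth_mode(cfg):
    """Which of the three documented modes the properties select."""
    if not cfg.get("ClientHttpValuesToSend"):
        return "basic-only"
    if is_true(cfg, "TryBasicAuthIfTokenAuthFails"):
        return "token-then-basic"
    return "token-only"

def review(cfg):
    """Return (mode, findings) for one provider configuration."""
    mode, out = auth_mode(cfg), []
    if is_true(cfg, "Disable certificate validation"):
        out.append("certificate validation is disabled (debugging only)")
    if str(cfg.get("URL", "")).lower().startswith("http://"):
        out.append("URL is plain HTTP: basic credentials cross the network unencrypted")
    if cfg.get("SSO cookie name"):
        out.append("SSO cookie configured: status code is ignored when the cookie is found")
    if mode == "basic-only":
        out += [f"{k} does not apply without token authentication"
                for k in TOKEN_ONLY if cfg.get(k)]
        return mode, out
    if not cfg.get("TokenExpirationTimeHttpHeader"):
        out.append("no TokenExpirationTimeHttpHeader: token may be used after expiry")
        if cfg.get("TokenExpirationInterval"):
            out.append("TokenExpirationInterval has nothing to deduct from")
    if cfg.get("regexForUsernameMatch") and not cfg.get("UsernameHttpHeader"):
        out.append("regexForUsernameMatch set but UsernameHttpHeader is not")
    return mode, out

# Constructed sample configuration (hypothetical host and names).
SAMPLE = {
    "URL": "https://sws.example.test/auth",
    "Disable certificate validation": "true",
    "ClientHttpValuesToSend": "client_cookie_name",
    "SendClientHttpValuesAs": "cookie:sso_token",
    "regexForUsernameMatch": "{username}",
}

if __name__ == "__main__":
    print(review(SAMPLE))
```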
HttpAuthenticationLoginModule configuration options
Configuration Option Default Value Description
URL None The HTTP(S) URL that authenticates the user. For single sign-on, this is the server URL from which Unwired Server acquires the SSO cookie/token.
Disable certificate validation False (Optional) The default is false. If set to true, disables certificate validation when establishing an HTTPS connection to the SWS using the configured URL. Set to true only for configuration debugging.
SSO cookie name None (Optional) The name of the cookie that is set in the session between the LoginModule and the SWS and holds the SSO token for single sign-on. The provider looks for this cookie in the connection to the SWS. If found, it is added to the authenticated subject as a named credential.

The authentication provider ignores the status code when an SSO cookie is found in the session. If the cookie is found, authentication succeeds regardless of the return status code.

Roles HTTP header None (Optional) The name of an HTTP header that the server may return. The header value contains a comma-separated list of roles to be granted.
Successful connection status code 200 HTTP status code interpreted as success when connection is established to the SWS.
HTTP connection timeout interval 1 minute The value, in seconds, after which an HTTP(S) connection request to the Web-based authentication service times out. If the HTTP connection made in this module (for either user authentication or configuration validation) does not have a timeout set and attempts to connect to a Web-based authentication service that is unresponsive, the connection hangs, which could potentially cause Unwired Server to hang. Setting the timeout interval ensures that authentication failure is reported without waiting forever for the server to respond.
SendClientHttpValuesAs None Comma-separated list of strings that indicate how the ClientHttpValuesToSend should be sent to the HTTP server. For example:

SendClientHttpValuesAs=header:header_name, cookie: cookie_name

Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
ClientHttpValuesToSend   A comma-separated list of client HTTP values that should be sent to the HTTP server. For example:

ClientHttpValuesToSend=client_personalization_key, client_cookie_name

This property should be set if token authentication is used.

Setting the property "ClientHttpValuesToSend" triggers token authentication. Unless TryBasicAuthIfTokenAuthFails is configured to true in conjunction with ClientHttpValuesToSend, only token authentication will be attempted.

Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
SendPasswordAsCookie None Sends the password to the URL as a cookie with this name. If not specified, the password is not sent in a cookie. This property is normally used when there is a cookie-based SSO mechanism in use (for example, SiteMinder), and the client has put an SSO token into the password. The token can be propagated from the personalization keys and HTTP header/cookies to the SWS without impacting the password field.
TryBasicAuthIfTokenAuthFails False Option that specifies if the provider should attempt basic authentication using the specified username/password credentials if token authentication is configured and it fails. This property is applicable only if token authentication is enabled.
Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
UsernameHttpHeader None HTTP response header name that is sent back by the HTTP server with the username retrieved from the token. The retrieved username is added as a SecNamePrincipal upon successful authentication.
Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
regexForUsernameMatch None Regular expression to use for matching the supplied username with the username returned by the HTTP server in the UsernameHttpHeader. The string "{username}" in the regex is replaced with the specified username before using it. If specified, it is used to match the username retrieved from the UsernameHttpHeader to the username specified in the callback handler. If they do not match, it results in authentication failure. If they match, both the specified username and the retrieved username are added as SecNamePrincipals to the authenticated subject.
Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
TokenExpirationTimeHttpHeader None HTTP response header name that is sent back by the HTTP server with the validity period of the token in milliseconds from the start of January 1, 1970. If the header is returned in the HTTP response from the SWS, the token is cached for the duration it remains valid unless TokenExpirationInterval is also configured. If this response header is not returned with the token, it might result in unintended use of the token attached to the authenticated context even after it has expired.
Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
TokenExpirationInterval 0 Property to specify the interval in milliseconds to be deducted from the actual expiration time returned in TokenExpirationTimeHttpHeader. This ensures that the token credential retrieved from the authenticated session remains valid until it is passed to the SWS for single sign-on to access MBOs.
Note: If the TokenExpirationTimeHttpHeader value returned by the SWS is less than the value configured for the TokenExpirationInterval property, it results in authentication failure.
Note: If the user should be authenticated only using the supplied username/password, then this property does not apply.
CredentialName None Name to set in the authentication credential that contains the token returned in SSOCookieName. If this property is not configured, the SSOCookieName is set as the name of the token credential.
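
As an added illustration (a simplified model, not the product's implementation), the following applies the response-handling rules from the table to a single SWS reply: SSO cookie versus status code, roles header, username matching, and token expiration. The order of the checks, escaping of the substituted username, whole-value regex matching, and all sample names and values are assumptions.

```python
import re

def evaluate(cfg, supplied_user, status, headers, cookies):
    """Return (ok, detail) for one SWS response. Added model, not product code."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    get = lambda opt: h.get(cfg.get(opt, "").lower())
    creds, principals = {}, [supplied_user]

    cookie = cfg.get("SSO cookie name")
    if cookie and cookie in cookies:
        # Documented: with the SSO cookie present the status code is ignored.
        creds[cfg.get("CredentialName") or cookie] = cookies[cookie]
    elif status != int(cfg.get("Successful connection status code", 200)):
        return False, f"status {status} is not the configured success code"

    header_user, rx = get("UsernameHttpHeader"), cfg.get("regexForUsernameMatch")
    if header_user:
        if rx:
            # Assumptions: the username is escaped and the whole value must match.
            pattern = rx.replace("{username}", re.escape(supplied_user))
            if not re.fullmatch(pattern, header_user):
                return False, "header username does not match supplied username"
        if header_user not in principals:
            principals.append(header_user)

    cache_until = None
    raw = get("TokenExpirationTimeHttpHeader")
    if raw is not None:
        interval = int(cfg.get("TokenExpirationInterval", 0))
        if int(raw) < interval:  # documented failure condition
            return False, "expiration time is less than TokenExpirationInterval"
        cache_until = int(raw) - interval  # epoch ms with the interval deducted

    roles = [r.strip() for r in (get("Roles HTTP header") or "").split(",") if r.strip()]
    return True, {"principals": principals, "roles": roles,
                  "credentials": creds, "cache_until_ms": cache_until}

# Constructed configuration and response (all names and values hypothetical).
CFG = {"SSO cookie name": "SSOTOKEN", "CredentialName": "sws-token",
       "Roles HTTP header": "X-Roles", "UsernameHttpHeader": "X-User",
       "regexForUsernameMatch": "{username}@example\\.test",
       "TokenExpirationTimeHttpHeader": "X-Expires", "TokenExpirationInterval": "60000"}
HEADERS = {"x-roles": "sales, admin", "X-User": "alice@example.test",
           "X-Expires": "1700000000000"}

if __name__ == "__main__":
    print(evaluate(CFG, "alice", 403, HEADERS, {"SSOTOKEN": "opaque-value"}))
```

In the sample call the reply carries status 403 yet is accepted because the SSO cookie is present, which is the behaviour the table documents for SSO cookie name; an SWS that sets that cookie on failed logins would therefore authenticate the user.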