Front-end - Back-end interaction:
Logic-flow:
Basic HybridRealm authentication: the PASOE validates the provided credentials (username and password) directly through HybridRealm, using the ISwatAuthenticationService.
Front-end - Back-end interaction:
Logic-flow:
- The client sends a POST request with AD credentials to the "/web/Login/Login.html" access point on the PASOE (swat-backend).
- PASOE forwards the AD credentials to "/auth/ad/login" on the NodeJS service (node-main).
- NodeJS handles AD authentication using passport with the passport-ldapauth strategy, then responds with ssoSessionId and ssoUserId.
- PASOE passes the ssoSessionId and ssoUserId back to the client.
- The client logs in to PASOE with ssoUserId and ssoSessionId, through HybridRealm.
- PASOE HybridRealm handles the login using ISwatAuthenticationService, which sends a POST request with ssoSessionId and ssoUserId to "/sessions" on the NodeJS service.
- NodeJS responds to PASOE with the session's validity.
- PASOE finalizes the authentication process.
- The client is authenticated.
In order to use HybridRealm as the authentication provider of spring.security, the following configuration settings must be set:
oeablSecurity.properties
- http.all.authmanager - Authentication manager to use, in our case: oerealm
- client.login.model - Authentication model to use, in our case: form
- OERealm.UserDetails.realmClass - OERealm (HybridRealm) class to use, in our case: Akioma.Security.HybridRealm
Unauthenticated routes
To define routes that do not require authentication, modify the oeablSecurity.csv configuration file and set the desired URIs to permitAll():
Example for LoginWebHandler /web/Login/ routes:
```
# "url-pattern","<method>","<spring-access-expression>"
# Permit unauthenticated access to /web/Login/**
"/web/Login/**","*","permitAll()"
# Authentication for /web/**
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
# Best practice - deny anything not explicitly granted
"/**","*","denyAll()"
```
Note: to override access for a specific sub-route, place the override rule before the parent rule. Example: the /web/Login sub-route rule overrides the /web rule, so it is set before it.
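The ordering rule above can be checked mechanically. The following is an added example, not code from the page or from the Akioma project: it parses oeablSecurity.csv rules, resolves the first matching rule for a request (an Ant-style pattern matcher approximated with regular expressions, which is an assumption about PASOE's matching), and flags rules that an earlier, broader rule shadows, which is exactly what happens when /web/** is listed before /web/Login/**.

```javascript
// Constructed sample of the oeablSecurity.csv rules discussed above.
const SAMPLE_CSV = `# "url-pattern","<method>","<spring-access-expression>"
"/web/Login/**","*","permitAll()"
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
"/**","*","denyAll()"`;

// Parse CSV rule lines, skipping comments and blank lines.
function parseRules(csv) {
  return csv.split('\n').map(l => l.trim())
    .filter(l => l && !l.startsWith('#'))
    .map(l => {
      const m = l.match(/^"([^"]*)","([^"]*)","(.*)"$/);
      if (!m) throw new Error('bad rule line: ' + l);
      return { pattern: m[1], method: m[2], access: m[3] };
    });
}

// Approximation of Ant-style patterns: ** spans segments, * and ? stay within one.
function patternToRegex(p) {
  let re = '';
  for (let i = 0; i < p.length; i++) {
    if (p.startsWith('**', i)) { re += '.*'; i++; }
    else if (p[i] === '*') re += '[^/]*';
    else if (p[i] === '?') re += '[^/]';
    else re += p[i].replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

// First matching rule wins; returns null when no rule matches.
function resolveAccess(rules, method, url) {
  const path = url.split('?')[0];
  for (const r of rules) {
    const methodOk = r.method === '*' || r.method.toUpperCase() === method.toUpperCase();
    if (methodOk && patternToRegex(r.pattern).test(path)) return r.access;
  }
  return null;
}

// A later rule is shadowed if an earlier any-method rule already matches a
// representative path of it (wildcards replaced by a literal segment "x").
function shadowedRules(rules) {
  return rules.filter((r, j) => {
    const probe = r.pattern.replace(/\*+|\?/g, 'x');
    return rules.slice(0, j).some(e => e.method === '*' && patternToRegex(e.pattern).test(probe));
  }).map(r => r.pattern);
}
```

Running `shadowedRules` over a deployment's oeablSecurity.csv before restarting PASOE catches a permitAll() login route that a broader rule would silently turn into a role-protected one.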