Build.One Documentation
Page tree

Versions Compared

Old Version 28

changes.mady.by.user Cosmin Ichim

Saved on

compared with

New Version Current

changes.mady.by.user Cosmin Ichim

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Front-end - Back-end interaction:

 

Logic-flow:

Image Added

 

Basic HybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, through HybridRealm, using the ISwatAuthenticationService.

...

Front-end - Back-end interaction:

 

 

Logic-flow:



  1. The client sends POST request with AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).
  2. PASOE forwards AD credentials to the "/auth/ad/login" on the NodeJS (node-main).
  3. NodeJS handles AD authentication, using passport with passport-ldapauth strategy. Then responds with ssoSessionId & ssoUserId.
  4. PASOES passes back to Client the ssoSessionId & ssoUserId.
  5. Client logins into PASOE, with ssoUserId & ssoSessionId, through HybridRealm.
  6. PASOE HybridRealm handles login using ISwatAuthenticationService, which sends POST request to "/sessions", with ssoSessionId & ssoUserId, on the NodeJS.
  7. NodeJs responds back to PASOE with the session's validity.
  8. PASOE finalizes authentication process.
  9. Client is authenticated.

...

In order to use HybridRealm as the authentication provider of spring.security, the following configuration settings must be set:

...

oeablSecurity.properties

...

  • http.all.authmanager - Authentication manager to use, in our case: oerealm
  • client.login.model - Authentication model to use, in our case: form
  • OERealm.UserDetails.realmClass - OERealm (HybridRealm) class to use, in our case: Akioma.Security.HybridRealm 

Unauthenticated routes

To define routes that do not require authentication, modify the oeablSecurity.csv configuration file and set the desired URIs to permitAll():

Example for LoginWebHandler /web/Login/ routes:

Code Block
languagetext
titleoeablSecurity.csv
# "url-pattern","<method>","<spring-access-expression>"
??
# AuthenticationPermit unauthenticated modelaccess to use, in our case: form
client.login.model=form /web/Login/**
"/web/Login/**","*","permitAll()"
??
# Authentication for /web/**
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
??
# HybridRealmBest classpractice to- use,deny inanything ournot case: Akioma.Security.HybridRealm
OERealm.UserDetails.realmClass=Akioma.Security.HybridRealm
??
??explicitly granted
"/**","*","denyAll()"


Note: To override access for a specific/sub-route: have the override setting before the parent setting. Example: /web/Login sub-route config overrides /web route config, thus it is set before.

 

Anchor
AllowedAuthentication
AllowedAuthentication
Enable/Disable authentication methods

...