...
Front-end - Back-end interaction:
Logic-flow:
Basic HybridRealm authentication. The PASOE validates the provided credentials (username & password) directly, through HybridRealm, using the ISwatAuthenticationService.
...
Front-end - Back-end interaction:
Logic-flow:
- The client sends a POST request with AD credentials to the "/web/Login/Login.html" access-point on the PASOE (swat-backend).
- PASOE forwards the AD credentials to "/auth/ad/login" on NodeJS (node-main).
- NodeJS handles AD authentication using passport with the passport-ldapauth strategy, then responds with ssoSessionId & ssoUserId.
- PASOE passes the ssoSessionId & ssoUserId back to the client.
- The client logs in to PASOE, with ssoUserId & ssoSessionId, through HybridRealm.
- PASOE HybridRealm handles the login using ISwatAuthenticationService, which sends a POST request with ssoSessionId & ssoUserId to "/sessions" on NodeJS.
- NodeJS responds to PASOE with the session's validity.
- PASOE finalizes the authentication process.
- Client is authenticated.
...
To define routes that do not require authentication and bypass HybridRealm altogether, modify the oeablSecurity.csv configuration file and set the desired URIs to permitAll():
Example for the LoginWebHandler /web/Login/ routes:
```
# "url-pattern","<method>","<spring-access-expression>"

# Permit unauthenticated access to /web/Login/**
"/web/Login/**","*","permitAll()"

# Authentication for /web/**
"/web/**","*","hasAnyRole('ROLE_PSCUser')"

# Best practice - deny anything not explicitly granted
"/**","*","denyAll()"
```
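The rule order in this file decides which URIs are reachable without authentication. The checker below is an added example, not part of the original page or of the product: it resolves which rule applies to a request and flags rules that an earlier, broader pattern makes unreachable. It assumes first-match-wins evaluation as in Spring Security intercept-url rules, uses a simplified Ant-style matcher, and its function names (`parse_rules`, `matches`, `decide`, `audit`) are hypothetical.

```python
import csv
import re

# Constructed sample: the three rules shown on the page.
SAMPLE = """\
# "url-pattern","<method>","<spring-access-expression>"
"/web/Login/**","*","permitAll()"
"/web/**","*","hasAnyRole('ROLE_PSCUser')"
"/**","*","denyAll()"
"""

def parse_rules(text):
    """Return (pattern, method, expression) tuples, skipping comments and blanks."""
    rows = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [tuple(f.strip() for f in r) for r in csv.reader(rows) if len(r) == 3]

def matches(pattern, path):
    """Simplified Ant-style match: '**' spans segments, '*' stays inside one."""
    rx = re.escape(pattern).replace(r"/\*\*", "(/.*)?")
    rx = rx.replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, path) is not None

def decide(rules, method, path):
    """First matching rule wins (assumption); this example denies on no match."""
    for pattern, rule_method, expr in rules:
        if rule_method in ("*", method.upper()) and matches(pattern, path):
            return expr
    return "denyAll()"

def audit(rules):
    """Flag a missing catch-all deny and rules shadowed by an earlier, broader one."""
    findings = []
    if not rules or rules[-1] != ("/**", "*", "denyAll()"):
        findings.append("last rule is not the catch-all denyAll()")
    for i, (pattern, method, expr) in enumerate(rules):
        probe = pattern.replace("**", "x").replace("*", "x")  # one path the rule should own
        for earlier, e_method, e_expr in rules[:i]:
            if e_method in ("*", method) and e_expr != expr and matches(earlier, probe):
                findings.append(f"{pattern} ({expr}) is shadowed by {earlier} ({e_expr})")
                break
    return findings

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print(decide(rules, "POST", "/web/Login/Login.html"))
    print(audit(rules))
```

Running `audit` after every change to oeablSecurity.csv catches both a login route that has become unreachable and a broad permitAll() placed ahead of a role-protected pattern.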
...