Wiki source code of HTTP authentication requests
Version 1.1 by wolfgang_glas@iteg_at on 2011-12-23 03.18:30
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | === {{id name="HTTPloginservicebackend-requestsAPI-Motivation"/}}Motivation === |
| 2 | |||
| 3 | The http-util [[HttpLoginService>>url:http://svn.clazzes.org/svn/util/tags/http-util-1.1.0/src/main/java/org/clazzes/util/http/sec/HttpLoginService.java]] interface provides a means for registering various login mechanism to be uset by teh gwt-sec library and other using OSGi/GWT. | ||
| 4 | |||
| 5 | There are implementations of HttpLoginService, which use LDAP (gwt-ladp-login-service) or JAAS (gwt-jaas-login-service) for authentication. | ||
| 6 | |||
| 7 | In order to allow for secure distributed authentication services with user-supplied backends, another HttpLoginService (gwt-http-login-service) will be implemented, which authenticates a user using a simple HTTPS request. | ||
| 8 | |||
| 9 | === {{id name="HTTPloginservicebackend-requestsAPI-Authenticationrequest"/}}Authentication request === | ||
| 10 | |||
| 11 | A request to an authentication URL is a HTTPS POST request | ||
| 12 | |||
| 13 | {{code}} | ||
| 14 | |||
| 15 | POST /my/authentication/service HTTP/1.1 | ||
| 16 | Host: auth.my.domain | ||
| 17 | Content-Type: application/x-www-form-urlencoded | ||
| 18 | |||
| 19 | user=<user>&passwd=<passwd> | ||
| 20 | |||
| 21 | {{/code}} | ||
| 22 | |||
| 23 | The user and password fields must not be tranferred as GET variables and the use of plain HTTP is strongly discouraged, an authentication service should always use HTTPS. | ||
| 24 | |||
| 25 | === {{id name="HTTPloginservicebackend-requestsAPI-AuthenticationResponse"/}}Authentication Response === | ||
| 26 | |||
| 27 | An authentication must respond to an authentication request with an HTTP response with | ||
| 28 | |||
| 29 | {{code}} | ||
| 30 | |||
| 31 | Content-Type: text/plain; charset=utf-8 | ||
| 32 | |||
| 33 | {{/code}} | ||
| 34 | |||
| 35 | and on of the following status codes: | ||
| 36 | |||
| 37 | {{code}} | ||
| 38 | |||
| 39 | 200 OK - successful authentication | ||
| 40 | 401 Unauthorized - if no user and passwd fields are given in the POST data. | ||
| 41 | 403 Forbidden - if the user name or the password is wrong. | ||
| 42 | 406 Not Acceptable - The status, which will be returned after to many unsuccessful authentications. | ||
| 43 | |||
| 44 | {{/code}} | ||
| 45 | |||
| 46 | {{color value="#000000"}} | ||
| 47 | The body of the response \*must\* no contain more than 1024 bytes and should contain a short, information text message encoded in UTF-8. The text message will be logged by the gwt-http-login-service bundle and will not be displayed to the user. | ||
| 48 | {{/color}} | ||
| 49 | |||
| 50 | \\ |