Wiki source code of HTTP authentication requests towardshttp-util's HttpLoginService
Version 5.1 by christoph_lechleitner@iteg_at on 2013-02-02 05:17:43
| author | version | line-number | content |
|---|---|---|---|
| | 1.1 | 1 | === {{id name="HTTPloginservicebackend-requestsAPI-Motivation"/}}Motivation === |
| | | 2 | |
| | 2.1 | 3 | The http-util [[HttpLoginService>>url:http://svn.clazzes.org/svn/util/tags/http-util-1.1.0/src/main/java/org/clazzes/util/http/sec/HttpLoginService.java\|\|shape="rect"]] interface provides a means for registering various login mechanisms to be used by the gwt-sec library and by other libraries using OSGi/GWT. |
| | 1.1 | 4 | |
| | | 5 | There are implementations of HttpLoginService which use LDAP (gwt-ldap-login-service) or JAAS (gwt-jaas-login-service) for authentication. |
| | | 6 | |
| | | 7 | In order to allow for secure distributed authentication services with user-supplied backends, another HttpLoginService (gwt-http-login-service) will be implemented, which authenticates a user using a simple HTTPS request. |
| | | 8 | |
| | | 9 | === {{id name="HTTPloginservicebackend-requestsAPI-Authenticationrequest"/}}Authentication request === |
| | | 10 | |
| | | 11 | A request to an authentication URL is an HTTPS POST request: |
| | | 12 | |
| | | 13 | {{code}} |
| | | 14 | POST /my/authentication/service HTTP/1.1 |
| | | 15 | Host: auth.my.domain |
| | | 16 | Content-Type: application/x-www-form-urlencoded |
| | | 17 | |
| | | 18 | user=<user>&passwd=<passwd> |
| | | 19 | |
| | | 20 | {{/code}} |
| | | 21 | |
| | 2.1 | 22 | The user and password fields *must* not be transferred as GET variables, and the use of plain HTTP is strongly discouraged: an authentication service should always use HTTPS. |
| | 1.1 | 23 | |
| | | 24 | === {{id name="HTTPloginservicebackend-requestsAPI-AuthenticationResponse"/}}Authentication Response === |
| | | 25 | |
| | | 26 | An authentication service must respond to an authentication request with an HTTP response with |
| | | 27 | |
| | | 28 | {{code}} |
| | | 29 | Content-Type: text/plain; charset=utf-8 |
| | | 30 | |
| | | 31 | {{/code}} |
| | | 32 | |
| | | 33 | and one of the following status codes: |
| | | 34 | |
| | | 35 | {{code}} |
| | | 36 | 200 OK - successful authentication |
| | 3.1 | 37 | 403 Forbidden - if the user name or the password is wrong, or if no user and passwd field is given. |
| | 1.1 | 38 | 406 Not Acceptable - the status which will be returned after too many unsuccessful authentications. |
| | | 39 | |
| | | 40 | {{/code}} |
| | | 41 | |
| | 3.1 | 42 | (% style="color: rgb(0,0,0);" %)The body of the response *must* not contain more than 1024 bytes and should contain a short informational text message encoded in UTF-8. The text message will be logged by the gwt-http-login-service bundle and will not be displayed to the user. |
| | | 43 | |
| | | 44 | (% style="color: rgb(0,0,0);" %) (%%)The server may enforce the use of HTTP basic authentication in order to keep offending hosts from mounting dictionary attacks. |
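The request/response contract above, implemented in Python as an added example (not code from http-util or gwt-http-login-service): a backend handler that answers 200, 403 or 406 with a text/plain body of at most 1024 bytes, and the consumer-side check a caller like gwt-http-login-service would apply before trusting a reply. The credential store, the in-memory failure counter and the `MAX_FAILURES` lock-out threshold are assumptions; the page does not fix the number of attempts that triggers 406.

```python
import hmac
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed credential store for the example only; a real backend would
# verify against a hashed password store, never plain-text passwords.
USERS = {"alice": "correct horse"}
MAX_FAILURES = 3  # assumed lock-out threshold; the spec does not fix the number
_failures = defaultdict(int)  # in-memory per-user failure counter (assumption)


def _reply(status, text):
    """Build the (status, headers, body) triple the contract requires."""
    body = text.encode("utf-8")
    assert len(body) <= 1024, "response body is limited to 1024 bytes"
    return status, {"Content-Type": "text/plain; charset=utf-8"}, body


def handle_auth_request(method, content_type, body):
    """Backend side: answer one authentication request with 200, 403 or 406."""
    if method != "POST" or content_type != "application/x-www-form-urlencoded":
        return _reply(403, "credentials must be POSTed as form data")
    form = parse_qs(body, keep_blank_values=True)
    user = form.get("user", [None])[0]
    passwd = form.get("passwd", [None])[0]
    if user is None or passwd is None:
        return _reply(403, "missing user or passwd field")
    if _failures[user] >= MAX_FAILURES:
        return _reply(406, "too many unsuccessful authentications")
    expected = USERS.get(user)
    # compare_digest keeps the timing independent of where the strings differ
    if expected is not None and hmac.compare_digest(expected.encode(), passwd.encode()):
        _failures.pop(user, None)
        return _reply(200, "authentication successful")
    _failures[user] += 1
    return _reply(403, "wrong user name or password")


def parse_auth_response(status, headers, body):
    """Consumer side: accept only a conforming reply and return (ok, message)."""
    if headers.get("Content-Type", "").split(";")[0].strip() != "text/plain":
        raise ValueError("backend must answer with text/plain")
    if len(body) > 1024:
        raise ValueError("response body exceeds 1024 bytes")
    message = body.decode("utf-8")  # to be logged, never shown to the user
    if status == 200:
        return True, message
    if status in (403, 406):
        return False, message
    raise ValueError(f"unexpected status {status}")
```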