Wiki source code of HTTP authentication requests towardshttp-util's HttpLoginService
Version 6.1 by christoph_lechleitner@iteg_at on 2013-02-02 05.17:43
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | === {{id name="HTTPloginservicebackend-requestsAPI-Motivation"/}}Motivation === | ||
| 2 | |||
| 3 | The http-util [[HttpLoginService>>url:http://svn.clazzes.org/svn/util/tags/http-util-1.1.0/src/main/java/org/clazzes/util/http/sec/HttpLoginService.java||shape="rect"]] interface provides a means for registering various login mechanism to be uset by teh gwt-sec library and other using OSGi/GWT. | ||
| 4 | |||
| 5 | There are implementations of HttpLoginService, which use LDAP (gwt-ladp-login-service) or JAAS (gwt-jaas-login-service) for authentication. | ||
| 6 | |||
| 7 | In order to allow for secure distributed authentication services with user-supplied backends, another HttpLoginService (gwt-http-login-service) will be implemented, which authenticates a user using a simple HTTPS request. | ||
| 8 | |||
| 9 | === {{id name="HTTPloginservicebackend-requestsAPI-Authenticationrequest"/}}Authentication request === | ||
| 10 | |||
| 11 | A request to an authentication URL is a HTTPS POST request | ||
| 12 | |||
| 13 | {{code}} | ||
| 14 | POST /my/authentication/service HTTP/1.1 | ||
| 15 | Host: auth.my.domain | ||
| 16 | Content-Type: application/x-www-form-urlencoded | ||
| 17 | |||
| 18 | user=<user>&passwd=<passwd> | ||
| 19 | |||
| 20 | {{/code}} | ||
| 21 | |||
| 22 | The user and password fields *must* not be tranferred as GET variables and the use of plain HTTP is strongly discouraged, an authentication service should always use HTTPS. | ||
| 23 | |||
| 24 | === {{id name="HTTPloginservicebackend-requestsAPI-AuthenticationResponse"/}}Authentication Response === | ||
| 25 | |||
| 26 | An authentication must respond to an authentication request with an HTTP response with | ||
| 27 | |||
| 28 | {{code}} | ||
| 29 | Content-Type: text/plain; charset=utf-8 | ||
| 30 | |||
| 31 | {{/code}} | ||
| 32 | |||
| 33 | and on of the following status codes: | ||
| 34 | |||
| 35 | {{code}} | ||
| 36 | 200 OK - successful authentication | ||
| 37 | 403 Forbidden - if the user name or the password is wrong or no user and passwd field ist given. | ||
| 38 | 406 Not Acceptable - The status, which will be returned after to many unsuccessful authentications. | ||
| 39 | |||
| 40 | {{/code}} | ||
| 41 | |||
| 42 | (% style="color: rgb(0,0,0);" %)The body of the response *must* no contain more than 1024 bytes and should contain a short, information text message encoded in UTF-8. The text message will be logged by the gwt-http-login-service bundle and will not be displayed to the user. | ||
| 43 | |||
| 44 | (% style="color: rgb(0,0,0);" %) (%%)The server may enforce the use of HTTP basic authentication in order to keep offending servers away from dictionary attacks. |