Wiki source code of HTTP authentication API NG
Version 1.1 by christoph_lechleitner@iteg_at on 2012-09-21 11.47:16
| author | version | line-number | content |
|---|---|---|---|
| 1 | === {{id name="HTTPauthenticationAPING-Motivation"/}}Motivation === | ||
| 2 | |||
| 3 | {{code language="none"}}org.clazzes.login.http{{/code}} is the HTTP-based implementation of [[DomainPasswordLoginService>>confluencePage:page:LOGIN.(HTTP)Login Service NG: DomainPasswordLoginService]]. | ||
| 4 | |||
| 5 | While the old [[HTTP authentication request>>confluencePage:page:LOGIN.HTTP authentication requests]] is sufficient for user/password checks, new optional features like group membership queries require new handshakes for the HTTP backend API. | ||
| 6 | |||
| 7 | This document specifies the next-gen HTTP authentication API. | ||
| 8 | |||
| 9 | === {{id name="HTTPauthenticationAPING-BasicRequestpattern"/}}Basic Request pattern === | ||
| 10 | |||
| 11 | A request to an authentication URL is an HTTPS POST request like this: | ||
| 12 | |||
| 13 | {{code}} | ||
| 14 | POST /my/authentication/service HTTP/1.1 | ||
| 15 | Host: auth.my.domain | ||
| 16 | Content-Type: application/x-www-form-urlencoded | ||
| 17 | |||
| 18 | [op=<op>&]param1=<value1>&param2=<value2> | ||
| 19 | |||
| 20 | {{/code}} | ||
| 21 | |||
| 22 | {{code language="none"}}<op>{{/code}} is the operation requested, usually the name of the method in [[DomainPasswordLoginService.java>>url:https://svn.clazzes.org/svn/util/trunk/clazzes-util/src/main/java/org/clazzes/util/sec/DomainPasswordLoginService.java||shape="rect"]]. | ||
| 23 | |||
| 24 | To provide backwards compatibility, the op parameter is optional and defaults to {{code language="none"}}tryLogin{{/code}}. | ||
| 25 | |||
| 26 | See below for examples. | ||
| 27 | |||
| 28 | === {{id name="HTTPauthenticationAPING-BasicResponsepattern"/}}Basic Response pattern === | ||
| 29 | |||
| 30 | Every authentication request is answered with an HTTP response with | ||
| 31 | |||
| 32 | {{code}} | ||
| 33 | Content-Type: text/plain; charset=utf-8 | ||
| 34 | |||
| 35 | {{/code}} | ||
| 36 | |||
| 37 | and one of the following status codes: | ||
| 38 | |||
| 39 | {{code}} | ||
| 40 | 200 OK - login is ok, or other operation was completed successfully | ||
| 41 | 403 Forbidden - the login is invalid or the operation is not permitted | ||
| 42 | 406 Not Acceptable - too many unsuccessful authentications, or other reason to suspect a brute force attack | ||
| 43 | |||
| 44 | {{/code}} | ||
| 45 | |||
| 46 | The response body must not be empty; its content is specified separately for each operation. | ||
| 47 | |||
| 48 | The server may enforce the use of HTTP basic authentication in order to keep offending servers from mounting dictionary attacks. | ||
| 49 | |||
| 50 | === {{id name="HTTPauthenticationAPING-Authenticationoperation:tryLogin"/}}Authentication operation: tryLogin === | ||
| 51 | |||
| 52 | Request body (new format, preferred): | ||
| 53 | |||
| 54 | {{code}} | ||
| 55 | op=tryLogin&user=<user>&passwd=<passwd> | ||
| 56 | |||
| 57 | {{/code}} | ||
| 58 | |||
| 59 | Request body in old format, supported for backward compatibility reasons: | ||
| 60 | |||
| 61 | {{code}} | ||
| 62 | user=<user>&passwd=<passwd> | ||
| 63 | {{/code}} | ||
| 64 | |||
| 65 | Response body: | ||
| 66 | |||
| 67 | Non-empty information text encoded in UTF-8, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 68 | |||
| 69 | === {{id name="HTTPauthenticationAPING-Furtheroperations:TBD"/}}Further operations: TBD === | ||
| 70 | |||
| 71 | | ||
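The tryLogin exchange from the request and response sections above, modelled as an added example in Python (it is not code from the clazzes.org project and does not use its Java API): the client builds the form body in either format, the server decodes it with `op` defaulting to `tryLogin`, maps the outcome to 200/403/406 while keeping the body non-empty and within 1024 bytes, and the client validates the response shape before trusting the status. `check_password` is an assumed callback into a credential store and `LOCKOUT_THRESHOLD` is an assumed value, since the spec does not define what "too many" attempts means.

```python
from urllib.parse import urlencode, parse_qs

MAX_BODY_BYTES = 1024      # response-body limit stated in the spec
LOCKOUT_THRESHOLD = 5      # assumed; the spec does not fix what "too many" means


def build_request_body(user, passwd, legacy=False):
    """Client side: form-encode a tryLogin request. urlencode escapes '&' and '='
    inside the password so they cannot be read as field separators."""
    fields = {} if legacy else {"op": "tryLogin"}   # the old format omits op
    fields.update({"user": user, "passwd": passwd})
    return urlencode(fields)


def parse_request_body(body):
    """Server side: decode the form body; a missing op defaults to tryLogin."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    fields.setdefault("op", "tryLogin")
    return fields


def handle_request(body, check_password, failures):
    """Server side: return (status, text). check_password(user, passwd) is an
    assumed callback into the real credential store; failures counts consecutive
    failed logins per user and drives the 406 brute-force response."""
    req = parse_request_body(body)
    if req["op"] != "tryLogin":                      # only tryLogin is specified so far
        return 403, "operation %s not permitted" % req["op"]
    user, passwd = req.get("user", ""), req.get("passwd", "")
    if failures.get(user, 0) >= LOCKOUT_THRESHOLD:
        return 406, "too many unsuccessful authentications for %s" % user
    if not user or not check_password(user, passwd):
        failures[user] = failures.get(user, 0) + 1
        return 403, "login invalid for user %s" % user
    failures.pop(user, None)
    text = "login ok for user %s" % user
    # the body must be non-empty and at most 1024 bytes of UTF-8
    return 200, text.encode("utf-8")[:MAX_BODY_BYTES].decode("utf-8", "ignore")


def interpret_response(status, content_type, text):
    """Client side: check the response shape before acting on the status code."""
    if not content_type.lower().startswith("text/plain"):
        raise ValueError("unexpected Content-Type %r" % content_type)
    if not text or len(text.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("response body empty or longer than %d bytes" % MAX_BODY_BYTES)
    outcome = {200: "ok", 403: "denied", 406: "throttled"}
    if status not in outcome:
        raise ValueError("status %d is not part of the API" % status)
    return outcome[status]
```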