Wiki source code of HTTP authentication API NG
Version 4.1 by christoph_lechleitner@iteg_at on 2012-11-08 06.51:11
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
2.1 | 1 | == {{id name="HTTPauthenticationAPING-Motivation"/}}Motivation == |
| |
1.1 | 2 | |
| 3 | {{code language="none"}}org.clazzes.login.http{{/code}} is a the HTTP based implementation of [[DomainPasswordLoginService>>confluencePage:page:LOGIN.(HTTP)Login Service NG: DomainPasswordLoginService]]. | ||
| 4 | |||
| 5 | While the old [[HTTP authentication request>>confluencePage:page:LOGIN.HTTP authentication requests]] is satisfying for user/password checks, new optional features like group membership queries require new handshakes for the HTTP backend API. | ||
| 6 | |||
| 7 | This document speficies the next-gen HTTP authentication API. | ||
| 8 | |||
| |
2.1 | 9 | == {{id name="HTTPauthenticationAPING-Contents"/}}Contents == |
| |
1.1 | 10 | |
| |
2.1 | 11 | {{toc depth="4" start="2"/}} |
| 12 | |||
| 13 | == {{id name="HTTPauthenticationAPING-BasicHandshakePattern"/}}Basic Handshake Pattern == | ||
| 14 | |||
| 15 | ==== {{id name="HTTPauthenticationAPING-BasicRequestPattern"/}}Basic Request Pattern ==== | ||
| 16 | |||
| |
1.1 | 17 | A request to an authentication URL is a HTTPS POST request like this: |
| 18 | |||
| 19 | {{code}} | ||
| 20 | POST /my/authentication/service HTTP/1.1 | ||
| 21 | Host: auth.my.domain | ||
| 22 | Content-Type: application/x-www-form-urlencoded | ||
| 23 | |||
| |
2.1 | 24 | op=<op>¶m1=<value1>¶m2=<value2> |
| |
1.1 | 25 | |
| 26 | {{/code}} | ||
| 27 | |||
| 28 | {{code language="none"}}<op>{{/code}} is the operation requested, usually the name of the method in [[DomainPasswordLoginService.java>>url:https://svn.clazzes.org/svn/util/trunk/clazzes-util/src/main/java/org/clazzes/util/sec/DomainPasswordLoginService.java||shape="rect"]]. | ||
| 29 | |||
| |
2.1 | 30 | To provide backwards compatibility, the {{code language="none"}}op{{/code}} parameter is optional and defaults to {{code language="none"}}tryLogin{{/code}}. |
| |
1.1 | 31 | |
| |
2.1 | 32 | See below for detailed examples. |
| |
1.1 | 33 | |
| |
2.1 | 34 | ==== {{id name="HTTPauthenticationAPING-BasicResponsepattern"/}}Basic Response pattern ==== |
| |
1.1 | 35 | |
| 36 | Every respond to an authentication request is answered with a HTTP response with | ||
| 37 | |||
| 38 | {{code}} | ||
| 39 | Content-Type: text/plain; charset=utf-8 | ||
| 40 | |||
| 41 | {{/code}} | ||
| 42 | |||
| 43 | and on of the following status codes: | ||
| 44 | |||
| 45 | {{code}} | ||
| 46 | 200 OK - login is ok, or other operation was completed successfully | ||
| 47 | 403 Forbidden - the login is invalid or the operation is not permitted | ||
| |
2.1 | 48 | 404 Not found - if a user could not be found during a search operation |
| |
1.1 | 49 | 406 Not Acceptable - too many unsuccessful authentications, or other reason to suspect a brute force attack |
| 50 | |||
| 51 | {{/code}} | ||
| 52 | |||
| |
2.1 | 53 | (% style="color: rgb(0,0,0);" %)The response body must not be empty and must be UTF-8 encoded, it's content is specified differently for each operation. |
| |
1.1 | 54 | |
| |
2.1 | 55 | (% style="color: rgb(0,0,0);" %)For most operations the reponse is either |
| |
1.1 | 56 | |
| |
2.1 | 57 | * (% style="color: rgb(0,0,0);" %)a short message for logging (not more than 1024 bytes) |
| 58 | * (% style="color: rgb(0,0,0);" %)or a list of values separated by '{{code language="none"}},{{/code}}' | ||
| 59 | * (% style="color: rgb(0,0,0);" %)or '{{code language="none"}}-{{/code}}' for "empty list"/"no data" | ||
| |
4.1 | 60 | * (% style="color: rgb(0,0,0);" %)or '{{code language="none"}}--{{/code}}' for "not supported by backend" |
| |
1.1 | 61 | |
| |
2.1 | 62 | The server may enforce the use of HTTP basic authentication in order to keep offending servers away from dictionary attacks. |
| 63 | |||
| |
4.1 | 64 | ===== {{id name="HTTPauthenticationAPING-JSONvariant"/}}JSON variant ===== |
| 65 | |||
| 66 | A backend may support to return the response in the form of small JSON documents. | ||
| 67 | |||
| 68 | To trigger json response, add the parameter {{code language="none"}}json=1{{/code}} to the request, like this: | ||
| 69 | |||
| 70 | {{code}} | ||
| 71 | POST /my/authentication/service HTTP/1.1 | ||
| 72 | Host: auth.my.domain | ||
| 73 | Content-Type: application/x-www-form-urlencoded | ||
| 74 | |||
| 75 | op=<op>&json=1¶m1=<value1>¶m2=<value2> | ||
| 76 | {{/code}} | ||
| 77 | |||
| 78 | To explicitly disable JSON response, use {{code language="none"}}json=0{{/code}} instead. | ||
| 79 | |||
| 80 | Backends might choose to support only one variant, only with or only without JSON response. | ||
| 81 | |||
| 82 | With JSON reponses on, the repsonse is either | ||
| 83 | |||
| 84 | (% style="list-style-type: square;" %) | ||
| 85 | * ((( | ||
| 86 | a short message, like | ||
| 87 | |||
| 88 | {{code language="none"}} | ||
| 89 | { "message" : "Some message to use in log files" } | ||
| 90 | {{/code}} | ||
| 91 | ))) | ||
| 92 | * (% style="color: rgb(0,0,0);" %)or a list of named values, for examples scroll down to the operation chapters | ||
| 93 | * (% style="color: rgb(0,0,0);" %)or a empty list if no data can be found | ||
| 94 | * ((( | ||
| 95 | (% style="color: rgb(0,0,0);" %)or an error message for "not supported by backend" or similar problems, like | ||
| 96 | |||
| 97 | {{code language="none"}} | ||
| 98 | { "error" : "Operation not supported by backend for specified domain" } | ||
| 99 | {{/code}} | ||
| 100 | |||
| 101 | (% style="color: rgb(0,0,0);" %)\\ | ||
| 102 | ))) | ||
| 103 | |||
| |
2.1 | 104 | == {{id name="HTTPauthenticationAPING-Requiredoperations"/}}Required operations == |
| 105 | |||
| 106 | ==== {{id name="HTTPauthenticationAPING-tryLogin"/}}tryLogin ==== | ||
| 107 | |||
| |
4.1 | 108 | ====== {{id name="HTTPauthenticationAPING-Requestbody(newformat,preferred)"/}}Request body (new format, preferred) ====== |
| |
1.1 | 109 | |
| 110 | {{code}} | ||
| |
2.1 | 111 | op=tryLogin&user=<user>&domain=<domain>&passwd=<passwd> |
| |
1.1 | 112 | |
| 113 | {{/code}} | ||
| 114 | |||
| |
2.1 | 115 | The {{code language="none"}}domain{{/code}} parameter is optional. |
| 116 | |||
| |
4.1 | 117 | ====== {{id name="HTTPauthenticationAPING-Requestbodyinoldformat,supportedforbackwardcompatibilityreasons"/}}Request body in old format, supported for backward compatibility reasons ====== |
| |
1.1 | 118 | |
| 119 | {{code}} | ||
| 120 | user=<user>&passwd=<passwd> | ||
| 121 | {{/code}} | ||
| 122 | |||
| |
4.1 | 123 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== |
| |
1.1 | 124 | |
| |
4.1 | 125 | (% style="color: rgb(0, 0, 0); color: rgb(0, 0, 0)" %)Non-empty information text, not more (% style="color: rgb(0,0,0);" %)than 1024 bytes. The message may go into logfiles and should not be displayed to the user. |
| |
1.1 | 126 | |
| |
2.1 | 127 | ==== {{id name="HTTPauthenticationAPING-getSupportedOperations"/}}getSupportedOperations ==== |
| |
1.1 | 128 | |
| |
4.1 | 129 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 130 | |
| 131 | {{code}} | ||
| 132 | op=getSupportedFeatures | ||
| 133 | {{/code}} | ||
| 134 | |||
| |
4.1 | 135 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}Response body (plain non-JSON variant)(% style="color: rgb(0,0,0);" %) (%%) ====== |
| |
2.1 | 136 | |
| 137 | (% style="color: rgb(0,0,0);" %)List of suppored operations, separated by '{{code language="none"}},{{/code}}'. | ||
| 138 | |||
| 139 | (% style="color: rgb(0,0,0);" %)Example showing minimal feature set: | ||
| 140 | |||
| 141 | {{code language="none"}} | ||
| 142 | getSupportedOperations,tryLogin | ||
| 143 | {{/code}} | ||
| 144 | |||
| 145 | (% style="color: rgb(0,0,0);" %)Example specifying maximum feature set: | ||
| 146 | |||
| 147 | {{code language="none"}} | ||
| 148 | getSupportedOperations,tryLogin,changePassword,deactivateUser,getDefaultDomain,getGroups,sendPassword,searchUser | ||
| 149 | {{/code}} | ||
| 150 | |||
| |
4.1 | 151 | ====== {{id name="HTTPauthenticationAPING-Responsebody(JSONvariant)"/}}Response body (JSON variant) ====== |
| 152 | |||
| 153 | {{code language="none"}} | ||
| 154 | { "operations": [ "getSupportedOperations", "tryLogin" ] } | ||
| 155 | {{/code}} | ||
| 156 | |||
| |
2.1 | 157 | == {{id name="HTTPauthenticationAPING-OptionalOperations"/}}(% style="color: rgb(0,0,0);" %)Optional Operations(%%) == |
| 158 | |||
| 159 | ==== {{id name="HTTPauthenticationAPING-changePassword"/}}changePassword ==== | ||
| 160 | |||
| 161 | Changes the password of the user. | ||
| 162 | |||
| |
4.1 | 163 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 164 | |
| 165 | {{code}} | ||
| 166 | op=changePassword&user=<user>&domain=<domain>&oldPassword=<oldPassword>&newPassword=<newPassword>&newPasswordConfirmed=<newPassword> | ||
| 167 | |||
| 168 | {{/code}} | ||
| 169 | |||
| 170 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 171 | |||
| 172 | The {{code language="none"}}newPasswordConfirmed{{/code}} parameter is optional and available only to simplify writing web interfaces. If it is specified and does not match {{code language="none"}}newPassword{{/code}}, the password is not changed. | ||
| 173 | |||
| |
4.1 | 174 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== |
| |
2.1 | 175 | |
| 176 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 177 | |||
| 178 | ==== {{id name="HTTPauthenticationAPING-deactivateUser"/}}deactivateUser ==== | ||
| 179 | |||
| 180 | Deactivates a user, prevents him for logging in again. | ||
| 181 | |||
| |
4.1 | 182 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 183 | |
| 184 | {{code}} | ||
| 185 | op=deactivateUser&user=<user>&domain=<domain> | ||
| 186 | {{/code}} | ||
| 187 | |||
| 188 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 189 | |||
| |
4.1 | 190 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== |
| |
2.1 | 191 | |
| 192 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 193 | |||
| 194 | ==== {{id name="HTTPauthenticationAPING-getDefaultDomain"/}}getDefaultDomain ==== | ||
| 195 | |||
| 196 | Returns the default domain, if there is any. | ||
| 197 | |||
| |
4.1 | 198 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 199 | |
| 200 | {{code}} | ||
| 201 | op=getDefaultDomain | ||
| 202 | |||
| 203 | {{/code}} | ||
| 204 | |||
| |
4.1 | 205 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}Response body(% style="color: rgb(0,0,0);" %) (plain non-JSON variant) (%%) ====== |
| |
2.1 | 206 | |
| 207 | Default authentication domain, or '{{code language="none"}}-{{/code}}' if there is no default domain, or '{{code language="none"}}--{{/code}}' if there is no domain support at all. | ||
| 208 | |||
| |
4.1 | 209 | ====== {{id name="HTTPauthenticationAPING-Responsebody(JSONvariant)"/}}Response body (JSON variant) ====== |
| 210 | |||
| 211 | {{code language="none"}} | ||
| 212 | { "defaultDomain": [ "SOMEDOMAIN" ] } | ||
| 213 | {{/code}} | ||
| 214 | |||
| |
2.1 | 215 | ==== {{id name="HTTPauthenticationAPING-getGroups"/}}getGroups ==== |
| 216 | |||
| 217 | Returns the groups the user is a member of. | ||
| 218 | |||
| |
4.1 | 219 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 220 | |
| 221 | {{code}} | ||
| |
3.1 | 222 | op=getGroups&user=<user>&domain=<domain> |
| |
2.1 | 223 | {{/code}} |
| 224 | |||
| 225 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 226 | |||
| |
4.1 | 227 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}(% style="color: rgb(0, 0, 0); color: rgb(0, 0, 0)" %)Response body (plain non-JSON variant)(%%) ====== |
| |
2.1 | 228 | |
| |
4.1 | 229 | (% style="color: rgb(0, 0, 0); color: rgb(0, 0, 0)" %) (% style="color: rgb(0,0,0);" %)List of group names, separated by '(% style="color: rgb(0,0,0);" %){{code language="none"}},{{/code}}' or just '(% style="color: rgb(0,0,0);" %){{code language="none"}}-{{/code}}' if the user is not member of any group, or '(% style="color: rgb(0,0,0);" %){{code language="none"}}--{{/code}}' if there is no group support. |
| |
2.1 | 230 | |
| |
3.1 | 231 | ==== {{id name="HTTPauthenticationAPING-getGroupMembers"/}}getGroupMembers ==== |
| 232 | |||
| 233 | Returns the users the are a member of the specified group. | ||
| 234 | |||
| |
4.1 | 235 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
3.1 | 236 | |
| 237 | {{code}} | ||
| 238 | op=getGroupMembers&group=<group>&domain=<domain> | ||
| 239 | {{/code}} | ||
| 240 | |||
| 241 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 242 | |||
| |
4.1 | 243 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}(% style="color: rgb(0,0,0);" %)Response body (plain non-JSON variant)(%%) ====== |
| |
3.1 | 244 | |
| 245 | (% style="color: rgb(0,0,0);" %)List of group names, separated by '{{code language="none"}},{{/code}}' or just '{{code language="none"}}-{{/code}}' if the user is not member of any group, or '{{code language="none"}}--{{/code}}' if there is no group support. | ||
| 246 | |||
| |
2.1 | 247 | ==== {{id name="HTTPauthenticationAPING-sendPassword"/}}sendPassword ==== |
| 248 | |||
| 249 | Generates a new password or send a "new password" link to the user. | ||
| 250 | |||
| |
4.1 | 251 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 252 | |
| 253 | {{code}} | ||
| 254 | op=sendPassword&user=<user>&domain=<domain> | ||
| 255 | |||
| 256 | {{/code}} | ||
| 257 | |||
| 258 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 259 | |||
| |
4.1 | 260 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== |
| |
2.1 | 261 | |
| 262 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 263 | |||
| 264 | ==== {{id name="HTTPauthenticationAPING-searchUser"/}}searchUser ==== | ||
| 265 | |||
| 266 | Searches a user in the database, sets response code to 200 if the user is there, 404 if the user could not be found. | ||
| 267 | |||
| |
4.1 | 268 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== |
| |
2.1 | 269 | |
| 270 | {{code}} | ||
| 271 | op=searchUser&user=<user>&domain=<domain> | ||
| 272 | {{/code}} | ||
| 273 | |||
| 274 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 275 | |||
| |
4.1 | 276 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== |
| |
2.1 | 277 | |
| 278 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 279 | |||
| 280 |