Wiki source code of HTTP authentication API NG
Version 4.1 by christoph_lechleitner@iteg_at on 2012-11-08 06.51:11
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | == {{id name="HTTPauthenticationAPING-Motivation"/}}Motivation == | ||
| 2 | |||
| 3 | {{code language="none"}}org.clazzes.login.http{{/code}} is a the HTTP based implementation of [[DomainPasswordLoginService>>confluencePage:page:LOGIN.(HTTP)Login Service NG: DomainPasswordLoginService]]. | ||
| 4 | |||
| 5 | While the old [[HTTP authentication request>>confluencePage:page:LOGIN.HTTP authentication requests]] is satisfying for user/password checks, new optional features like group membership queries require new handshakes for the HTTP backend API. | ||
| 6 | |||
| 7 | This document speficies the next-gen HTTP authentication API. | ||
| 8 | |||
| 9 | == {{id name="HTTPauthenticationAPING-Contents"/}}Contents == | ||
| 10 | |||
| 11 | {{toc depth="4" start="2"/}} | ||
| 12 | |||
| 13 | == {{id name="HTTPauthenticationAPING-BasicHandshakePattern"/}}Basic Handshake Pattern == | ||
| 14 | |||
| 15 | ==== {{id name="HTTPauthenticationAPING-BasicRequestPattern"/}}Basic Request Pattern ==== | ||
| 16 | |||
| 17 | A request to an authentication URL is a HTTPS POST request like this: | ||
| 18 | |||
| 19 | {{code}} | ||
| 20 | POST /my/authentication/service HTTP/1.1 | ||
| 21 | Host: auth.my.domain | ||
| 22 | Content-Type: application/x-www-form-urlencoded | ||
| 23 | |||
| 24 | op=<op>¶m1=<value1>¶m2=<value2> | ||
| 25 | |||
| 26 | {{/code}} | ||
| 27 | |||
| 28 | {{code language="none"}}<op>{{/code}} is the operation requested, usually the name of the method in [[DomainPasswordLoginService.java>>url:https://svn.clazzes.org/svn/util/trunk/clazzes-util/src/main/java/org/clazzes/util/sec/DomainPasswordLoginService.java||shape="rect"]]. | ||
| 29 | |||
| 30 | To provide backwards compatibility, the {{code language="none"}}op{{/code}} parameter is optional and defaults to {{code language="none"}}tryLogin{{/code}}. | ||
| 31 | |||
| 32 | See below for detailed examples. | ||
| 33 | |||
| 34 | ==== {{id name="HTTPauthenticationAPING-BasicResponsepattern"/}}Basic Response pattern ==== | ||
| 35 | |||
| 36 | Every respond to an authentication request is answered with a HTTP response with | ||
| 37 | |||
| 38 | {{code}} | ||
| 39 | Content-Type: text/plain; charset=utf-8 | ||
| 40 | |||
| 41 | {{/code}} | ||
| 42 | |||
| 43 | and on of the following status codes: | ||
| 44 | |||
| 45 | {{code}} | ||
| 46 | 200 OK - login is ok, or other operation was completed successfully | ||
| 47 | 403 Forbidden - the login is invalid or the operation is not permitted | ||
| 48 | 404 Not found - if a user could not be found during a search operation | ||
| 49 | 406 Not Acceptable - too many unsuccessful authentications, or other reason to suspect a brute force attack | ||
| 50 | |||
| 51 | {{/code}} | ||
| 52 | |||
| 53 | (% style="color: rgb(0,0,0);" %)The response body must not be empty and must be UTF-8 encoded, it's content is specified differently for each operation. | ||
| 54 | |||
| 55 | (% style="color: rgb(0,0,0);" %)For most operations the reponse is either | ||
| 56 | |||
| 57 | * (% style="color: rgb(0,0,0);" %)a short message for logging (not more than 1024 bytes) | ||
| 58 | * (% style="color: rgb(0,0,0);" %)or a list of values separated by '{{code language="none"}},{{/code}}' | ||
| 59 | * (% style="color: rgb(0,0,0);" %)or '{{code language="none"}}-{{/code}}' for "empty list"/"no data" | ||
| 60 | * (% style="color: rgb(0,0,0);" %)or '{{code language="none"}}--{{/code}}' for "not supported by backend" | ||
| 61 | |||
| 62 | The server may enforce the use of HTTP basic authentication in order to keep offending servers away from dictionary attacks. | ||
| 63 | |||
| 64 | ===== {{id name="HTTPauthenticationAPING-JSONvariant"/}}JSON variant ===== | ||
| 65 | |||
| 66 | A backend may support to return the response in the form of small JSON documents. | ||
| 67 | |||
| 68 | To trigger json response, add the parameter {{code language="none"}}json=1{{/code}} to the request, like this: | ||
| 69 | |||
| 70 | {{code}} | ||
| 71 | POST /my/authentication/service HTTP/1.1 | ||
| 72 | Host: auth.my.domain | ||
| 73 | Content-Type: application/x-www-form-urlencoded | ||
| 74 | |||
| 75 | op=<op>&json=1¶m1=<value1>¶m2=<value2> | ||
| 76 | {{/code}} | ||
| 77 | |||
| 78 | To explicitly disable JSON response, use {{code language="none"}}json=0{{/code}} instead. | ||
| 79 | |||
| 80 | Backends might choose to support only one variant, only with or only without JSON response. | ||
| 81 | |||
| 82 | With JSON reponses on, the repsonse is either | ||
| 83 | |||
| 84 | (% style="list-style-type: square;" %) | ||
| 85 | * ((( | ||
| 86 | a short message, like | ||
| 87 | |||
| 88 | {{code language="none"}} | ||
| 89 | { "message" : "Some message to use in log files" } | ||
| 90 | {{/code}} | ||
| 91 | ))) | ||
| 92 | * (% style="color: rgb(0,0,0);" %)or a list of named values, for examples scroll down to the operation chapters | ||
| 93 | * (% style="color: rgb(0,0,0);" %)or a empty list if no data can be found | ||
| 94 | * ((( | ||
| 95 | (% style="color: rgb(0,0,0);" %)or an error message for "not supported by backend" or similar problems, like | ||
| 96 | |||
| 97 | {{code language="none"}} | ||
| 98 | { "error" : "Operation not supported by backend for specified domain" } | ||
| 99 | {{/code}} | ||
| 100 | |||
| 101 | (% style="color: rgb(0,0,0);" %)\\ | ||
| 102 | ))) | ||
| 103 | |||
| 104 | == {{id name="HTTPauthenticationAPING-Requiredoperations"/}}Required operations == | ||
| 105 | |||
| 106 | ==== {{id name="HTTPauthenticationAPING-tryLogin"/}}tryLogin ==== | ||
| 107 | |||
| 108 | ====== {{id name="HTTPauthenticationAPING-Requestbody(newformat,preferred)"/}}Request body (new format, preferred) ====== | ||
| 109 | |||
| 110 | {{code}} | ||
| 111 | op=tryLogin&user=<user>&domain=<domain>&passwd=<passwd> | ||
| 112 | |||
| 113 | {{/code}} | ||
| 114 | |||
| 115 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 116 | |||
| 117 | ====== {{id name="HTTPauthenticationAPING-Requestbodyinoldformat,supportedforbackwardcompatibilityreasons"/}}Request body in old format, supported for backward compatibility reasons ====== | ||
| 118 | |||
| 119 | {{code}} | ||
| 120 | user=<user>&passwd=<passwd> | ||
| 121 | {{/code}} | ||
| 122 | |||
| 123 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== | ||
| 124 | |||
| 125 | (% style="color: rgb(0, 0, 0); color: rgb(0, 0, 0)" %)Non-empty information text, not more (% style="color: rgb(0,0,0);" %)than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 126 | |||
| 127 | ==== {{id name="HTTPauthenticationAPING-getSupportedOperations"/}}getSupportedOperations ==== | ||
| 128 | |||
| 129 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 130 | |||
| 131 | {{code}} | ||
| 132 | op=getSupportedFeatures | ||
| 133 | {{/code}} | ||
| 134 | |||
| 135 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}Response body (plain non-JSON variant)(% style="color: rgb(0,0,0);" %) (%%) ====== | ||
| 136 | |||
| 137 | (% style="color: rgb(0,0,0);" %)List of suppored operations, separated by '{{code language="none"}},{{/code}}'. | ||
| 138 | |||
| 139 | (% style="color: rgb(0,0,0);" %)Example showing minimal feature set: | ||
| 140 | |||
| 141 | {{code language="none"}} | ||
| 142 | getSupportedOperations,tryLogin | ||
| 143 | {{/code}} | ||
| 144 | |||
| 145 | (% style="color: rgb(0,0,0);" %)Example specifying maximum feature set: | ||
| 146 | |||
| 147 | {{code language="none"}} | ||
| 148 | getSupportedOperations,tryLogin,changePassword,deactivateUser,getDefaultDomain,getGroups,sendPassword,searchUser | ||
| 149 | {{/code}} | ||
| 150 | |||
| 151 | ====== {{id name="HTTPauthenticationAPING-Responsebody(JSONvariant)"/}}Response body (JSON variant) ====== | ||
| 152 | |||
| 153 | {{code language="none"}} | ||
| 154 | { "operations": [ "getSupportedOperations", "tryLogin" ] } | ||
| 155 | {{/code}} | ||
| 156 | |||
| 157 | == {{id name="HTTPauthenticationAPING-OptionalOperations"/}}(% style="color: rgb(0,0,0);" %)Optional Operations(%%) == | ||
| 158 | |||
| 159 | ==== {{id name="HTTPauthenticationAPING-changePassword"/}}changePassword ==== | ||
| 160 | |||
| 161 | Changes the password of the user. | ||
| 162 | |||
| 163 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 164 | |||
| 165 | {{code}} | ||
| 166 | op=changePassword&user=<user>&domain=<domain>&oldPassword=<oldPassword>&newPassword=<newPassword>&newPasswordConfirmed=<newPassword> | ||
| 167 | |||
| 168 | {{/code}} | ||
| 169 | |||
| 170 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 171 | |||
| 172 | The {{code language="none"}}newPasswordConfirmed{{/code}} parameter is optional and available only to simplify writing web interfaces. If it is specified and does not match {{code language="none"}}newPassword{{/code}}, the password is not changed. | ||
| 173 | |||
| 174 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== | ||
| 175 | |||
| 176 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 177 | |||
| 178 | ==== {{id name="HTTPauthenticationAPING-deactivateUser"/}}deactivateUser ==== | ||
| 179 | |||
| 180 | Deactivates a user, prevents him for logging in again. | ||
| 181 | |||
| 182 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 183 | |||
| 184 | {{code}} | ||
| 185 | op=deactivateUser&user=<user>&domain=<domain> | ||
| 186 | {{/code}} | ||
| 187 | |||
| 188 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 189 | |||
| 190 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== | ||
| 191 | |||
| 192 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 193 | |||
| 194 | ==== {{id name="HTTPauthenticationAPING-getDefaultDomain"/}}getDefaultDomain ==== | ||
| 195 | |||
| 196 | Returns the default domain, if there is any. | ||
| 197 | |||
| 198 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 199 | |||
| 200 | {{code}} | ||
| 201 | op=getDefaultDomain | ||
| 202 | |||
| 203 | {{/code}} | ||
| 204 | |||
| 205 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}Response body(% style="color: rgb(0,0,0);" %) (plain non-JSON variant) (%%) ====== | ||
| 206 | |||
| 207 | Default authentication domain, or '{{code language="none"}}-{{/code}}' if there is no default domain, or '{{code language="none"}}--{{/code}}' if there is no domain support at all. | ||
| 208 | |||
| 209 | ====== {{id name="HTTPauthenticationAPING-Responsebody(JSONvariant)"/}}Response body (JSON variant) ====== | ||
| 210 | |||
| 211 | {{code language="none"}} | ||
| 212 | { "defaultDomain": [ "SOMEDOMAIN" ] } | ||
| 213 | {{/code}} | ||
| 214 | |||
| 215 | ==== {{id name="HTTPauthenticationAPING-getGroups"/}}getGroups ==== | ||
| 216 | |||
| 217 | Returns the groups the user is a member of. | ||
| 218 | |||
| 219 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 220 | |||
| 221 | {{code}} | ||
| 222 | op=getGroups&user=<user>&domain=<domain> | ||
| 223 | {{/code}} | ||
| 224 | |||
| 225 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 226 | |||
| 227 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}(% style="color: rgb(0, 0, 0); color: rgb(0, 0, 0)" %)Response body (plain non-JSON variant)(%%) ====== | ||
| 228 | |||
| 229 | (% style="color: rgb(0, 0, 0); color: rgb(0, 0, 0)" %) (% style="color: rgb(0,0,0);" %)List of group names, separated by '(% style="color: rgb(0,0,0);" %){{code language="none"}},{{/code}}' or just '(% style="color: rgb(0,0,0);" %){{code language="none"}}-{{/code}}' if the user is not member of any group, or '(% style="color: rgb(0,0,0);" %){{code language="none"}}--{{/code}}' if there is no group support. | ||
| 230 | |||
| 231 | ==== {{id name="HTTPauthenticationAPING-getGroupMembers"/}}getGroupMembers ==== | ||
| 232 | |||
| 233 | Returns the users the are a member of the specified group. | ||
| 234 | |||
| 235 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 236 | |||
| 237 | {{code}} | ||
| 238 | op=getGroupMembers&group=<group>&domain=<domain> | ||
| 239 | {{/code}} | ||
| 240 | |||
| 241 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 242 | |||
| 243 | ====== {{id name="HTTPauthenticationAPING-Responsebody(plainnon-JSONvariant)"/}}(% style="color: rgb(0,0,0);" %)Response body (plain non-JSON variant)(%%) ====== | ||
| 244 | |||
| 245 | (% style="color: rgb(0,0,0);" %)List of group names, separated by '{{code language="none"}},{{/code}}' or just '{{code language="none"}}-{{/code}}' if the user is not member of any group, or '{{code language="none"}}--{{/code}}' if there is no group support. | ||
| 246 | |||
| 247 | ==== {{id name="HTTPauthenticationAPING-sendPassword"/}}sendPassword ==== | ||
| 248 | |||
| 249 | Generates a new password or send a "new password" link to the user. | ||
| 250 | |||
| 251 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 252 | |||
| 253 | {{code}} | ||
| 254 | op=sendPassword&user=<user>&domain=<domain> | ||
| 255 | |||
| 256 | {{/code}} | ||
| 257 | |||
| 258 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 259 | |||
| 260 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== | ||
| 261 | |||
| 262 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 263 | |||
| 264 | ==== {{id name="HTTPauthenticationAPING-searchUser"/}}searchUser ==== | ||
| 265 | |||
| 266 | Searches a user in the database, sets response code to 200 if the user is there, 404 if the user could not be found. | ||
| 267 | |||
| 268 | ====== {{id name="HTTPauthenticationAPING-Requestbody"/}}Request body ====== | ||
| 269 | |||
| 270 | {{code}} | ||
| 271 | op=searchUser&user=<user>&domain=<domain> | ||
| 272 | {{/code}} | ||
| 273 | |||
| 274 | The {{code language="none"}}domain{{/code}} parameter is optional. | ||
| 275 | |||
| 276 | ====== {{id name="HTTPauthenticationAPING-Responsebody"/}}Response body ====== | ||
| 277 | |||
| 278 | (% style="color: rgb(0,0,0);" %)Non-empty information text, not more than 1024 bytes. The message may go into logfiles and should not be displayed to the user. | ||
| 279 | |||
| 280 |