Class CrossDomainSingleSignOnFilter
- All Implemented Interfaces:
Filter
- If the JWT is present in the configured cookie, its validity is checked and the request is forwarded to the next handler.
- If the JWT is not present, the user-agent is redirected to Access Management (AM) via its OAuth2 authorization endpoint to obtain user authentication.
Once the user is authenticated, AM calls back to IG via the configured CDSSO redirect endpoint ("redirectEndpoint"). This callback request carries the required authentication as a JWT, and with it access to the protected resource is granted.
The JWT is stored in the cookie with the configured name, and the request is redirected to the original URI (of the protected resource) together with session information. The JWT is also stored in a CdSsoContext, while the SSO token contained within it is stored in a SsoTokenContext.
{
"type": "CrossDomainSingleSignOnFilter",
"config": {
"amService" : AmService [REQUIRED]
"redirectEndpoint" : expression<IG redirect URI> [REQUIRED]
"verificationSecretId" : expression<Secret ID> [OPTIONAL - to verify the signature of the CDSSO token.]
"secretsProvider" : SecretsProvider [OPTIONAL - secrets provider used to obtain secrets.
REQUIRED if 'verificationSecretId' is used.]
"failureHandler" : Failure handler to be invoked when authentication fails. Defaults to
{@link Heaplet#defaultFailureHandler()}.
"authCookie": {
"name" : Name of cookie containing the IG auth token. Defaults to
{@literal IG_DEFAULT_AUTH_COOKIE_NAME}.
"domain" : Domain that cookie is applicable to. If unset, defaults to domain of IG host.
"path" : Path protected by this authentication. Defaults to
{@literal IG_DEFAULT_AUTH_PATH}.
"secure" : Determines if the cookie should be set to be secure. Defaults to {@code false}.
"httpOnly" : Determines if the cookie should be set to be httpOnly. Defaults to {@code true}.
"sameSite" : SameSite cookie configuration. Default is {@code null}.
}
"redirectionMarker": { [OPTIONAL - Configure the redirectionMarker, which is added by default
without having to specify this configuration item.]
"enabled" : Boolean [OPTIONAL - if true, the redirection marker will be used to
protect against infinite authentication loops.
Defaults to true.]
"name" : String [OPTIONAL - The name of the redirectionMarker query parameter
to use when the redirectionMarker is enabled.
defaults to "_ig".]
}
"logoutExpression" : booleanExpression [OPTIONAL - a boolean expression that if it evaluates as
true, will be used to detect if a logout
should be triggered.]
"defaultLogoutLandingPage" : uriExpression [OPTIONAL - URI to redirect to after a successful logout.]
"authenticationService" : stringExpression [OPTIONAL - The name of the AM authentication service to use
to authenticate the user. If not supplied then the
AM-configured default service is used.]
}
}
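As an added example (not taken from the page or from the IG project's own documentation), the route below shows the filter wired into a complete IG route with the cookie settings a practitioner would want. Two points from the configuration above are worth acting on: "secure" defaults to false, so unless it is set explicitly the browser will also return the JWT cookie over plain HTTP; and "verificationSecretId" is optional, so without it and a "secretsProvider" the CDSSO token's signature is not verified by this filter. The AmService and SystemAndEnvSecretStore heap objects and their fields (url, realm, agent, passwordSecretId), the sameSite value, the expression functions, and all hostnames, paths, cookie and secret names are assumptions for illustration; check them against the IG reference for your version.

```json
{
  "name": "cdsso-home",
  "condition": "${matches(request.uri.path, '^/home/cdsso')}",
  "baseURI": "http://app.internal.example:8080",
  "heap": {
    "objects": [
      {
        "name": "SystemAndEnvSecretStore-1",
        "type": "SystemAndEnvSecretStore"
      },
      {
        "name": "AmService-1",
        "type": "AmService",
        "config": {
          "url": "https://am.example.com:8443/am",
          "realm": "/",
          "agent": {
            "username": "ig_agent",
            "passwordSecretId": "agent.secret.id"
          },
          "secretsProvider": "SystemAndEnvSecretStore-1"
        }
      }
    ]
  },
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "CrossDomainSingleSignOnFilter",
          "config": {
            "amService": "AmService-1",
            "redirectEndpoint": "/home/cdsso/redirect",
            "verificationSecretId": "am.jwt.verification.key",
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "authCookie": {
              "name": "ig-cdsso-token",
              "domain": ".example.com",
              "path": "/home/cdsso",
              "secure": true,
              "httpOnly": true,
              "sameSite": "lax"
            },
            "redirectionMarker": {
              "enabled": true,
              "name": "_ig"
            },
            "logoutExpression": "${matches(request.uri.path, '/logout$')}",
            "defaultLogoutLandingPage": "/home/cdsso/logged-out"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

With "secure": true the browser only returns the cookie to IG over HTTPS, so the route must be served over TLS; if it is served over plain HTTP the cookie is never returned, the filter sees no JWT on the redirected request, and it is the enabled redirection marker ("_ig" on the redirected URI) that stops the filter from bouncing the user-agent to AM indefinitely. The "secure" flag only governs cookie transport; whether the CDSSO JWT's signature is checked is governed by "verificationSecretId" and its "secretsProvider".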
Nested Class Summary
- static class Heaplet
Creates and initialises an authentication filter in a heap environment.
Method Summary
- filter(Context context, Request request, Handler next)
Method Details
filter
public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Description copied from interface: Filter
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request). This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.