Package org.forgerock.openig.openam

Class SingleSignOnFilter

java.lang.Object

org.forgerock.openig.openam.SingleSignOnFilter

All Implemented Interfaces:

Filter

public class SingleSignOnFilter
extends Object
implements Filter

This filter verifies the presence of a SSOToken in the given cookie name. If the request cookie header contains a SSOToken, its validity is verified before the request is forwarded to the next handler.

If the SSOToken is not valid or if cookie header is not present or empty, then the user-agent is redirected to Access Management login page. Once log in has been successful, the request is forwarded.

IG appends a query parameter marker in generated redirect in order to determine, when the final redirect comes back without an iPlanetDirectoryPro (iPDP) cookie, if it should trigger a login or just fail because there is a cooke domain issue (properly authenticated on AM, but the iPDP cookie is not propagated back to IG).

 {
    "type": "SingleSignOnFilter",
    "config": {
        "amService"               :    AmService          [REQUIRED]
        "logoutExpression"        :    booleanExpression  [OPTIONAL - a boolean expression that if it evaluates as
                                                                      true, will be used to detect if a logout
                                                                      should be triggered.]
        "defaultLogoutLandingPage":    uriExpression      [OPTIONAL - URI to redirect after a successful logout.]
        "loginEndpoint"           :    uriExpression      [OPTIONAL - URL to redirect to if the AM session is not
                                                                      valid or if AM cookie is not present/empty.
                                                                      The URL of the AmService is used when
                                                                      loginEndpoint is not specified.]
        "authenticationService"   : stringExpression      [OPTIONAL - The name of the AM authentication service to use
                                                                      to authenticate the user. If not supplied then
                                                                      the AM-configured default service is used.]
        "redirectionMarker"       : object                [OPTIONAL - Configure the redirectionMarker, added by
                                                                      default without having to specify this
                                                                      configuration item.]
        {
            "enabled"             : booleanExpression     [OPTIONAL - a boolean expression that if it evaluates as
                                                                      true, the redirection marker will be used to
                                                                      protect against infinite authentication loops.
                                                                      Defaults to true.]
            "name"                : stringExpression      [OPTIONAL - The name of the redirectionMarker query
                                                                      parameter to use when the redirectionMarker is
                                                                      enabled, defaults to _ig.]
        }
    }
  }
  
 

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	SingleSignOnFilter.Heaplet	Creates and initialises an authentication filter in a heap environment.

Method Summary

Modifier and Type	Method	Description
Promise<Response,NeverThrowsException>	filter(Context context, Request request, Handler next)	Filters the request and/or response of an exchange.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

filter

public Promise<Response,NeverThrowsException> filter(Context context,
 Request request,
 Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

Specified by:

filter in interface Filter

Parameters:

context - The request context.

request - The request.

next - The next filter or handler in the chain to handle the request.

Returns:

A Promise representing the response to be returned to the client.