Class CrossDomainSingleSignOnFilter

java.lang.Object
  org.forgerock.openig.openam.CrossDomainSingleSignOnFilter

All Implemented Interfaces:
  Filter

public class CrossDomainSingleSignOnFilter extends Object implements Filter
This filter verifies the presence of a JWT authentication token in the configured cookie name:
- If the JWT is present, its validity is checked and the request is forwarded to the next handler.
- If the JWT is not present, the user-agent is redirected to Access Management (AM) via its OAuth2 authorization endpoint, to obtain user authentication.

Once the user is authenticated, AM calls back to IG via the configured CDSSO redirect endpoint ("redirectEndpoint"). This callback request includes the required authentication as a JWT. With this, access to the protected resource is granted.

The JWT is stored in the configured cookie name and the request is further redirected to the original URI (of the protected resource), together with session information. The JWT is furthermore stored in a CdSsoContext, while the SSO token contained within it is stored in an SsoTokenContext.

    {
      "type": "CrossDomainSingleSignOnFilter",
      "config": {
        "amService"                : AmService                   [REQUIRED]
        "redirectEndpoint"         : expression<IG redirect URI> [REQUIRED]
        "verificationSecretId"     : expression<Secret ID>       [OPTIONAL - to verify the signature of the CDSSO token.]
        "secretsProvider"          : SecretsProvider             [OPTIONAL - secrets provider used to obtain secrets. REQUIRED if 'verificationSecretId' is used.]
        "failureHandler"           : Failure handler to be invoked when authentication fails. Defaults to Heaplet.defaultFailureHandler().
        "authCookie": {
          "name"                   : Name of the cookie containing the IG auth token. Defaults to IG_DEFAULT_AUTH_COOKIE_NAME.
          "domain"                 : Domain that the cookie is applicable to. If unset, defaults to the domain of the IG host.
          "path"                   : Path protected by this authentication. Defaults to IG_DEFAULT_AUTH_PATH.
          "secure"                 : Determines if the cookie should be set to be secure. Defaults to false.
          "httpOnly"               : Determines if the cookie should be set to be httpOnly. Defaults to true.
          "sameSite"               : SameSite cookie configuration. Default is null.
        }
        "logoutExpression"         : booleanExpression [OPTIONAL - a boolean expression that, if it evaluates as true, triggers a logout.]
        "defaultLogoutLandingPage" : uriExpression     [OPTIONAL - URI to redirect to after a successful logout.]
        "authenticationService"    : stringExpression  [OPTIONAL - the name of the AM authentication service to use to authenticate the user. If not supplied, the AM-configured default service is used.]
      }
    }
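The following IG route is an added example, not part of this Javadoc page or of the IG project's own documentation. It wires the filter with the options listed above and replaces the defaults a practitioner should not ship with: "secure" (which defaults to false) is set to true because the cookie carries the JWT and the SSO token it contains, "httpOnly" is kept at true, and a SameSite policy is set. "verificationSecretId" and "secretsProvider" are configured so the CDSSO token's signature is verified rather than accepted as-is. The route-level keys ("name", "condition", "heap"), the AmService options ("url", "realm"), the Chain and ReverseProxyHandler types, the hostname, and the heap names and secret id are assumptions drawn from general IG route conventions rather than from this page; the heap definition of "SecretsProvider-1" is omitted and its name is a placeholder.

```json
{
  "name": "cdsso-protected-app",
  "condition": "${find(request.uri.path, '^/home/cdsso')}",
  "heap": [
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "https://am.example.com/am",
        "realm": "/"
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "CrossDomainSingleSignOnFilter",
          "config": {
            "amService": "AmService-1",
            "redirectEndpoint": "/home/cdsso/redirect",
            "verificationSecretId": "id.key.for.verifying.cdsso.jwt",
            "secretsProvider": "SecretsProvider-1",
            "authCookie": {
              "name": "ig-token-cookie",
              "path": "/home/cdsso",
              "secure": true,
              "httpOnly": true,
              "sameSite": "Lax"
            },
            "logoutExpression": "${find(request.uri.path, '/logout$')}",
            "defaultLogoutLandingPage": "/home/cdsso/loggedout"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Two checks worth making against this configuration: the "redirectEndpoint" must be the exact URI that AM is allowed to call back to, since the JWT arrives on that callback and the filter sets the cookie from it; and "path" should be no wider than the resources the filter actually protects, because every request under that path will carry the token cookie.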
Nested Class Summary

Nested Classes
  Modifier and Type: static class
  Class: CrossDomainSingleSignOnFilter.Heaplet
  Description: Creates and initialises an authentication filter in a heap environment.

Constructor Summary

Constructors
  CrossDomainSingleSignOnFilter(AmService amService, String clientId, String redirectEndpoint, CookieBuilder cookieBuilder, Supplier<String> idSupplier, JwsSignatureVerifier verifier, Clock clock, Handler failureHandler, Expression<Boolean> logoutExpression, String defaultLogoutLandingPage, String authnService)
  Creates a new CrossDomainSingleSignOnFilter.

Method Summary

All Methods | Instance Methods | Concrete Methods
  Modifier and Type: Promise<Response,NeverThrowsException>
  Method: filter(Context context, Request request, Handler next)
  Description: Filters the request and/or response of an exchange.
Constructor Detail

CrossDomainSingleSignOnFilter

public CrossDomainSingleSignOnFilter(AmService amService, String clientId, String redirectEndpoint, CookieBuilder cookieBuilder, Supplier<String> idSupplier, JwsSignatureVerifier verifier, Clock clock, Handler failureHandler, Expression<Boolean> logoutExpression, String defaultLogoutLandingPage, String authnService)

Creates a new CrossDomainSingleSignOnFilter.

Parameters:
  amService - The AmService which manages the login/logout
  clientId - The client id to use to register this IG instance as an AM client
  redirectEndpoint - The IG redirect endpoint to call back to after authentication
  cookieBuilder - The IG authentication cookie config builder
  idSupplier - Supplier of unique identifiers
  verifier - JwsSignatureVerifier to use to verify the signature of the IdToken - may be null
  clock - The clock to use
  failureHandler - The failure handler to be invoked when authentication fails
  logoutExpression - The logout expression
  defaultLogoutLandingPage - The URI to which a request is redirected after the user logs out of AM
  authnService - The AM authentication service to use to authenticate the user - may be null
Method Detail

filter

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request). This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.