Class CrossDomainSingleSignOnFilter

  • All Implemented Interfaces:
    Filter

    public class CrossDomainSingleSignOnFilter
    extends Object
    implements Filter
    This filter checks for a JWT authentication token in the cookie with the configured name:
    • If the JWT is present, its validity is checked and the request is forwarded to the next handler.
    • If the JWT is not present, the user-agent is redirected to Access Management via its OAuth2 authorization endpoint to obtain user authentication.

    Once the user is authenticated, AM calls back to IG via the configured CDSSO redirect endpoint ("redirectEndpoint"). This callback request includes the required authentication as a JWT. With this, access to the protected resource is granted.

    The JWT is stored in the configured cookie name and the request is further redirected to the original URI (of the protected resource), together with session information. The JWT is furthermore stored in a CdSsoContext, while the SSO token contained within it is stored in a SsoTokenContext.

     {
       "type": "CrossDomainSingleSignOnFilter",
       "config": {
         "amService"                 : AmService              [REQUIRED]
         "redirectEndpoint"          : expression<IG redirect URI> [REQUIRED]
         "verificationSecretId"      : expression<Secret ID>  [OPTIONAL - to verify the signature of the CDSSO token.]
         "secretsProvider"           : SecretsProvider        [OPTIONAL - secrets provider used to obtain secrets.
                                                                          REQUIRED if 'verificationSecretId' is used.]
         "failureHandler"            : Failure handler to be invoked when authentication fails. Defaults to
                                       Heaplet#defaultFailureHandler().
         "authCookie": {
           "name"                    : Name of cookie containing the IG auth token. Defaults to
                                       IG_DEFAULT_AUTH_COOKIE_NAME.
           "domain"                  : Domain that cookie is applicable to. If unset, defaults to domain of IG host.
           "path"                    : Path protected by this authentication. Defaults to
                                       IG_DEFAULT_AUTH_PATH.
           "secure"                  : Determines if the cookie should be set to be secure. Defaults to false.
           "httpOnly"                : Determines if the cookie should be set to be httpOnly. Defaults to true.
           "sameSite"                : SameSite cookie configuration. Default is null.
         }
         "logoutExpression"          : booleanExpression  [OPTIONAL - a boolean expression that, if it evaluates to
                                                                      true, is used to detect that a logout
                                                                      should be triggered.]
         "defaultLogoutLandingPage" : uriExpression      [OPTIONAL - URI to redirect to after a successful logout.]
         "authenticationService"    : stringExpression   [OPTIONAL - The name of the AM authentication service to use
                                                                      to authenticate the user. If not supplied then the
                                                                      AM-configured default service is used.]
       }
     }
      
     
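    As an added example (not part of the IG reference above), a complete filter declaration using the keys listed: the auth cookie is marked secure and httpOnly, SameSite is set explicitly, and the CDSSO token signature is verified through a secrets provider rather than accepted unverified. The heap object names "AmService-1" and "SecretsProvider-1", the secret id, the hostnames and paths, and the logout expression are assumed placeholders.

    ```json
    {
      "type": "CrossDomainSingleSignOnFilter",
      "config": {
        "amService": "AmService-1",
        "redirectEndpoint": "https://ig.example.com/home/cdsso/redirect",
        "verificationSecretId": "cdsso.token.verification.key",
        "secretsProvider": "SecretsProvider-1",
        "failureHandler": {
          "type": "StaticResponseHandler",
          "config": {
            "status": 401,
            "reason": "Unauthorized"
          }
        },
        "authCookie": {
          "name": "IG_CDSSO_TOKEN",
          "path": "/home/cdsso",
          "secure": true,
          "httpOnly": true,
          "sameSite": "Lax"
        },
        "logoutExpression": "${matches(request.uri.path, '^/home/cdsso/logout')}",
        "defaultLogoutLandingPage": "https://www.example.com/logged-out",
        "authenticationService": "ldapService"
      }
    }
    ```

    SameSite is "Lax" rather than "Strict" because the cookie must still be sent on the top-level redirect that follows AM's cross-site callback to the redirect endpoint; "domain" is left unset so the cookie stays scoped to the IG host.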
    See Also:
    Access Management Cross-domain Single-sign-on documentation, Blog discussing the Access Management OIDC Flow
    • Constructor Detail

      • CrossDomainSingleSignOnFilter

        public CrossDomainSingleSignOnFilter(AmService amService,
                                             String clientId,
                                             String redirectEndpoint,
                                             CookieBuilder cookieBuilder,
                                             Supplier<String> idSupplier,
                                             JwsSignatureVerifier verifier,
                                             Clock clock,
                                             Handler failureHandler,
                                             Expression<Boolean> logoutExpression,
                                             String defaultLogoutLandingPage,
                                             String authnService)
        Creates a new CrossDomainSingleSignOnFilter.
        Parameters:
        amService - The AmService which manages the login/logout
        clientId - The client id to use to register this IG instance as an AM client
        redirectEndpoint - The IG redirect endpoint to callback to after authentication
        cookieBuilder - The IG authentication cookie config builder
        idSupplier - Supplier of unique identifiers
        verifier - JwsSignatureVerifier to use to verify the signature of the IdToken - may be null
        clock - The clock to use
        failureHandler - The failure handler to be invoked when authentication fails
        logoutExpression - The logout expression
        defaultLogoutLandingPage - The URI to which a request is redirected after the user logs out of AM
        authnService - The AM authentication service to use to authenticate the user - may be null
    • Method Detail

      • filter

        public Promise<Response, NeverThrowsException> filter(Context context,
                                                              Request request,
                                                              Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.