Add RequestAttributeAuthenticationFilter #3978

Closed
wants to merge 2 commits into from

@Majlen Majlen commented Jul 15, 2016

This style is used in many SSO implementations, such as Stanford WebAuth and Shibboleth. Even though in many uses it can be avoided by forcing the HTTP server/proxy to store the principal in a header instead of an environment variable, this approach is much more secure (you cannot set it without having better access to the server).

@pivotal-issuemaster

@Majlen Please sign the Contributor License Agreement!

@pivotal-issuemaster

@Majlen Thank you for signing the Contributor License Agreement!

@rwinch
Member

rwinch commented Aug 15, 2016

@Majlen Thanks for the Pull Request.

I haven't seen this approach. How do you set up your container (i.e. Tomcat) to populate the request attribute?

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Aug 15, 2016
@rwinch rwinch self-assigned this Aug 15, 2016
@rwinch rwinch modified the milestone: 4.2.0 M1 Aug 15, 2016
@Majlen
Author

Majlen commented Aug 18, 2016

This approach is used by SSO implementations which are implemented as modules of Apache HTTPd.

Basically the container is hidden behind a reverse proxy by using mod_jk, which can be set up to pass environment variables. These variables can then be accessed through the ServletRequest.getAttribute() method.

@rwinch
Member

rwinch commented Aug 30, 2016

@Majlen Thanks for the response. I suppose I should have been more detailed in my ask. Can you provide me a link to a specific SSO implementation that does this? I'd really like some instructions on how to set this up so I can try it.

A few improvements before this gets merged:

  • Add links to the SSO implementations that use this approach along with links to the setup required
  • Add tests

@Majlen
Author

Majlen commented Sep 7, 2016

OK, 2 SSOs that I know of are Shibboleth and WebAuth, links are provided below. In the case of WebAuth, you would also have to set up a Kerberos environment, since it is used as the authentication backend.

I will provide a test suite, probably tomorrow.

Shibboleth:

WebAuth:

@rwinch rwinch modified the milestones: 4.2.0 M2, 4.2.0 M1 Sep 21, 2016
@rwinch
Member

rwinch commented Sep 21, 2016

Moved this back to M2 since there are no tests yet and M1 is getting released today

Milan Ševčík added 2 commits September 22, 2016 08:56
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
@Majlen
Author

Majlen commented Sep 22, 2016

Aah, I forgot, sorry about that. Tests are now included.

rwinch pushed a commit that referenced this pull request Sep 22, 2016
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests

Polish gh-3978
@rwinch rwinch changed the title from "Added authentication filter reading environment variables." to "Add RequestAttributeAuthenticationFilter" Sep 22, 2016
@rwinch rwinch removed the status: waiting-for-feedback We need additional information before we can continue label Sep 22, 2016
@rwinch rwinch modified the milestones: 4.2.0 M1, 4.2.0 M2 Sep 22, 2016
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Sep 22, 2016
@rwinch
Member

rwinch commented Sep 22, 2016

Thanks for the PR!

This is now merged via a8120e7. I applied some polish via 9ae163e. Summary:

  • Rename to RequestAttributeAuthenticationFilter
  • Move the test out of the envvariable package to preauth
  • Formatting changes
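
An added example, not code from this pull request or from the Spring Security project: one way to wire the merged RequestAttributeAuthenticationFilter with Java configuration on Spring Security 4.2, so the principal comes from a request attribute set by the front-end web server rather than from a request header. The class name SsoSecurityConfig, the attribute name REMOTE_USER, the ROLE_USER authority and the mod_jk directive named in the comments are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestAttributeAuthenticationFilter;

// Hypothetical configuration class (assumption, not part of the PR).
@Configuration
@EnableWebSecurity
public class SsoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // The SSO module in Apache HTTPd has already authenticated the user,
        // so the provider only maps the pre-authenticated principal to
        // UserDetails. A real deployment would look up authorities here.
        PreAuthenticatedAuthenticationProvider provider =
                new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(token ->
                new User(token.getName(), "N/A",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestAttributeAuthenticationFilter filter =
                new RequestAttributeAuthenticationFilter();
        // Read via ServletRequest.getAttribute(). Assumes the proxy forwards
        // the variable over AJP, e.g. mod_jk's "JkEnvVar REMOTE_USER".
        filter.setPrincipalEnvironmentVariable("REMOTE_USER");
        // Fail closed: a request that arrives without the attribute did not
        // pass through the SSO module and is rejected, not treated as anonymous.
        filter.setExceptionIfVariableMissing(true);
        filter.setAuthenticationManager(authenticationManager());

        http.addFilter(filter)
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

The attribute is only as trustworthy as the path that sets it, so the container's AJP connector should accept connections from the proxy host only.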
