GateIn 3.5 Authentication

Version 3

    Since GateIn 3.4, the migration to Servlet 3.x based containers allows GateIn 3.5 to simplify the authentication process:

    1. Authentication is still based on the WCI project, for several reasons: SSO can depend on WCI but cannot depend on GateIn, and WCI is lower level while GateIn focuses on integration.
    2. The programmatic login provides a direct authentication with the servlet container and removes the abuse of the form based authentication that was used previously. Authentication can now be done directly, without HTTP redirection and similar artifacts.

    Login Servlet

    Before GateIn 3.5, several servlets were necessary (InitiateLoginServlet, GateInWCIController, etc.). Since 3.5 a single servlet is used and performs several responsibilities:

    • Handle authentication when a username and password are provided
    • Set up the rememberme token when necessary
    • Show the login form when authentication cannot be performed (not enough credentials or authentication failure)

    The login servlet uses the following flow to perform the action and determine the status:

    1. If the user is unauthenticated and the username and password parameters are provided
      1. Authentication succeeds: status = authenticated
        1. Bind credentials to the conversation state
        2. Create the remember token and cookie when rememberme is requested
      2. Authentication fails: status = failed
    2. Otherwise: status = unauthenticated

    Then, according to the status, a response is sent to the client:

    1. Determine the initialURI
      1. If a request parameter is provided: use it
      2. Otherwise use the context path of the web application
    2. According to the status
      1. If the status is authenticated: redirect to the initialURI
      2. Otherwise display the login.jsp page
        1. Set the request attribute org.gatein.portal.login.error when the status was failed
        2. Set the request attribute org.gatein.portal.login.initial_uri to the initialURI
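
    The two flows above (determine the status, then answer according to it) as a single servlet, written here as an added example and not GateIn's own LoginServlet. The status names, the two request attributes and the login.jsp page come from this page; the "initialURI" and "rememberme" parameter names, the "rememberme" cookie name, the RememberMeTokens interface and the way it is looked up are assumptions of the example. The Servlet 3.x HttpServletRequest.login() call is the programmatic login the page refers to.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Single login servlet following the flow described on this page.
 * Added example, not GateIn's LoginServlet; see the assumptions listed above.
 */
public class ExampleLoginServlet extends HttpServlet {

    /** Assumed token store (not the project's API): issues an opaque remember-me token. */
    public interface RememberMeTokens {
        String create(String username, String password);
    }

    /** Outcome of the authentication step, using the page's status names. */
    enum Status { AUTHENTICATED, FAILED, UNAUTHENTICATED }

    private RememberMeTokens tokens;

    @Override
    public void init() {
        // Assumption: the application registers its token store as a servlet context attribute.
        tokens = (RememberMeTokens) getServletContext().getAttribute(RememberMeTokens.class.getName());
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Flow 1: perform the action and determine the status.
        Status status = authenticate(req, resp);
        // Flow 2: answer the client according to the status.
        String initialURI = initialURI(req);
        if (status == Status.AUTHENTICATED) {
            resp.sendRedirect(resp.encodeRedirectURL(initialURI));
            return;
        }
        if (status == Status.FAILED) {
            req.setAttribute("org.gatein.portal.login.error", Boolean.TRUE);
        }
        req.setAttribute("org.gatein.portal.login.initial_uri", initialURI);
        req.getRequestDispatcher("/login.jsp").forward(req, resp);
    }

    private Status authenticate(HttpServletRequest req, HttpServletResponse resp) {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // Only attempt a login for an unauthenticated request carrying both parameters;
        // HttpServletRequest.login() rejects a request that already has a user principal.
        if (req.getRemoteUser() != null || username == null || password == null) {
            return Status.UNAUTHENTICATED;
        }
        try {
            // Servlet 3.x programmatic login: the container authenticates directly,
            // no redirect through a form action is needed.
            req.login(username, password);
        } catch (ServletException e) {
            return Status.FAILED;
        }
        // Binding the credentials to the conversation state happens here (GateIn-specific, omitted).
        if ("true".equals(req.getParameter("rememberme"))) {
            Cookie cookie = new Cookie("rememberme", tokens.create(username, password));
            cookie.setPath(contextPathOrRoot(req));
            cookie.setHttpOnly(true);          // not readable from page scripts
            cookie.setSecure(req.isSecure());  // issued over TLS: only sent back over TLS
            resp.addCookie(cookie);
        }
        return Status.AUTHENTICATED;
    }

    /** initialURI: the request parameter when given, otherwise the web application's context path. */
    private String initialURI(HttpServletRequest req) {
        String uri = req.getParameter("initialURI");
        // Hardening not described on the page: accept only a local absolute path so the
        // post-login redirect cannot be pointed at another site.
        if (uri == null || !uri.startsWith("/") || uri.startsWith("//")) {
            return contextPathOrRoot(req);
        }
        return uri;
    }

    private static String contextPathOrRoot(HttpServletRequest req) {
        String ctx = req.getContextPath();
        return ctx.isEmpty() ? "/" : ctx;  // the root context has an empty context path
    }
}
```

    Mapped to /login as described under "Web mapping configuration", a failed or missing login forwards to login.jsp with the two attributes set, while a successful one answers with a single redirect to the initialURI.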

    Rememberme Filter

    The remember me filter works very similarly to the previous version; the main difference is that it performs a direct authentication using WCI when the token is provided and then continues the request. It also binds the credentials to the conversation state and cleans up the authentication token when it is not valid.
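
    The filter behaviour just described, as an added example that is not GateIn's filter. The page's "direct authentication using WCI" is represented by the Servlet 3.x HttpServletRequest.login() call; the "rememberme" cookie name, the TokenStore interface (what a token resolves to) and the way it is looked up are assumptions of the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Remember-me filter following the description on this page.
 * Added example, not GateIn's filter; see the assumptions listed above.
 */
public class ExampleRememberMeFilter implements Filter {

    /** Assumed store (not the project's API): resolves a token to {username, password}, or null. */
    public interface TokenStore {
        String[] resolve(String token);
        void remove(String token);
    }

    private TokenStore store;

    @Override
    public void init(FilterConfig config) {
        // Assumption: the application registers its token store as a servlet context attribute.
        store = (TokenStore) config.getServletContext().getAttribute(TokenStore.class.getName());
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie cookie = findCookie(req, "rememberme");
        // Act only on an unauthenticated request that presents a token. This filter runs
        // before SetCurrentIdentityFilter so the identity is already established downstream.
        if (cookie != null && req.getRemoteUser() == null) {
            String[] credentials = store.resolve(cookie.getValue());
            boolean valid = false;
            if (credentials != null) {
                try {
                    req.login(credentials[0], credentials[1]);  // direct container authentication
                    // Binding the credentials to the conversation state happens here (GateIn-specific, omitted).
                    valid = true;
                } catch (ServletException e) {
                    valid = false;  // stored credentials no longer accepted (e.g. password changed)
                }
            }
            if (!valid) {
                // Token unknown or no longer valid: drop it server-side and expire the client cookie.
                store.remove(cookie.getValue());
                Cookie expired = new Cookie("rememberme", "");
                String ctx = req.getContextPath();
                expired.setPath(ctx.isEmpty() ? "/" : ctx);  // same path the cookie was issued with
                expired.setMaxAge(0);
                resp.addCookie(expired);
            }
        }
        chain.doFilter(request, response);  // continue the request either way
    }

    private static Cookie findCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();  // null when the request carries no cookies
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (name.equals(c.getName())) {
                    return c;
                }
            }
        }
        return null;
    }

    @Override
    public void destroy() {
    }
}
```

    The request is never blocked by the filter: with a valid token it reaches the next filter already authenticated, and with an invalid one it reaches it unauthenticated with the stale cookie cleared.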

    Sanitization

    Several things are not required anymore:

    • Several servlets are removed
      • DoLoginServlet
      • ErrorLoginServlet
      • GateInWCIController
      • InitiateLoginServlet
      • PortalLoginController
    • The credential registry is removed
    • The token store for credentials is removed
    • The WCILoginModule is removed

    Web mapping configuration

    The web.xml has been cleaned of the removed servlets, and authentication is configured as follows:

    • LoginServlet is mapped to /login: it provides the same services as previously
    • The RememberMe filter is now earlier in the call stack, before the SetCurrentIdentityFilter, as it needs to perform authentication before that filter runs
    • The web security constraint is simplified to only retain /dologin, mapped to the LoginServlet, for SSO needs
    • Form based authentication remains and uses /login as both the login and error page

    Work In Progress

    Branch here: https://github.com/vietj/gatein-portal/tree/pcwci

    Todo

    • Check SSO and WS-Security (Matt and Marek)
    • Handle group and user security redirection to the login page (Trong)