| Volet | ||
|---|---|---|
| ||
The ESUP authentication layer |
| Sommaire | ||||||
|---|---|---|---|---|---|---|
|
Introduction
The ESUP authentication layer is a versatile authentication layer, to be accessed by many different clients (web browsers, operating systems,
...
applications...)
...
:
...
- Web
...
- browsers
...
- that
...
- may
...
- support
...
- only
...
- HTTP
...
- scheme
...
- (not
...
- WebDAV
...
- extensions)
...
- but
...
- redirections
...
- and
...
- HTTP
...
- basic
...
- authentication
...
- scheme
...
- (realms);
...
- Operating
...
- systems
...
- and
...
- system
...
- applications
...
- that
...
- may
...
- be
...
- fully
...
- WebDAV-compliant
...
- but
...
- do
...
- not
...
- implement
...
- redirections
...
- and/or
...
- form
...
- completion
...
- (and
...
- thus
...
- can
...
- not
...
- respond
...
- to
...
- SSO
...
- requests);
...
- Web
...
- applications
...
- that
...
- may
...
- be
...
- SSO-compliant
...
- but
...
- not
...
- always.
...
This
...
versatility
...
is
...
achieved
...
with
...
a
...
highly
...
configurable
...
authentication
...
layer
...
shown
...
in
...
figure
...
3,
...
made
...
up
...
of
...
an
...
authentication
...
router
...
that
...
chooses
...
between
...
three
...
authentication
...
filters:
...
- CAS
...
- authentication
...
- for
...
- web
...
- browsers
...
- and
...
- applications,
...
- LDAP
...
- authentication
...
- for
...
- operating
...
- systems,
...
- Trusted
...
- authentication
...
- for
...
- trusted
...
- applications
...
- (based
...
- on
...
- a
...
- secret
...
- shared
...
- between
...
- the
...
- application
...
- and
...
- the
...
- server).
...
The
...
selection
...
of
...
a
...
filter
...
is
...
performed
...
by
...
the
...
router,
...
depending
...
on
...
the
...
agent
...
(i.e.
...
the
...
type
...
of
...
the
...
client:
...
browser,
...
application...),
...
its
...
localization
...
(IP
...
address),
...
the
...
target
...
(virtual)
...
server
...
name
...
and
...
the
...
configuration
...
set
...
by
...
the
...
administrators
...
of the server.
Configuration
The router
This is probably the hardest think to configure. The configuration is defined in the web.xml file of the application. The different parameters values of the web.xml are defined in the build.properties.
Let's have a look at the configuration of the web.xml:
| Bloc de code |
|---|
<filter>
|
General configuration
Filter name and class - you DO NOT have to modify these values
| Bloc de code |
|---|
the server. \!filters.png\!h1. h1. Configuration \\ h2. The router This is probably the hardest think to configure. The configuration is defined in the *web.xml* file of the application. The different parameters values of the *web.xml* are defined in the *build.properties*. Let's have a look at the configuration of the web.xml: {code} <filter> {code} h3. General configuration \\ Filter name and class - you DO NOT have to modify these values\\ {code} <filter-name>authenticationRouter</filter-name> <filter-class>org.esupportail.filter.authenticationRouter.AuthenticationRouter</filter-class> {code}\\ Here is the * |
Here is the slide.authenticationRouter.filterList
...
which
...
determines
...
the
...
filter
...
order.
...
In
...
the
...
example
...
below
...
the
...
router
...
will
...
first
...
try
...
to
...
match
...
the
...
LDAP
...
filter
...
criteria
...
(defined
...
after
...
in
...
the
...
file)
...
then
...
the
...
CAS
...
filter
...
... up to the UNAUTHENTICATED filter.
| Bloc de code |
|---|
up to the UNAUTHENTICATED filter. \\ \\ {code} <init-param> <param-name>org.esupportail.filter.authenticationRouter.filterList</param-name> <param-value>LDAP CAS TRUSTED UNAUTHENTICATED</param-value> </init-param> {code}\\ Now you have to configure the * |
Now you have to configure the slide.authenticationRouter.defaultAuthenticationFilter
...
that
...
is
...
the
...
filter
...
used
...
by
...
default
...
if
...
no
...
filter
...
are
...
finally
...
selected
...
by
...
the
...
router
...
(in
...
other
...
words
...
if
...
-
...
for
...
each
...
filter
...
-
...
at
...
least
...
one
...
criterion
...
DOES
...
NOT
...
matches
...
the
...
request).
| Bloc de code |
|---|
\\ \\ {code} <init-param> <param-name>org.esupportail.filter.authenticationRouter.defaultAuthenticationFilter</param-name> <param-value>TRUSTED</param-value> </init-param> {code}\\ The following parameter is important and will often be let to false. If false, then ONLY ONE filter will be used - the first one matching the request in the * |
The following parameter is important and will often be let to false. If false, then ONLY ONE filter will be used - the first one matching the request in the slide.authenticationRouter.filterList
...
.
...
If
...
true
...
then
...
every
...
filter
...
matching
...
the
...
request
...
will
...
be
...
used.
...
Imagine
...
for
...
example
...
that
...
the
...
LDAP
...
and
...
TRUSTED
...
criteria
...
match
...
the
...
request,
...
then
...
the
...
request
...
will
...
be
...
first
...
forwarded
...
to
...
the
...
LDAP
...
filter
...
(for
...
an
...
LDAP
...
authentication)
...
and
...
then
...
to
...
the
...
TRUSTED
...
filter
...
(for
...
a
...
TRUSTED
...
authentication)
...
-
...
and
...
in
...
this
...
order
...
!
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.authenticationRouter.enableCascading</param-name> <param-value>false</param-value> </init-param> {code} h3. Selection criteria for each authentication filter \\ The following sections define selection criteria for each |
Selection criteria for each authentication filter
The following sections define selection criteria for each filter. There are 4 sections of 5 criteria whose names finish by an authentication filter name (LDAP - CAS - TRUSTED - UNAUTHENTICATED).
| Bloc de code |
|---|
filter. There are 4 sections of 5 criteria whose names finish by an authentication filter name (LDAP - CAS - TRUSTED - UNAUTHENTICATED).\\ {code} <!-- LDAP --> <init-param> <param-name>org.esupportail.filter.authenticationRouter.allowClientIPLDAP</param-name> <param-value></param-value> </init-param> <init-param> <param-name>org.esupportail.filter.authenticationRouter.useSecureRequestLDAP</param-name> <param-value></param-value> </init-param> <init-param> <param-name>org.esupportail.filter.authenticationRouter.agentLDAP</param-name> <param-value></param-value> </init-param> <init-param> <param-name>org.esupportail.filter.authenticationRouter.httpRequestParameterLDAP</param-name> <param-value></param-value> </init-param> <init-param> <param-name>org.esupportail.filter.authenticationRouter.destinationHostLDAP</param-name> <param-value></param-value> </init-param> {code}\\ \\ {info} A filter is selected by the router if each criterion matches |
| Info |
|---|
A filter is selected by the router if each criterion matches the request. |
Let's have a look on each criterion in more details.
allowClientIP[FilterName] : if empty then there is no restriction else only requests with one of the given client IP adresses will be forwarded to the filter [FilterName].
| Bloc de code |
|---|
the request. {info} Let's have a look on each criterion in more details. allowClientIP[FilterName] : if empty then there is no restriction else only requests with one of the given client IP adresses will be forwarded to the filter [FilterName]. {code} <!-- TRUSTED --> <init-param> <param-name>org.esupportail.filter.authenticationRouter.allowClientIPTRUSTED</param-name> <param-value>129.20.129.12 129.20.129.13</param-value> </init-param> {code} |
useSecureRequest[FilterName]
...
:
...
if
...
true
...
then
...
only
...
HTTPS
...
requests
...
will
...
be
...
forwarded
...
to
...
the
...
filter
...
[FilterName].
| Bloc de code |
|---|
\\ {code} <init-param> <param-name>org.esupportail.filter.authenticationRouter.useSecureRequestTRUSTED</param-name> <param-value>false</param-value> </init-param> {code}\\ |
agent[FilterName]
...
:
...
if
...
empty
...
then
...
there
...
is
...
no
...
restriction
...
else
...
only
...
request
...
with
...
one
...
of
...
the
...
given
...
client
...
agents
...
will
...
be
...
forwarded
...
to
...
the
...
filter
...
[FilterName].
...
The
...
agent
...
identifies
...
the
...
type
...
of
...
the
...
client
...
-
...
mozilla,
...
DAVFS...
...
-
...
*Regular
...
expressions
...
are
...
accepted*.
| Bloc de code |
|---|
\\ \\ {code} <init-param> <param-name>org.esupportail.filter.authenticationRouter.agentTRUSTED</param-name> <param-value>*mozilla*</param-value> </init-param> {code}\\ |
httpRequestParameter[FilterName]
...
:
...
if
...
empty
...
then
...
there
...
is
...
no
...
restriction
...
else
...
only
...
request
...
with
...
the
...
given
...
parameters
...
will
...
be
...
forwarded
...
to
...
the
...
given
...
filter
...
(here
...
TRUSTED).
...
*Regular
...
expressions
...
are
...
accepted*.
| Bloc de code |
|---|
\\ {code} <init-param> <param-name>org.esupportail.filter.authenticationRouter.httpRequestParameterTRUSTED</param-name> <param-value>auth=trusted authentication=trusted mode*=*secure*</param-value> </init-param> {code} |
destinationHost[FilterName_]
...
:
...
if
...
empty
...
then
...
there
...
is
...
no
...
restriction
...
else
...
only
...
request
...
with
...
the
...
given
...
destination
...
hosts
...
will
...
be
...
forwarded
...
to
...
the
...
given
...
filter
...
(here
...
TRUSTED).
...
*Regular
...
expressions
...
are
...
accepted*.
| Bloc de code |
|---|
\\ {code} <init-param> <param-name>org.esupportail.filter.authenticationRouter.destinationHostTRUSTED</param-name> <param-value>webdav-restricted.univ-rennes1.fr webdav-restricted2.univ-rennes1.fr *.univ-valenciennes.fr</param-value> </init-param> {code}\\ \\ h2. The LDAP authentication filter \\ Processes an LDAP authentication. {code} <filter> {code |
The LDAP authentication filter
Processes an LDAP authentication.
| Bloc de code |
|---|
<filter>
|
Filter name and class - you DO NOT have to modify these values
| Bloc de code |
|---|
}
Filter name and class - you DO NOT have to modify these values\\
{code}
<filter-name>LDAP</filter-name>
<filter-class>org.esupportail.filter.LDAPFilter.LDAPFilter</filter-class>
|
Let the following parameter to true.
| Bloc de code |
|---|
{code}\\ Let the following parameter to true. \\ \\ {code} <init-param> <param-name>org.esupportail.filter.LDAPFilter.useAuthenticationRouter</param-name> <param-value>true</param-value> </init-param> {code}\\ LDAP directory |
LDAP directory URL's
...
(the
...
alternate
...
URL
...
is
...
optionnal
...
-
...
usefull
...
if
...
the
...
first
...
directory
...
does
...
not
...
work)
| Bloc de code |
|---|
\\ \\ {code} <init-param> <param-name>org.esupportail.filter.LDAPFilter.connectionURL</param-name> <param-value>ldap://myLdap.univ.fr:389</param-value> </init-param> <init-param> <param-name>org.esupportail.filter.LDAPFilter.alternateURL</param-name> <param-value>ldap://myLdap2.univ.fr:389</param-value> </init-param> {code}\\ Bind type = searchbind or fastbind \\ * searchbind : The filter will first try to find the connected user, using the given *base DN*, *scope* and *filter* \- and then will execute a bind request. * fastbind : The filter will try to bind with the given *pattern* {code} |
Bind type = searchbind or fastbind
- searchbind : The filter will first try to find the connected user, using the given base DN, scope and filter - and then will execute a bind request.
- fastbind : The filter will try to bind with the given pattern
Bloc de code <init-param> <param-name>org.esupportail.filter.LDAPFilter.bindType</param-name> <param-value>SEARCHBIND</param-value> <!-- FASTBIND --> </init-param>
...
fastBindUserPattern
...
:
...
Pattern
...
used
...
to
...
build
...
a
...
DN
...
to
...
bind.
...
The
...
syntax
...
is
...
uniqueAttributeEqualsToLogin={0},baseDN
| Bloc de code |
|---|
{code} <init-param> <param-name>org.esupportail.filter.LDAPFilter.fastBindUserPattern</param-name> <param-value>uid=\{0\},ou=people,dc=univ,dc=fr</param-value> </init-param> {code} \\ The following attributes are param> |
The following attributes are optionnals and specify the credential to connect to the LDAP if needed.
| Bloc de code |
|---|
optionnals and specify the credential to connect to the LDAP if needed. {code} <init-param> <param-name>org.esupportail.filter.LDAPFilter.searchBindConnectionName</param-name> <param-value>LDAPMaster</param-value> </init-param> <init-param> <param-name>org.esupportail.filter.LDAPFilter.searchBindConnectionPassword</param-name> <param-value>whatACoolWebDAVServer\!</param-value> </init-param> {code} |
The
...
tree
...
last
...
atributes
...
are
...
classical
...
LDAP
...
configuration
...
parameters
...
-
...
you
...
won't
...
have
...
any
...
difficulties
...
to
...
understand
...
them. 
| Bloc de code |
|---|
;-) {code} <init-param> <param-name>org.esupportail.filter.LDAPFilter.searchBindBaseDN</param-name> <param-value>ou=people,dc=univ,dc=fr</param-value> </init-param> <init-param> <param-name>org.esupportail.filter.LDAPFilter.searchBindScope</param-name> <param-value>SUBTREE_SCOPE</param-value> <\!-\- SUBTREE_SCOPE \| ONELEVEL_SCOPE \| OBJECT_SCOPE \--> </init-param> <init-param> <param-name>org.esupportail.filter.LDAPFilter.searchBindFilter</param-name> <param-value>uid= {0} </param-value> </init-param> </filter> {code} h2. The TRUSTED authentication filter \\ Processes a TRUSTED authentication. The easiest filter to configure. {code} <filter> |
The TRUSTED authentication filter
Processes a TRUSTED authentication. The easiest filter to configure.
| Bloc de code |
|---|
<filter>
|
Filter name and class - you DO NOT have to modify these values
| Bloc de code |
|---|
{code} Filter name and class - you DO NOT have to modify these values {code} <filter-name>TRUSTED</filter-name> <filter-class>org.esupportail.filter.trustedFilter.TrustedFilter</filter-class> {code} |
Let
...
the
...
following
...
parameter
...
to
...
true.
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.trustedFilter.useAuthenticationRouter</param-name> <param-value>true</param-value> </init-param> {code} |
Trusted
...
password
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.trustedFilter.trustedPassword</param-name> <param-value>XXXXXXXXXX</param-value> </init-param> {code} *Optionnal* allowed user list |
Optionnal allowed user list - Let it empty for no user restriction.
| Bloc de code |
|---|
- Let it empty for no user restriction. {code} <init-param> <param-name>org.esupportail.filter.trustedFilter.trustedUsers</param-name> <param-value>tbellemb:bourges:masterYoda</param-value> </init-param> </filter> {code} h2. The UNAUTHENTICATED authentication filter \\ There is no entry for this filter in the web.xml file because this |
The UNAUTHENTICATED authentication filter
There is no entry for this filter in the web.xml file because this filter...
...
does
...
not
...
exist !
If the authentication router selects this filter then the request will be directed to a non existing filter - the consequence is that the user name will not be included in the request going to the server.
The SHIB authentication filter (only on the v5.0 and upper)
Processes an Shibboleth authentication.
| Bloc de code |
|---|
<filter>
|
Filter name and class - you DO NOT have to modify these values
| Bloc de code |
|---|
\! If the authentication router selects this filter then the request will be directed to a non existing filter - the consequence is that the user name will not be included in the request going to the server. h2. The SHIB authentication filter (only on the v5.0 and upper) \\ Processes an Shibboleth authentication. {code} <filter> {code} Filter name and class - you DO NOT have to modify these values {code} <filter-name>SHIB</filter-name> <filter-class>org.esupportail.filter.shibFilter.ShibFilter</filter-class> {code} |
Let
...
the
...
following
...
parameter
...
to
...
true.
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.shibFilter.useAuthenticationRouter</param-name> <param-value>true</param-value> </init-param> {code} The * |
The slide.shibFilter.localsDomains
...
attribute is a regular expression which describe de locals domains
| Bloc de code |
|---|
is a regular expression which describe de locals domains {code} <init-param> <param-name>org.esupportail.filter.ShibFilter.localsDomains</param-name> <param-value>.*@(univ-rennes1\|ensc-rennes\|sciencespo-rennes\|eleves.ensc-rennes\|etudiant.sciencespo-rennes\|etudiant.univ-rennes1).fr</param-value> </init-param> {code} |
The
...
value
...
of
...
the
...
slide.shibFilter.localsDomainsAttribute
...
attribute
...
is
...
the
...
attribute
...
name
...
which
...
will
...
pick
...
up
...
the
...
remote
...
user
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.ShibFilter.localsDomainsAttribute</param-name> <param-value>REMOTE_USER2</param-value> </init-param> {code} The * |
The slide.shibFilter.remoteUserAttribute
...
attribute
...
is
...
the
...
name
...
of
...
the
...
attribute
...
which
...
have
...
the
...
value
...
that
...
will
...
be
...
used
...
to
...
define
...
the
...
remote
...
user
...
value
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.ShibFilter.remoteUserAttribute</param-name> <param-value>REMOTE_USER2</param-value> </init-param> {code} The * |
The slide.shibFilter.FormatOutOfRemoteUser
...
attribute
...
is
...
a
...
regular
...
expression
...
which
...
indicate
...
de
...
format
...
of
...
the value to the remote user
| Bloc de code |
|---|
value to the remote user {code} <init-param> <param-name>org.esupportail.filter.ShibFilter.FormatOutOfRemoteUser</param-name> <param-value>(.*)@.*:</param-value> </init-param> {code} The * |
The slide.shibFilter.RegexpSeparator
...
attribute
...
is
...
a
...
separator
...
used
...
in
...
the
...
FormatOutOfRemoteUser
...
regular expression
| Bloc de code |
|---|
expression {code} <init-param> <param-name>org.esupportail.filter.ShibFilter.RegexpSeparator</param-name> <param-value>:</param-value> </init-param> {code} The \ |
The *slide.shibFilter.remoteUserAttributeOut
...
*attribute
...
is
...
the
...
name
...
of
...
the
...
attribute
...
that
...
store
...
the
...
remote
...
user
...
value
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.ShibFilter.remoteUserAttributeOut</param-name> <param-value>REMOTE_USER</param-value> </init-param> {code} |
The
...
parameter
...
slide.shibFilter.remoteUserAttributeOutSessionOrHeader
...
allow
...
to
...
choose
...
between
...
the
...
session
...
attributes
...
and
...
the
...
request attributes
| Bloc de code |
|---|
attributes {code} <init-param> <param-name>org.esupportail.filter.ShibFilter.remoteUserAttributeOutSessionOrHeader</param-name> <param-value>session</param-value> </init-param> {code} The * |
The slide.shibFilter.shibAttributePrefix
...
attribute
...
is
...
the
...
prefix
...
of
...
the
...
shibboleth
...
attributes
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.ShibFilter.shibAttributePrefix</param-name> <param-value>Shib</param-value> </init-param> {code} |
The
...
following
...
parameter
...
indicate
...
if
...
we
...
put
...
the
...
shibboleth
...
attributes
...
in
...
the
...
session
...
or
...
not
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.ShibFilter.shibAttributesInSession</param-name> <param-value>true</param-value> </init-param> </filter> {code} h2. The RedirectFilter |
The RedirectFilter (only
...
on
...
the
...
v5.1
...
and
...
upper)
...
The
...
RedirectFilter
...
is
...
a
...
filter
...
which
...
enable
...
to
...
redirect
...
an
...
url
...
into
...
another.
| Bloc de code |
|---|
} <filter> {code} |
Filter
...
name
...
and
...
class
...
-
...
you
...
DO
...
NOT
...
have
...
to
...
modify
...
these values
| Bloc de code |
|---|
values {code} <filter-name>REDIRECT</filter-name> <filter-class>org.esupportail.filter.redirectFilter.RedirectFilter</filter-class> {code} The * |
The slide.redirectFilter.DestinationHostTrigger
...
attribute
...
is
...
the
...
host
...
name
...
on
...
which
...
the
...
RedirectFilter
...
must
...
be executed
| Bloc de code |
|---|
executed {code} <init-param> <param-name>org.esupportail.filter.redirectFilter.DestinationHostTrigger</param-name> <param-value>[slide.redirectFilter.DestinationHostTrigger]</param-value> </init-param> {code} |
The
...
slide.redirectFilter.DestinationHost
...
attribute
...
is
...
the
...
host
...
name
...
which
...
must
...
used
...
for
...
an
...
indentification
| Bloc de code |
|---|
} <init-param> <param-name>org.esupportail.filter.redirectFilter.DestinationHost</param-name> <param-value>[slide.redirectFilter.DestinationHost]</param-value> </init-param> </filter> {code} {code} {code} |