public class CrossDomainSingleSignOnFilter extends Object implements Filter
Once the user is authenticated, AM calls back to IG via the configured CDSSO redirect endpoint ("redirectEndpoint"). This callback request includes the required authentication as a JWT. With this, access to the protected resource is granted.
The JWT is stored in the configured cookie name and the request is further redirected to the original URI (of the protected resource), together with session information. The JWT is furthermore stored in a CdSsoContext, while the SSO token contained within it is stored in a SsoTokenContext.
{
    "type": "CrossDomainSingleSignOnFilter",
    "config": {
        "amService"        : AmService [REQUIRED]
        "redirectEndpoint" : IG redirect URI [REQUIRED]
        "failureHandler"   : Failure handler to be invoked when authentication fails. Defaults to defaultFailureHandler().
        "authCookie": {
            "name"   : Name of cookie containing the IG auth token. Defaults to IG_DEFAULT_AUTH_COOKIE_NAME.
            "domain" : Domain that cookie is applicable to. If unset, defaults to domain of IG host.
            "path"   : Path protected by this authentication. Defaults to IG_DEFAULT_AUTH_PATH.
        }
    }
}
Modifier and Type | Class and Description |
---|---|
static class | CrossDomainSingleSignOnFilter.Heaplet Creates and initialises an authentication filter in a heap environment. |
Constructor and Description |
---|
CrossDomainSingleSignOnFilter(AmService amService, String clientId, String redirectEndpoint, org.forgerock.openig.openam.CookieInfo cookieInfo, Supplier<String> idSupplier, JwtValidator validator, Handler failureHandler) Creates a new CrossDomainSingleSignOnFilter. |
Modifier and Type | Method and Description |
---|---|
Promise<Response,NeverThrowsException> | filter(Context context, Request request, Handler next) Filters the request and/or response of an exchange. |
public CrossDomainSingleSignOnFilter(AmService amService, String clientId, String redirectEndpoint, org.forgerock.openig.openam.CookieInfo cookieInfo, Supplier<String> idSupplier, JwtValidator validator, Handler failureHandler)
amService - The AmService which manages the login/logout
clientId - The client id to use to register this IG instance as an AM client
redirectEndpoint - The IG redirect endpoint to callback to after authentication
cookieInfo - The IG authentication cookie config
idSupplier - Supplier of unique identifiers
validator - JwtValidator instance supporting JWT validation
failureHandler - The failure handler to be invoked when authentication fails
public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Filter
next.handle(context, request)
.
This method may elect not to pass the request to the next filter or
handler, and instead handle the request itself. It can achieve this by
merely avoiding a call to next.handle(context, request)
and creating its own response object. The filter is also at liberty to
replace a response with another of its own by intercepting the response
returned by the next handler.
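The two behaviours described above, shown in a small filter that could sit in front of CrossDomainSingleSignOnFilter in a chain. This is an added example, not ForgeRock's code: the class name HttpsOnlyNoStoreFilter and its policy are hypothetical, and it assumes Java 8 and that IG itself terminates TLS, so the request URI scheme is reliable.

```java
import org.forgerock.http.Filter;
import org.forgerock.http.Handler;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.http.protocol.Status;
import org.forgerock.services.context.Context;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.promise.Promise;

/**
 * Hypothetical filter (illustration only). It keeps the CDSSO JWT cookie off
 * plain-HTTP connections and stops authenticated responses from being cached.
 */
public class HttpsOnlyNoStoreFilter implements Filter {

    @Override
    public Promise<Response, NeverThrowsException> filter(Context context,
                                                          Request request,
                                                          Handler next) {
        // Case 1: handle the request here and never call next.handle().
        // A plain-HTTP request is refused before any downstream filter can
        // set or read the authentication cookie on an unencrypted channel.
        // Assumption: IG sees the real scheme (no TLS-terminating proxy in front).
        if (!"https".equalsIgnoreCase(request.getUri().getScheme())) {
            Response refused = new Response(Status.FORBIDDEN);
            refused.getEntity().setString("HTTPS is required");
            return Response.newResponsePromise(refused);
        }

        // Case 2: pass the request down the chain, then intercept the
        // response returned by the next handler before it reaches the client.
        return next.handle(context, request)
                   .thenOnResult(response ->
                       // Pages served to an authenticated session should not
                       // be kept by shared caches or the browser cache.
                       response.getHeaders().put("Cache-Control", "no-store"));
    }
}
```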
Copyright 2011-2017 ForgeRock AS.