Class SingleSignOnFilter
- java.lang.Object
-
- org.forgerock.openig.openam.SingleSignOnFilter
-
- All Implemented Interfaces:
Filter
public class SingleSignOnFilter extends Object implements Filter
This filter verifies the presence of a SSOToken in the given cookie name. If the request cookie header contains a SSOToken, its validity is verified before the request is forwarded to the next handler.If the SSOToken is not valid or if cookie header is not present or empty, then the user-agent is redirected to Access Management login page. Once log in has been successful, the request is forwarded.
IG appends a query parameter marker in generated redirect in order to determine, when the final redirect comes back without an iPlanetDirectoryPro (iPDP) cookie, if it should trigger a login or just fail because there is a cooke domain issue (properly authenticated on AM, but the iPDP cookie is not propagated back to IG).
{ "type": "SingleSignOnFilter", "config": { "amService" : AmService [REQUIRED] "logoutExpression" : booleanExpression [OPTIONAL - a boolean expression that if it evaluates as true, will be used to detect if a logout should be triggered.] "defaultLogoutLandingPage": uriExpression [OPTIONAL - URI to redirect after a successful logout.] "loginEndpoint" : uriExpression [OPTIONAL - URL to redirect to if the AM session is not valid or if AM cookie is not present/empty. The URL of the AmService is used when loginEndpoint is not specified.] } }
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
SingleSignOnFilter.Heaplet
Creates and initialises an authentication filter in a heap environment.
-
Constructor Summary
Constructors Constructor Description SingleSignOnFilter(org.forgerock.openig.tools.am.AmService amService, org.forgerock.openig.tools.am.Realm realm, Expression<Boolean> logoutExpression, String defaultLogoutLandingPage, Expression<String> loginEndpoint)
Creates a new SingleSignOnFilter.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description Promise<Response,NeverThrowsException>
filter(Context context, Request request, Handler next)
Filters the request and/or response of an exchange.
-
-
-
Constructor Detail
-
SingleSignOnFilter
public SingleSignOnFilter(org.forgerock.openig.tools.am.AmService amService, org.forgerock.openig.tools.am.Realm realm, Expression<Boolean> logoutExpression, String defaultLogoutLandingPage, Expression<String> loginEndpoint)
Creates a new SingleSignOnFilter.- Parameters:
amService
- TheAmService
which manages the login/logout.realm
- Realm to authenticate the user tologoutExpression
- The logout expression.defaultLogoutLandingPage
- The URI to which a request is redirected after the user logs out of AM.loginEndpoint
- The login endpoint.
-
-
Method Detail
-
filter
public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)
Description copied from interface:Filter
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter callsnext.handle(context, request)
.This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to
next.handle(context, request)
and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.
-
-