Go to new doc!

+49 228 5552576-0


info@predic8.com

login

Description

The login interceptor can be used to restrict and secure end user access to an arbitrary web application.

Users firstly have to authenticate themselves against a directory server using a username and password. Secondly, a numeric token is then sent to the user's cell phone using a text message service. After token verification, access to the web application is granted for the user's session. Single Sign On can easily be realized using a small source code extension or modification of a web application.

Can be used in

spring:beans, if, internalProxy, proxy, registration, request, response, serviceProxy, soapProxy, stompProxy, swaggerProxy, transport and wsStompReassembler

Syntax

				<login path="string" location="string" >
					user data provider
					[session manager]
					[account blocker]
					token provider
				</rest2Soap>
			
Listing 1: login Syntax

Sample

           <login path="/login/" location="file:c:/work/login/">
           
                <ldapUserDataProvider
                     url="ldap://192.168.2.100"
                     base="dc=predic8,dc=de"
                     searchPattern="(cn=%LOGIN%)">
                     <map>
                        <attribute from="telephoneNumber" to="sms" />
                        <attribute from="uidNumber" to="header-X-Security-UID" />
                     </map>
                </ldapUserDataProvider>

                <telekomSMSTokenProvider
                     user="predic8"
                     password="secret" />

           </login>
			
Listing 2: login Example
           <login path="/login/" location="file:c:/work/login/">
           
                <ldapUserDataProvider
                     url="ldap://192.168.2.100"
                     base="dc=predic8,dc=de"
                     binddn="cn=Manager,dc=predic8,dc=de"
                     bindpw="secret"
                     searchPattern="(cn=%LOGIN%)"
                     searchScope="subtree"
                     timeout="1000"
                     connectTimeout="1000"
                     readAttributesAsSelf="true" >
                     <map>
                        <attribute from="telephoneNumber" to="sms" />
                        <attribute from="uidNumber" to="header-X-Security-UID" />
                     </map>
                </ldapUserDataProvider>

                <sessionManager
                    cookieName="SESSIONID"
                    timeout="300000" />                
                
                <accountBlocker 
                     afterFailedLogins="5"
                     afterFailedLoginsWithin="9223372036854775807"
                     blockFor="3600000" 
                     blockWholeSystemAfter="1000000" />
                     
                <telekomSMSTokenProvider
                     user="predic8"
                     password="secret"
                     prefixText="Token: "
                     normalizeTelephoneNumber="true" />

           </login>
			
Listing 3: login Full Example

Attributes

Name Required Default Description Example
exposeUserCredentialsToSession false - Whether the user's credentials should be copied over to the session. This means they will stay in memory and will be available to all Membrane components.
location true - location of the login dialog template (a directory containing the index.html file as well as possibly other resources) See here for a description of the format. file:c:/work/login/
message false - Set the message displayed during redirect.
path true - context path of the login dialog /login/

Explanation

The login interceptor combines 4 modules to implement its functionality. One implementation of each of the 4 module types is required. (The session manager and account blocker have default implementations.)

login interceptor workflow

(Whether text messages and LDAP is actually used depends on the configuration. Alternatives are possible.)

The login interceptor realizes the login workflow. If all information entered by the user is valid, the workflow is as follows:

Child Elements

Position Cardinality Description Element
1 1..1 The user data provider verifying a combination of a username with a password. cachingUserDataProvider, customStatementJdbcUserDataProvider, jdbcUserDataProvider, ldapUserDataProvider, staticUserDataProvider or unifyingUserDataProvider
2 0..1 The sessionManager. (Default values will be used, if the element is not specified.) sessionManager
3 0..1 The accountBlocker. (Default values will be used, if the element is not specified.) accountBlocker
4 0..1 The token provider computing or generating a numeric value used for two-factor authentication. emailTokenProvider, emptyTokenProvider, telekomSMSTokenProvider, totpTokenProvider or whateverMobileSMSTokenProvider

Configuration of the Login Dialog

The login dialog uses the context path specified by the path attribute of the login interceptor.

The location attribute points to a location (for example, a directory) where a template of the login dialog is located in a file called index.html. This file should at least contain a snippet similar to the following code:

${if error}
<p> Fehler: <span style="color:red;">
${if error='INVALID_PASSWORD'}
Ung&uuml;ltiges Passwort.
${else}
${if error='INTERNAL_SERVER_ERROR'}
Interner Fehler.
${else}
${if error='INVALID_TOKEN'}
Ung&uuml;ltiges Token.
${else}
${if error='ACCOUNT_BLOCKED'}
Ihr Zugang ist tempor&auml;r gesperrt.
${else}
${error}
${end}
${end}
${end}
${end}
</span></p>
${end}

<form method="post" action="${action}" accept-charset="UTF-8">
<input type="hidden" name="target" value="${target}" />

${if token}

Bitte geben Sie Ihr Token ein:<br/>
<input type="text" name="token" autofocus /><br/>
<br/>
<input type="submit" value="Verifizieren" /><br/>

${else}

Benutzername:<br/>
<input type="text" name="username" autofocus /><br/>
Passwort:<br/>
<input type="password" name="password" /><br/>
<br/>
<input type="submit" value="Login" /><br/>

${end}

</form>
			
Listing 4: Sample Login Dialog

As you might have guessed, this one file is used to create

  • the login dialog,
  • the token input dialog and
  • pages displaying error messages.

Example

The login example contained in the distribution demonstrates a simple setup usind the staticUserDataProvider and the totpTokenProvider.