login
Description
The login interceptor can be used to restrict and secure end user access to an arbitrary web application.
Users firstly have to authenticate themselves against a directory server using a username and password. Secondly, a numeric token is then sent to the user's cell phone using a text message service. After token verification, access to the web application is granted for the user's session. Single Sign On can easily be realized using a small source code extension or modification of a web application.
Can be used in
spring:beans, api, bean, if, interceptor, internalProxy, proxy, registration, request, response, serviceProxy, soapProxy, stompProxy, swaggerProxy, transport and wsStompReassembler
Syntax
<login path="string" location="string" > user data provider [session manager] [account blocker] token provider </rest2Soap>
Sample
<login path="/login/" location="file:c:/work/login/"> <ldapUserDataProvider url="ldap://192.168.2.100" base="dc=predic8,dc=de" searchPattern="(cn=%LOGIN%)"> <map> <attribute from="telephoneNumber" to="sms" /> <attribute from="uidNumber" to="header-X-Security-UID" /> </map> </ldapUserDataProvider> <telekomSMSTokenProvider user="predic8" password="secret" /> </login>
<login path="/login/" location="file:c:/work/login/"> <ldapUserDataProvider url="ldap://192.168.2.100" base="dc=predic8,dc=de" binddn="cn=Manager,dc=predic8,dc=de" bindpw="secret" searchPattern="(cn=%LOGIN%)" searchScope="subtree" timeout="1000" connectTimeout="1000" readAttributesAsSelf="true" > <map> <attribute from="telephoneNumber" to="sms" /> <attribute from="uidNumber" to="header-X-Security-UID" /> </map> </ldapUserDataProvider> <sessionManager cookieName="SESSIONID" timeout="300000" /> <accountBlocker afterFailedLogins="5" afterFailedLoginsWithin="9223372036854775807" blockFor="3600000" blockWholeSystemAfter="1000000" /> <telekomSMSTokenProvider user="predic8" password="secret" prefixText="Token: " normalizeTelephoneNumber="true" /> </login>
Attributes
Name | Required | Default | Description | Example |
---|---|---|---|---|
exposeUserCredentialsToSession | false | - | Whether the user's credentials should be copied over to the session. This means they will stay in memory and will be available to all Membrane components. | |
location | true | - | location of the login dialog template (a directory containing the index.html file as well as possibly other resources) See here for a description of the format. | file:c:/work/login/ |
message | false | - | Set the message displayed during redirect. | |
path | true | - | context path of the login dialog | /login/ |
Explanation
The login interceptor combines 4 modules to implement its functionality. One implementation of each of the 4 module types is required. (The session manager and account blocker have default implementations.)
The user data provider checks user passwords and provides additional data for each user (e.g. cell phone number, Single Sign On data, etc.).
The session manager tracks the users' sessions across different HTTP requests (e.g. using a session cookie).
The account blocker tracks the number of failed login attempts and might block future login attempts for a specified amount of time.
The token provider generates the numeric token (possibly transmitting it to the user via a secondary channel like text messaging).
(Whether text messages and LDAP is actually used depends on the configuration. Alternatives are possible.)
The login interceptor realizes the login workflow. If all information entered by the user is valid, the workflow is as follows:
- The unauthenticated user is redirected to a login dialog.
- The user enters her username and password. (Step 1.)
- (A numeric token is sent to the user via text message, in case the telekomSMSTokenProvider is used. Steps 5 and 6.)
- The user enters her token. (Step 7.)
- The user is redirected to the originally requested URL (or a generic URL, in case the login dialog was directly requested). (Step 8.)
Child Elements
Position | Cardinality | Description | Element |
---|---|---|---|
1 | 1..1 | The user data provider verifying a combination of a username with a password. | cachingUserDataProvider, customStatementJdbcUserDataProvider, fileUserDataProvider, jdbcUserDataProvider, ldapUserDataProvider, staticUserDataProvider or unifyingUserDataProvider |
2 | 0..1 | The sessionManager . (Default values will be used, if the element is not specified.) | sessionManager |
3 | 0..1 | The accountBlocker . (Default values will be used, if the element is not specified.) | accountBlocker |
4 | 0..1 | The token provider computing or generating a numeric value used for two-factor authentication . | emailTokenProvider, emptyTokenProvider, telekomSMSTokenProvider, totpTokenProvider or whateverMobileSMSTokenProvider |
Configuration of the Login Dialog
The login dialog uses the context path specified by the path attribute of the login interceptor.
The location attribute points to a location (for example, a directory) where a template of the login dialog is located in a file called index.html. This file should at least contain a snippet similar to the following code:
${if error} <p> Fehler: <span style="color:red;"> ${if error='INVALID_PASSWORD'} Ungültiges Passwort. ${else} ${if error='INTERNAL_SERVER_ERROR'} Interner Fehler. ${else} ${if error='INVALID_TOKEN'} Ungültiges Token. ${else} ${if error='ACCOUNT_BLOCKED'} Ihr Zugang ist temporär gesperrt. ${else} ${error} ${end} ${end} ${end} ${end} </span></p> ${end} <form method="post" action="${action}" accept-charset="UTF-8"> <input type="hidden" name="target" value="${target}" /> ${if token} Bitte geben Sie Ihr Token ein:<br/> <input type="text" name="token" autofocus /><br/> <br/> <input type="submit" value="Verifizieren" /><br/> ${else} Benutzername:<br/> <input type="text" name="username" autofocus /><br/> Passwort:<br/> <input type="password" name="password" /><br/> <br/> <input type="submit" value="Login" /><br/> ${end} </form>
As you might have guessed, this one file is used to create
- the login dialog,
- the token input dialog and
- pages displaying error messages.
Example
The login example contained in the distribution demonstrates a simple setup usind the staticUserDataProvider and the totpTokenProvider.