Class HTTPAuthentication


  • @Service
    public class HTTPAuthentication
    extends Object
    An HTTP authentication mechanism for Silverpeas. It implements the authentication mechanism in Silverpeas from an incoming HTTP request. This HTTP request can be either an explicit authentication call or a call to the Silverpeas API. The HTTP request is expected either to contain the HTTP header Authorization valued with the authentication scheme and the user credentials as expected by the IETF RFC 2617, or to target a URI with the query parameter access_token (see IETF RFC 6750).

    Currently, Silverpeas supports two HTTP authentication schemes: the Basic one (covered by the IETF RFC 2617) and the Bearer one (covered by the IETF RFC 6750). The API token of a user must be passed with the Bearer scheme to access the REST API of Silverpeas.

    The authentication opens a new session when it succeeds; otherwise a WebApplicationException is thrown with the status Response.Status.UNAUTHORIZED.

    Author:
    mmoquillon
    • Constructor Detail

      • HTTPAuthentication

        protected HTTPAuthentication()
    • Method Detail

      • authenticate

        public SessionInfo authenticate(HTTPAuthentication.AuthenticationContext context)
        Authenticates the user behind the incoming HTTP request according to the specified authentication context.

        The context is defined for the incoming HTTP request and for the HTTP response to send. The HTTP request contains the elements required to authenticate the user at the source of the request. The mandatory element is either the Authorization HTTP header, which must be valued with an authentication scheme and with the credentials of the user, or the access_token URI query parameter, or the access_token form-encoded body parameter.

        A WebApplicationException is thrown with the status Response.Status.UNAUTHORIZED in the following cases:

        • no Authorization header and no access_token parameter;
        • the authentication scheme isn't supported;
        • the credentials passed in the Authorization header are invalid;
        • the user API token passed in the access_token parameter is invalid;
        • the user account in Silverpeas isn't valid (blocked, deactivated, ...).

        If the authentication process succeeds, then a session is created and returned. For the Basic authentication scheme, the session comes from a session opening in Silverpeas by the SessionManagement subsystem and its unique identifier is set in the UserPrivilegeValidation.HTTP_SESSIONKEY header of the HTTP response; the session spans several HTTP requests and is closed either explicitly or by the default session timeout. For the Bearer authentication scheme and for an authentication from the access_token parameter, the session is created only for the specific incoming request and expires at the end of it.

        At the end of the authentication, the context is populated with the user credentials and with the authentication scheme that were fetched from the HTTP request. They can then be retrieved for further operations by the invoker of this method. In the case of an authentication from the access_token parameter, the authentication scheme set in the context is the Bearer scheme.

        Parameters:
        context - the context of the authentication with the HTTP request and with the HTTP response.
        Returns:
        the created session for the request if the authentication succeeds; otherwise a WebApplicationException is thrown with the status Response.Status.UNAUTHORIZED.
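
        The credential-resolution rules documented above, as an added illustration that is not Silverpeas code: it picks the Authorization header first, falls back to the access_token parameter (recorded as the Bearer scheme), and maps the failure cases listed above to a 401. The class, record and method names are assumed, and Java 16+ is assumed for the record.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

// Added illustration of the credential-resolution rules documented above; not
// Silverpeas code. The Credentials record and resolve() are assumed names.
public final class AuthSchemeResolution {

  /** Resolved scheme ("Basic" or "Bearer") and the credential it carries. */
  public record Credentials(String scheme, String value) {}

  /** Mirrors the Javadoc: Authorization header first, else access_token (treated
   *  as Bearer). Anything else is a 401, signalled here by IllegalStateException. */
  public static Credentials resolve(Map<String, String> headers, Map<String, String> params) {
    String authorization = headers.get("Authorization");
    if (authorization == null) {
      String token = params.get("access_token");
      if (token == null || token.isBlank()) {
        throw new IllegalStateException("401: no Authorization header and no access_token");
      }
      return new Credentials("Bearer", token); // context records access_token as Bearer
    }
    int space = authorization.indexOf(' ');
    if (space <= 0 || space == authorization.length() - 1) {
      throw new IllegalStateException("401: malformed Authorization header");
    }
    String scheme = authorization.substring(0, space);
    String value = authorization.substring(space + 1).trim();
    if (scheme.equalsIgnoreCase("Bearer")) {
      return new Credentials("Bearer", value);
    }
    if (!scheme.equalsIgnoreCase("Basic")) {
      throw new IllegalStateException("401: unsupported scheme " + scheme);
    }
    try { // RFC 2617: base64("user:password"); the first ':' ends the user id
      String decoded = new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8);
      if (decoded.indexOf(':') <= 0) throw new IllegalArgumentException();
      return new Credentials("Basic", decoded);
    } catch (IllegalArgumentException e) {
      throw new IllegalStateException("401: invalid Basic credentials");
    }
  }

  public static void main(String[] args) { // constructed inputs, not real traffic
    String basic = Base64.getEncoder().encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
    System.out.println(resolve(Map.of("Authorization", "Basic " + basic), Map.of()));
    System.out.println(resolve(Map.of(), Map.of("access_token", "api-token-placeholder")));
  }
}
```

        The session handling that follows a successful resolution (a SessionManagement session and the HTTP_SESSIONKEY response header for Basic, a per-request session for Bearer) is outside this snippet.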