The service's role is to authenticate a user and, if the authentication is successful, deliver a JWT to them.
With this JWT, and for as long as the token is valid, the user can authenticate with the resource server and access the resources they are authorized to access.
The authentication service is exposed by the servlet JWTServlet. The login credentials are passed as request parameters.
Example:
https://host:port/yourapplication/JWTServlet?login=user&password=pwd
Note: the authentication servlet can also be called with a POST request, with the credentials sent in the body of the request (payload), as with an HTML form.
For obvious security reasons, use of the HTTPS protocol is strongly recommended for accessing the JWTServlet. Note also that credentials passed as GET parameters, as in the example above, may be recorded in web server, proxy and browser logs; the POST form avoids this.
The authentication part offers different modules: an LDAP authentication module, a Java EE authentication module, and an Adelia authentication module.
Several authentication modules can be chained.
The module or modules are selected via the jwtLoginModuleName property of the JwtProviderConfig object, which is described in the /WEB-INF/beans.xml configuration file of the application hosting the authentication service.
If the authentication module recognizes the user, the JWT creation phase begins.
This is based on:
- Information returned by the authentication module (name of authenticated user, additional optional attributes relating to the user).
- Information from the JwtProviderConfig object described in the application's /WEB-INF/beans.xml configuration file.
- An encryption key needed to digitally sign the token.
This key is provided by a keystore in JKS format named RSJwtSecurity.key. The keystore must be available either in the application's WEB-INF/conf directory, or externalized as a URL-type JNDI resource created with the com.hardis.common.JndiURLFactory factory under the alias url/adelRSJwtSecurity.
Note: a keystore is provided by default in the /WEB-INF/conf directory.
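As an added illustration (not the Adelia code, and not taken from this page), the following Java snippet shows how a token of this kind is built and signed with an RSA key pair loaded from the JKS keystore, and how a resource server checks the signature using only the public key. The keystore password and key alias are assumed placeholders, and the claims are constructed.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class JwtKeystoreExample {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // The keystore path comes from the page; the password and key alias are assumed placeholders.
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    static final String KEY_ALIAS = "jwt-signing-key";

    static KeyStore loadKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("WEB-INF/conf/RSJwtSecurity.key")) {
            ks.load(in, KEYSTORE_PASSWORD);
        }
        return ks;
    }
    static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    // Issues header.payload.signature for the authenticated user with a validity window (constructed claims).
    static String issueToken(PrivateKey key, String user, long now, long ttl) throws Exception {
        String signingInput = b64("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "."
                + b64("{\"sub\":\"" + user + "\",\"iat\":" + now + ",\"exp\":" + (now + ttl) + "}");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }
    // Resource-server side: only the public key is needed; a token whose payload was altered must fail here.
    static boolean signatureIsValid(PublicKey key, String token) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeystore();
        PrivateKey priv = (PrivateKey) ks.getKey(KEY_ALIAS, KEYSTORE_PASSWORD);
        PublicKey pub = ks.getCertificate(KEY_ALIAS).getPublicKey();
        String token = issueToken(priv, "user", System.currentTimeMillis() / 1000, 3600);
        // Swap the payload but keep the original signature: the resource server must reject this.
        String forged = token.replaceFirst("\\.[^.]+\\.", "." + b64("{\"sub\":\"admin\"}") + ".");
        System.out.println("genuine verifies: " + signatureIsValid(pub, token));
        System.out.println("forged verifies: " + signatureIsValid(pub, forged));
    }
}
```

The expiry (exp) claim still has to be checked by the resource server after the signature verifies; this snippet only covers the signature.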
If authentication fails, the service does not return a JWT; instead, the body of its response contains a string beginning with [ERROR] followed by an explanatory message.