Extensible Authentication

 

In ViewsFlash, User Authentication is done by the Application Server, using Java's getRemoteUser() method, which normally enforces authentication and provides single sign-on.

When this is not feasible or practical, as for example when using Site Minder for authentication, ViewsFlash can be configured to use an alternative authentication method using its Extensible Authentication architecture.This allows specifying a class in the servlet parameters that will perform the same function as getRemoteUser(). The built-in OtherAuthentication class can be used, or you can even write your own.

Using the OtherAuthentication class

Include the following parameter in the ViewsFlash servlet parameters:
requestnotifierextension=com.cogix.vwf.OtherAuthentication

Include one of the following in the ViewsFlash servlet parameters. Do not include both
OtherAuthentication.HeaderName=HeaderName
OtherAuthentication.SessionAttributeName=AttributeName

Use OtherAuthentication.HeaderName if the authentication system and the web server create an HTTP header that includes the user ID, and set this parameter to the name of that header.
Use OtherAuthentication.SessionAttributeName if the authentication system and the application server create a session attribute that includes the user ID, and set this parameter to the name of that session attribute.

The OtherAuthentication class looks for the user ID as directed above. If no user ID information is present, it redirects the user to a URL specified by this servlet parameter:
#OtherAuthentication.Redirect=http://...?xxx%1....%2....%3
Set the value of this parameter to a URL. In the URL, include the values that are appropriate the authentication agent. The values %1, %2 and %3 are replaced by:

With this class, the ViewsFlash application can be protected using User Security. However, it's probably not necessary to secure the URL pattern /servlet/vfadmin with a security-constraint in ViewsFlash web.xml. It may be desirable to set up the authentication agent so that the /ViewsFlash/servlet/vfadmin URI requires authentication by the agent.

When setting up questionnaires, if the Basic Authentication is selected,this class will authenticate respondents instead of J2EE's getRemoteUser. In web.xml, it's probably not necessary to secure the URL pattern /servlet/vfauth, and it may be desirable to secure /ViewsFlash/servlet/vfauth with the authentication agent.

Extensible Authentication allows using an authentication mechanism as well as looking up Roles independently from the Application Server.

Writing your own Authentication class

The RequestNotifier Extension mechanism can be used to verify whether a user is authenticated. When using this, be sure that web.xml does not protect the ViewsFlash application or its servlets. In surveys, use Basic Authentication as the authentication method. See AuthenticationSkeleton.java for sample code.

1. Create a class com.cogix.vwf.YourExtensionClass that extends RequestNotifier, and override its OnRequest method as follows:

If the user is successfully authenticated, set:
thiscall.userid = theUserID; // a String with the User ID.

If the user is not authenticated, set:
thiscall.userid=null

If browser redirection is needed to delegate authentication to an authentication server, set:
thiscall.bRediraftersetattribute = true;
thiscall.rediraftersetattribute = reqURL; // usually will contain the original ViewsFlash query string

2. Add to viewsflash.properties:
requestnotifierextension=com.cogix.vwf.YourExtensionClass

3. If there is a severe internal error, throw new vwfException(String message). The message WILL be visible to the visitor. It is better to simply set thiscall.userid=null and use a logging function to record the error.

Role Lookup

The Role Lookup Extension mechanism can be used to verify whether an authenticated user is in a particular Role. When using this, the Application Server's role lookup method, if any, will be ignored. To activate it, add the appropriate lookuprole parameter to viewsflash.properties, as follows:

1. To use an LDAP server, see Using LDAP and add:
lookuprole=LDAPLookupRole

2. To look up roles in a properties file, add:
lookuprole=FileLookupRole

This will look for a servlet parameter
filelookuproleproperties=<path to a file>
If this parameter is not present, the file will default to /etc/cogix/fileroles.properties

This file has the following format:
user=role,role,role,role,role (no limit on how many)
Spaces are ignored.

For example:
sally=Creator,MedicalFaculty,LawFaculty
ivan= Creator,Analyst,MedicalFaculty
peter=Analyst,MedicalFaculty
tom= VFAdministrator
eric= Creator,Analyst,Examiner,MedicalFaculty
jenny=VFAdministrator,Creator,Analyst,Examiner,Producer,MedicalFaculty,LawFaculty
sandy=Examiner,LawFaculty
bob= Analyst,Examiner,MedicalFaculty
lucy= Creator,Analyst,LawFaculty
mary= Creator,Producer,LawFaculty

Role names are arbitrary. They do not need to correspond to any role or group names in the Application Server.

3. To look up user roles in a database table, add:
lookuprole=DBLookupRole

See DBLookupRole.java for sample code.
These role names are arbitrary. They do not need to correspond to any role or group names in the Application Server.

4. To use your own extension, use FileLookupRole.java as an example, and create your own class, and activate it with servlet parameter:
lookuprole=YourRoleLookup

 

 

Next: Database Storage