3. Security and Validation

login

The login interceptor can be used to restrict and secure end user access to an arbitrary web application.

First, the user authenticates against a directory server with a username and password. Second, a numeric token is sent to the user's mobile phone by text message. Once the token has been verified, the user's session is granted access to the web application. Single sign-on can be realized with a small source-code extension or modification of the web application.


Explanation

The login interceptor combines four modules to implement its functionality: a user data provider, a session manager, an account blocker and a token provider. One implementation of each of the four module types is required; the session manager and the account blocker have default implementations that are used when they are not configured explicitly.

[Figure: login interceptor workflow]

(Whether text messages and LDAP are actually used depends on the configuration; alternatives are listed under Child Elements below.)

The login interceptor realizes the login workflow. If all information entered by the user is valid, the workflow is as follows:


Can be used in:

serviceProxy, api, global, chainDef, for, choose, stompProxy, if, registration, wsStompReassembler, internal, interceptor, chain, bean, transport and soapProxy

Syntax

<login path="string" location="string" [exposeUserCredentialsToSession="boolean"] [message="string"]>
  user data provider
  [session manager]
  [account blocker]
  token provider
</login>

Sample

<login path="/login/" location="file:c:/work/login/">
  <ldapUserDataProvider
     url="ldap://192.168.2.100"
     base="dc=predic8,dc=de"
     searchPattern="(cn=%LOGIN%)">
     <map>
        <attribute from="telephoneNumber" to="sms" />
        <attribute from="uidNumber" to="header-X-Security-UID" />
     </map>
  </ldapUserDataProvider>

  <telekomSMSTokenProvider
     user="predic8"
     password="secret" />
</login>

The sample above relies on the default session manager and account blocker. The following sample sets every available element and attribute explicitly. Note that ldap:// carries the bind password and every user's password in clear text; a production deployment should use a TLS-protected connection to the directory.

Sample (all elements and attributes)

<login path="/login/" location="file:c:/work/login/">
  <ldapUserDataProvider
     url="ldap://192.168.2.100"
     base="dc=predic8,dc=de"
     binddn="cn=Manager,dc=predic8,dc=de"
     bindpw="secret"
     searchPattern="(cn=%LOGIN%)"
     searchScope="subtree"
     timeout="1000"
     connectTimeout="1000"
     readAttributesAsSelf="true" >
     <map>
        <attribute from="telephoneNumber" to="sms" />
        <attribute from="uidNumber" to="header-X-Security-UID" />
     </map>
  </ldapUserDataProvider>

  <sessionManager
    cookieName="SESSIONID"
    timeout="300000" />

  <accountBlocker
     afterFailedLogins="5"
     afterFailedLoginsWithin="9223372036854775807"
     blockFor="3600000"
     blockWholeSystemAfter="1000000" />

  <telekomSMSTokenProvider
     user="predic8"
     password="secret"
     prefixText="Token: "
     normalizeTelephoneNumber="true" />
</login>
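The searchPattern in the samples substitutes the login the user typed into an LDAP search filter. Whatever performs that substitution has to escape the value per RFC 4515, otherwise a login such as *)(objectClass=* changes the structure of the filter rather than the value being searched for. This page does not state how ldapUserDataProvider handles the substitution, so check that before relying on it, and apply the escaping yourself in any custom user data provider you write. The following is an added example of that escaping, not Membrane's code; SEARCH_PATTERN and the function names are assumptions chosen for illustration.

```python
# Added example (not Membrane's code): RFC 4515 escaping of a user-supplied
# login before it is substituted for %LOGIN% in an LDAP search filter.

SEARCH_PATTERN = "(cn=%LOGIN%)"  # the searchPattern from the sample configuration


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    The characters * ( ) \\ and NUL are replaced by a backslash followed by
    two hex digits. Control characters and non-ASCII bytes are escaped the
    same way, which RFC 4515 permits and which keeps the filter 7-bit clean.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x2A, 0x28, 0x29, 0x5C, 0x00) or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_filter(pattern: str, login: str) -> str:
    """Substitute the escaped login for %LOGIN% (the safe variant)."""
    return pattern.replace("%LOGIN%", escape_filter_value(login))


def build_filter_unescaped(pattern: str, login: str) -> str:
    """Naive substitution, shown only to contrast what goes wrong without escaping."""
    return pattern.replace("%LOGIN%", login)


if __name__ == "__main__":
    hostile = "*)(objectClass=*"  # constructed input, not a real login
    print(build_filter_unescaped(SEARCH_PATTERN, hostile))  # structure changed
    print(build_filter(SEARCH_PATTERN, hostile))            # still a single cn assertion
```

With the hostile input, the unescaped variant yields (cn=*)(objectClass=*), a filter that matches every entry with an objectClass, while the escaped variant yields (cn=\2a\29\28objectClass=\2a), a literal match on a name that does not exist.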

Attributes

path (required, no default)
   Context path of the login dialog.
   Example: /login/

location (required, no default)
   Location of the login dialog template: a directory containing the index.html file and possibly other resources. See "Configuration of the Login Dialog" below for a description of the format.
   Example: file:c:/work/login/

exposeUserCredentialsToSession (optional)
   Whether the user's credentials are copied into the session. If enabled, the credentials stay in memory for the lifetime of the session and are readable by every Membrane component that can access the session. Leave it disabled unless a downstream component actually needs the password.

message (optional)
   The message displayed during the redirect.

Child Elements

Exactly one user data provider and exactly one token provider must be present. sessionManager and accountBlocker are optional and fall back to their defaults when omitted.

User data providers (0..1 each; one of them is required). Each verifies a combination of a username with a password:
  unifyingUserDataProvider
  cachingUserDataProvider
  staticUserDataProvider
  ldapUserDataProvider
  customStatementJdbcUserDataProvider
  fileUserDataProvider
  jdbcUserDataProvider

sessionManager (0..1)
  The session manager. Default values are used if the element is not specified.

accountBlocker (0..1)
  The account blocker. Default values are used if the element is not specified.

Token providers (0..1 each; one of them is required). Each computes or generates the numeric value used for two-factor authentication:
  emailTokenProvider
  totpTokenProvider
  whateverMobileSMSTokenProvider
  emptyTokenProvider
  telekomSMSTokenProvider
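The accountBlocker attributes in the full sample (afterFailedLogins, afterFailedLoginsWithin, blockFor, blockWholeSystemAfter) read naturally as a sliding-window counter: block an account for blockFor milliseconds once afterFailedLogins failures fall within afterFailedLoginsWithin milliseconds, and stop accepting logins altogether after blockWholeSystemAfter failures in total. The following added example models those settings under that assumed reading; it is not Membrane's implementation, and the exact semantics of blockWholeSystemAfter are not documented on this page. It also makes visible what the sample's afterFailedLoginsWithin="9223372036854775807" (the largest 64-bit signed value) means under this model: failures never age out, so five wrong passwords spread over any period of time still lock the account, whereas a finite window only counts failures that cluster together.

```python
# Added example (assumed semantics, not Membrane's code): a model of the
# accountBlocker settings. All durations are milliseconds, as in the sample.
import time
from collections import defaultdict

LONG_MAX = 9223372036854775807  # afterFailedLoginsWithin in the sample configuration


class AccountBlocker:
    def __init__(self, after_failed_logins=5, after_failed_logins_within=LONG_MAX,
                 block_for=3_600_000, block_whole_system_after=1_000_000, clock=None):
        self.after_failed_logins = after_failed_logins
        self.after_failed_logins_within = after_failed_logins_within
        self.block_for = block_for
        self.block_whole_system_after = block_whole_system_after
        # Injectable millisecond clock so the behaviour can be exercised without waiting.
        self.clock = clock or (lambda: int(time.time() * 1000))
        self.failures = defaultdict(list)  # user -> timestamps of recent failed logins
        self.blocked_until = {}            # user -> timestamp at which the block expires
        self.total_failures = 0            # counted across all accounts

    def is_blocked(self, user):
        """True if this user, or the whole system, is currently refusing logins."""
        # Assumed: the system-wide block never expires in this model.
        if self.total_failures >= self.block_whole_system_after:
            return True
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # The block has expired: forget it and start counting afresh.
        del self.blocked_until[user]
        self.failures[user].clear()
        return False

    def record_failure(self, user):
        """Register a failed password or token attempt."""
        now = self.clock()
        self.total_failures += 1
        # Keep only failures inside the window; with LONG_MAX nothing ever falls out.
        cutoff = now - self.after_failed_logins_within
        recent = [t for t in self.failures[user] if t > cutoff]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.after_failed_logins:
            self.blocked_until[user] = now + self.block_for

    def record_success(self, user):
        """A successful login clears the per-user failure history."""
        self.failures[user].clear()


if __name__ == "__main__":
    fake_now = [0]
    b = AccountBlocker(clock=lambda: fake_now[0])
    for day in range(5):                      # one wrong password per day
        fake_now[0] = day * 86_400_000
        b.record_failure("alice")
    print("unbounded window, blocked:", b.is_blocked("alice"))   # True
    b2 = AccountBlocker(after_failed_logins_within=60_000, clock=lambda: fake_now[0])
    for day in range(5):
        fake_now[0] = day * 86_400_000
        b2.record_failure("alice")
    print("60 s window, blocked:", b2.is_blocked("alice"))       # False
```

The system-wide block is the trade-off to think about before raising blockWholeSystemAfter or lowering it: it stops a distributed password-spraying run, but it also lets an attacker lock everyone out by deliberately exceeding the threshold.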

Configuration of the Login Dialog

The login dialog uses the context path specified by the path attribute of the login interceptor.

The location attribute points to a location (for example, a directory) where a template of the login dialog is located in a file called index.html. This file should at least contain a snippet similar to the following code:

${if error}
<p> Error: <span style="color:red;">
${if error='INVALID_PASSWORD'}
Invalid password.
${else}
${if error='INTERNAL_SERVER_ERROR'}
Internal error.
${else}
${if error='INVALID_TOKEN'}
Invalid token.
${else}
${if error='ACCOUNT_BLOCKED'}
Your account is temporarily blocked.
${else}
${error}
${end}
${end}
${end}
${end}
</span></p>
${end}

<form method="post" action="${action}" accept-charset="UTF-8">
<input type="hidden" name="target" value="${target}" />

${if token}

Please enter your token:<br/>
<input type="text" name="token" autofocus /><br/>
<br/>
<input type="submit" value="Verify" /><br/>

${else}

Username:<br/>
<input type="text" name="username" autofocus /><br/>
Password:<br/>
<input type="password" name="password" /><br/>
<br/>
<input type="submit" value="Login" /><br/>

${end}

</form>
[Figure: sample login dialog]

As you might have guessed, this one file is used to create

Example

The login example contained in the distribution demonstrates a simple setup using the staticUserDataProvider and the totpTokenProvider.