Nuxeo Platform
NXP-19143

Allow configuring the returned status code when a request is unauthenticated


    Details

    • Sprint: nxDM 8.2.1

      Description

      The problem

      Currently, when a user is not authenticated, it is up to one of the authentication plugins to handle the login prompt if needed. This means the plugin may redirect the user to a login page or present a Basic challenge.
      When browsing the web application (JSF), this is not a problem because we want to offer the user a seamless experience.

      When dealing with REST-based applications, this is a problem since the client application is responsible for the authentication. The client app cannot blindly follow a redirect to the login page, for instance. For that reason, the authentication filter should sometimes block the flow and return a 401 response code instead of letting the authentication plugin handle the whole flow.

      Authentication chains should specify if they let the plugins handle the login prompt

      At the authentication chain layer, we should be able to configure whether the authentication filter delegates the login prompt to its plugins or returns a 401 response code. This is done by the handlePrompt parameter:

      <?xml version="1.0"?>
      <component name="org.nuxeo.ecm.platform.ui.web.auth.specificchain.handlePrompt">

        <extension
          target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
          point="specificChains">

          <!-- handlePrompt="false": unauthenticated requests matching the
               URL patterns get a 401 instead of the plugins' login prompt -->
          <specificAuthenticationChain name="sampleChain" handlePrompt="false">
            <urlPatterns>
              <url>(.*)/site/admin.*</url>
            </urlPatterns>

            <replacementChain>
              <plugin>FORM_AUTH</plugin>
              <plugin>ANONYMOUS_AUTH</plugin>
            </replacementChain>
          </specificAuthenticationChain>
        </extension>
      </component>

      Add a login API to force the authentication plugins handle the login prompt

      When using a client REST API, the client may decide to follow the plugins' prompt. Since the mechanism is pluggable, the client has no way to know which prompt it has to follow. For that we introduce a /nuxeo/login API that just continues the login flow and lets the plugins do their "handle login prompt" job.
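      The following is an added illustration, not Nuxeo code: a small Python model of the decision described above, for both the handlePrompt chain attribute and the /nuxeo/login endpoint. It parses the specificChains contribution from this issue and, for a request with no valid credentials, decides whether the filter answers 401 or lets the plugins prompt. The DEFAULT_CHAIN plugin list, the full-match URL matching, and the way /nuxeo/login picks its plugins are assumptions of this model.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the specificChains contribution shown in this issue.
CONFIG_XML = """<?xml version="1.0"?>
<component name="org.nuxeo.ecm.platform.ui.web.auth.specificchain.handlePrompt">
  <extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="specificChains">
    <specificAuthenticationChain name="sampleChain" handlePrompt="false">
      <urlPatterns>
        <url>(.*)/site/admin.*</url>
      </urlPatterns>
      <replacementChain>
        <plugin>FORM_AUTH</plugin>
        <plugin>ANONYMOUS_AUTH</plugin>
      </replacementChain>
    </specificAuthenticationChain>
  </extension>
</component>
"""
# Assumption of this model: plugins used when no specific chain matches.
DEFAULT_CHAIN = ["FORM_AUTH", "ANONYMOUS_AUTH"]

def load_chains(xml_text):
    """Parse the specificChains contribution into chain descriptors."""
    chains = []
    for chain in ET.fromstring(xml_text).iter("specificAuthenticationChain"):
        chains.append({
            "name": chain.get("name"),
            # handlePrompt defaults to true, i.e. the plugins prompt as before
            "handlePrompt": chain.get("handlePrompt", "true").lower() != "false",
            "patterns": [re.compile(u.text.strip()) for u in chain.iter("url")],
            "plugins": [p.text.strip() for p in chain.iter("plugin")],
        })
    return chains

def unauthenticated_response(chains, request_uri):
    """Return ("401", []) when the matching chain has handlePrompt="false",
    else ("prompt", plugins): the plugins handle the prompt (login redirect,
    Basic challenge). /nuxeo/login always continues the plugin flow."""
    chain = next((c for c in chains
                  if any(p.fullmatch(request_uri) for p in c["patterns"])), None)
    plugins = chain["plugins"] if chain else DEFAULT_CHAIN
    if request_uri.startswith("/nuxeo/login"):
        return ("prompt", plugins)
    if chain is not None and not chain["handlePrompt"]:
        return ("401", [])
    return ("prompt", plugins)
```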
