Version: 3.14.x.x LTS

FakeLoginFilter

The FakeLoginFilter performs an automatic form-based login on backend servers. To do this, the filter parses every HTTP response and looks for a specified form in it. If the form is found, the configured values are entered in the input fields and the form is submitted to the backend server.

To detect a form, all the configured fields LoginFormName, LoginFormAction and LoginFormInput must match.

If the backend sends the content compressed, you have to define a DeflateFilter after the FakeLoginFilter, or suppress the accept-encoding. The DeflateFilter only supports .gzip content.

Classname: ch::nevis::isiweb4::filter::fakelogin::FakeLoginFilter
Library: libFakeLoginFilter.so.1

Configuration

LoginFormName
  Type: string
  Usage: optional
  Description: The name of the form (name parameter inside the form tag).

LoginFormAction
  Type: string
  Usage: optional
  Description: The end of the action parameter of the login form. The configured value must match the end of the action exactly.

LoginFormInput
  Type: list of delegation specifications
  Usage: required
  Default: empty list
  Description: Describes the input fields of the login form that are to be set/replaced before the form is sent to the backend server. The format of a list entry is <source>:<parametername>:<inputname> where:
  - <source> is one of 'AUTH' or 'CONST'
  - <parametername> describes the name used to retrieve the parameter from <source> (or the value of the delegated parameter if <source> is of type 'CONST')
  - <inputname> is the name of the input field where the value is set/replaced.
  The syntax is based on the DelegationFilter syntax. If an input field is not specified, its value will be the default value that is specified inside the form. All configured fields must be part of the form, otherwise the form will not be detected as the login form.

BufferSize
  Type: integer
  Usage: optional
  Min: 1024
  Max: 65536
  Default: 8000
  Description: The maximum number of bytes that are buffered and parsed. This means that in any HTTP response, all the data from the beginning of the response to the end of the login form must fit into this buffer.

UsesFrames
  Type: boolean
  Usage: optional
  Default: false
  Description: Specifies whether or not framesets are reloaded after a login.

ResentInitialRequest
  Type: boolean
  Usage: optional
  Default: false
  Description: Defines whether the initial request should be re-submitted.

FrameReloadLocation
  Type: string
  Usage: optional
  Description: Location of the page that contains the frameset that is displayed after a successful login.

ErrorURL
  Type: string
  Usage: required
  Description: If the automatic form-based login on the backend system fails, a redirect to the specified URL is sent to the client. On this (static) page, you can include background information on probable causes and what the user could do to avoid a repeated failure. The content depends heavily on your system's architecture/configuration.

SessionLostURL
  Type: string
  Usage: required
  Description: If the system detects that the session on the backend server has been lost, a redirect to the specified URL is sent to the client. It is recommended that a link be added to the login page (of the Web application) as well as an explanation of what happened. By simply clicking on the link, the user will be logged in again.
  The FakeLoginFilter will assume that a loss of the backend session has occurred if there was a successful previous request, but the current request is answered with a login screen. This additional page is required to notify the user about the session loss; otherwise the user would just transparently be logged in again, probably ending up on a different site with a different context.
  You can also specify the entry point of the web application to have a fully transparent re-login.
  Note: a logout cannot be detected. This means that if a user logs into a backend server and out again, and then, within the same SSO session, logs in again, the session lost page is displayed (and a further login will succeed).

ForwardPolicy
  Type: enum: CHAIN, DISPATCH
  Usage: optional
  Description: Defines how to handle the POST for logins:
  - CHAIN: Continue with the chain. Can be used as long as the requested path uses the same servlet as the login path.
  - DISPATCH: Look for the servlet using the requested login path. Has to be set if the login path uses a different servlet than the requested path.

AllowEmptyAction
  Type: boolean
  Default: false
  Description: Allow the action parameter of the form to be an empty string, or to be omitted completely. In this case, the form will be submitted to the original request URI.

FakeLoginFilter configuration

Sample configuration:

<filter>
  <filter-name>FR_LoginForm</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::fakelogin::FakeLoginFilter</filter-class>
  <init-param>
    <param-name>BufferSize</param-name>
    <param-value>10000</param-value>
  </init-param>
  <init-param>
    <param-name>ErrorURL</param-name>
    <param-value>/errorpages/forbidden.html</param-value>
  </init-param>
  <init-param>
    <param-name>LoginFormInput</param-name>
    <param-value>
      AUTH:ch.nevis.idm.User.email:userid
      AUTH:ch.nevis.idm.prof.webmail,access.appl_usercred:password
      CONST:Login:submit
    </param-value>
  </init-param>
  <init-param>
    <param-name>LoginFormName</param-name>
    <param-value>login</param-value>
  </init-param>
</filter>
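
To check a configuration against a captured backend response before deploying it, the detection rules documented above can be modelled offline. The following Python sketch is an added example, not Nevis code: it approximates the documented matching (form name, action suffix, all configured inputs present, form complete within BufferSize). The function names, the sample response and the treatment of an empty action as skipping the LoginFormAction check are assumptions.

```python
from html.parser import HTMLParser

def parse_login_form_input(value):
    """Split LoginFormInput entries of the form <source>:<parametername>:<inputname>."""
    specs = []
    for entry in value.split():
        parts = entry.split(":")
        if len(parts) != 3 or parts[0] not in ("AUTH", "CONST"):
            raise ValueError(f"bad LoginFormInput entry: {entry!r}")
        specs.append(tuple(parts))
    return specs

class FormCollector(HTMLParser):  # records name, action and input names per form
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current = {"name": attrs.get("name"), "inputs": set(),
                            "action": attrs.get("action") or "", "closed": False}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None and attrs.get("name"):
            self.current["inputs"].add(attrs["name"])
    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            self.current["closed"] = True
            self.current = None

def find_login_form(body, specs, name=None, action=None,
                    buffer_size=8000, allow_empty_action=False):
    """Return the first form that satisfies every configured criterion, else None."""
    collector = FormCollector()
    collector.feed(body[:buffer_size].decode("latin-1"))  # only BufferSize bytes are parsed
    wanted = {input_name for _, _, input_name in specs}
    for form in collector.forms:
        act = form["action"]
        if (form["closed"]  # a form cut off by the buffer limit never closes
                and (name is None or form["name"] == name)
                and (act != "" or allow_empty_action)
                and (act == "" or action is None or act.endswith(action))
                and wanted <= form["inputs"]):  # all configured inputs present
            return form
    return None
# Constructed sample response, matching the sample configuration on this page.
LOGIN_PAGE = (b'<form name="login" action="/webmail/j_security_check"><input name="userid">'
              b'<input type="password" name="password"><input name="submit"></form>')
SPECS = parse_login_form_input("AUTH:ch.nevis.idm.User.email:userid "
    "AUTH:ch.nevis.idm.prof.webmail,access.appl_usercred:password CONST:Login:submit")
```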