Version: 3.14.x.x LTS

SessionFilter

Deprecated

This filter is deprecated. It will be removed with the next minor release (3.15.x.x).

When nevisProxy instances are used in a cascading pattern, the entry-point nevisProxy usually performs authentication and is therefore able to delegate the user's identity to the cascaded nevisProxy. The SessionFilter allows the cascaded nevisProxy to use and further propagate this authentication information.

Let's assume there are two nevisProxy instances. Instance A acts as the entry point, i.e. an IdentityCreationFilter is deployed. Authenticated requests are routed from instance A to nevisProxy instance B using the Http(s)ConnectorServlet. Let's assume further that instance B has to be a member of the global Nevis session. To enable that setup, the following configuration is required:

  • Instance A has an IdentityCreationFilter deployed with the configuration attribute 'DelegateSecToken' set to 'true'.
  • Instance A routes the authenticated requests to instance B using the Http.
  • The 'Connector' of instance B receives the request from instance A.
  • Instance B has a SessionFilter deployed.

The SessionFilter extracts the SecToken from the request HTTP header with the name 'isiwebsectoken'. The SecToken is validated and the authentication service is called with 'join'.

Classname: ch::nevis::isiweb4::filter::session::SessionFilter
Library: libSessionFilters.so.1

Configuration

| Name | Type, Usage Constraints, Defaults | Description |
|---|---|---|
| JoinSession | boolean; required, basic connectivity; default: true | Defines whether the global DSM session should be joined. |
| SessionServlet | string; required, basic connectivity | The name of a nevisAuthConnectorServlet or another authentication servlet must be configured. |
| SessionServletById | string array; optional, advanced | In the general case, the SessionFilter receives SecTokens from different authentication services. Because of this, several nevisAuthConnectorServlets must be configured, and a mapping is needed to invoke the right nevisAuthConnectorServlet. The attribute 'SessionServletById' takes a whitespace-separated list of <nevisAuthId>:<nevisAuthConnectorServlet name> mappings. At runtime, the 'SessionServletById' mappings are checked first. If no match or no servlet is found, the 'SessionServletByFingerprint' mappings are checked. As a fallback, the configured 'SessionServlet' is tried. |
| SessionServletByFingerprint | string array; optional, advanced | In the general case, the SessionFilter receives SecTokens from different nevisAuth instances. Because of this, several nevisAuthConnectorServlets must be configured, and a mapping is needed to invoke the right nevisAuthConnectorServlet. The attribute 'SessionServletByFingerprint' takes a whitespace-separated list of <nevisAuthId>:<fingerprint> mappings. See 'SessionServletById' for its runtime use. |
| SecTokenTolerance | integer; optional, troubleshooting; default: 600 | See 'SecTokenTolerance' of the component 'IdentityCreationFilter'. |
| UseSessionToStoreToken | boolean; optional, advanced; default: true | Defines whether the HTTP session is used to store the SecToken or the SecToken is stored in an internal cache. (If 'false' is configured, see also the attribute 'ProviderToNotify' of the nevisAuth4ConnectorServlet.) This is used to run the filter in a container other than navajo. |
| TokenCacheSize | integer; optional, advanced, scaling; default: 1000 | Defines the internal token cache size if the HTTP session is not used to store the SecToken. |
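
A sketch of how the SessionFilter on instance B could be declared, with the 'SessionServletById' mappings consulted first and 'SessionServlet' as the fallback. This is an added example, not taken from the original page; it assumes nevisProxy's web.xml-style filter configuration, and the filter name, servlet names, nevisAuth IDs and URL pattern are placeholders.

```xml
<!-- Added example for instance B; all names and values below are placeholders. -->
<filter>
  <filter-name>SessionFilter_B</filter-name>
  <filter-class>ch::nevis::isiweb4::filter::session::SessionFilter</filter-class>

  <!-- Join the global DSM session (true is also the documented default). -->
  <init-param>
    <param-name>JoinSession</param-name>
    <param-value>true</param-value>
  </init-param>

  <!-- Fallback: tried last, when no Id or Fingerprint mapping matches. -->
  <init-param>
    <param-name>SessionServlet</param-name>
    <param-value>AuthConnector_Default</param-value>
  </init-param>

  <!-- Checked first: whitespace-separated <nevisAuthId>:<servlet name> pairs. -->
  <init-param>
    <param-name>SessionServletById</param-name>
    <param-value>
      authIdOne:AuthConnector_One
      authIdTwo:AuthConnector_Two
    </param-value>
  </init-param>

  <!-- Documented default, stated explicitly so the setting is visible in reviews. -->
  <init-param>
    <param-name>SecTokenTolerance</param-name>
    <param-value>600</param-value>
  </init-param>
</filter>

<!-- Apply the filter to the requests arriving from instance A. -->
<filter-mapping>
  <filter-name>SessionFilter_B</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Each servlet name referenced in the mappings has to match a nevisAuthConnectorServlet (or other authentication servlet) that is actually configured on instance B; otherwise the lookup falls through to the next step in the order described for 'SessionServletById'.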