EsAuth4ConnectorServlet
The EsAuth4ConnectorServlet works in combination with the IdentityCreationFilter and/or the SecurityRoleFilter to enable client authentication in nevisProxy. Its role is to connect nevisProxy to the remote nevisAuth authentication service via HTTP/SOAP. If explicitly configured to do so, the EsAuth4ConnectorServlet is also responsible for polling the authentication service to fetch the list of sessions that were terminated by nevisAuth.
This polling mechanism can reduce system performance. This happens, for example, when several nevisProxy instances share a single nevisAuth instance, or when one nevisProxy instance contains several Esauth4ConnectorServlets that connect to the same nevisAuth instance. To reduce the load on nevisAuth, polling is disabled by default. To enable it, set the servlet's EnablePollTerminatedCalls parameter to true.
Classname:
ch::nevis::isiweb4::servlet::connector::soap::esauth4::Esauth4ConnectorServlet
Library:
libEsauth4SOAPConnectorServlet.so.1
Configuration
TargetURI
Type: URI
Usage Constraints: optional, basic
Default: /nevisauth/services/AuthenticationService
This attribute references the target URI of the nevisAuth Web service. If the deployment context path of nevisAuth changes, this value may have to be adjusted accordingly.
Encoding
Type: String
Usage Constraints: optional, advanced
Default: UTF-8
This attribute specifies the default encoding to use for SOAP document encoding.
EnablePollTerminatedCalls
Type: Boolean
Usage Constraints: optional
Default: false
Enables the pollTerminatedSession feature. If you set this parameter to "true", nevisProxy calls nevisAuth for terminated sessions.
This polling feature is required only if your nevisAuth is configured to terminate sessions on its own. Otherwise, enabling it unnecessarily increases the load on nevisAuth and can degrade terminated sessions. When enabling this parameter, it is recommended that you:
- Configure a single EsAuth4ConnectorServlet for all IdentityCreationFilters and SecurityRoleFilters that connect to the same nevisAuth instance in a web.xml file, or alternatively disable the polling for all Esauth4ConnectorServlets but one.
- Stick to the default value of the Transport.RequestTimeout parameter whenever possible, since lowering this value will increase the polling frequency.
If several nevisProxy instances share their sessions in a remote session store and connect to the same nevisAuth instance, we also suggest enabling the polling in a single EsAuth4ConnectorServlet for all the proxy instances. Note, however, that in this configuration the polling stops if the instance hosting that servlet goes down.
ReplaceIllegalXmlCharacters
Type: String
Usage Constraints: optional, advanced
Syntax: /<character[s]>/
Some application frontends can send emojis containing characters that are not allowed by XML. This will cause an error because the request cannot be sent to nevisAuth. If you set this parameter, nevisProxy will replace all illegal XML characters with the configured character(s). Illegal characters are: 0x01 to 0x1f, except 0x09, 0x0a, and 0x0d.
Example: The following value replaces all special characters with a space: / /
Transport.*
You can use the following configuration attributes of the HttpsConnectorServlet with the Transport. prefix. The list contains the default values where there is one.
Transport.Protocol=HTTP/1.1
Transport.URLEncoding=true
Transport.DNSCache=true
Transport.DNSCache.ttl=3600
Transport.InetAddress=, Required
Transport.HostName=, Optional
Transport.HostName.StripDefaultPort=true
Transport.KeepAlive=true
Transport.KeepAlive.LifeTime=600
Transport.KeepAlive.InactiveInterval=60
Transport.KeepAlive.ConnectionPoolSize=50
Transport.KeepAlive.ByClient=false
Transport.KeepAlive.RetryOnFail=true
Transport.BlockSize=8192
Transport.ResponseLineSize=4096
Transport.RequestTimeout=120000
Transport.ConnectTimeout=15000
Transport.LoadBalancing=false
Transport.SetServerHeader=false
Transport.ResourceManager=ch::nevis::isiweb4::servlet::connector::base::SessionResourceManager
Transport.ResourceManager.RetryTimeout=10
Transport.ResourceManager.RetryBindingTimeout=7200
Transport.ResourceManager.DisablePing=, Required
Transport.OutboundProxy=, Optional
Transport.OutboundProxy.ErrorCodes=502,503,504
Transport.SSLProtocol=-all +TLSv1.2 +TLSv1.3
(secure default: all +TLSv1.2 +TLSv1.3)
Transport.SSLCipherSuites=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256
(secure default: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256)
Transport.SSLCache=on
Transport.SSLCheckPeerHostname=true
Transport.UseSSL=true
Transport.SSLClientCertificateFile=, Required
Transport.SSLClientKeyFile=, Optional
Transport.SSLCACertificateFile=, Required
Transport.DisableBindingStatusCode=, Optional
Transport.DelegateHeader=, Optional
Transport.ConnectionRetries=, Optional
The Transport.RequestTimeout attribute also defines the polling frequency. The maximum interval between two polling calls to nevisAuth is 1/3*Transport.RequestTimeout.
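The following web.xml servlet definition is an added example, not taken from the nevisProxy documentation, that combines the parameters described above: polling enabled in this single connector servlet, the default Transport.RequestTimeout left untouched so the polling interval stays at its default, and the secure TLS settings with peer hostname verification. The servlet name, the nevisAuth host and port, and the certificate file path are assumed placeholder values.

```xml
<!-- Added example: one EsAuth4ConnectorServlet that all IdentityCreationFilters and
     SecurityRoleFilters for this nevisAuth instance should reference by servlet-name. -->
<servlet>
  <servlet-name>EsAuth4ConnectorServlet_auth</servlet-name>
  <servlet-class>ch::nevis::isiweb4::servlet::connector::soap::esauth4::Esauth4ConnectorServlet</servlet-class>

  <!-- Default TargetURI; adjust only if the nevisAuth context path was changed. -->
  <init-param>
    <param-name>TargetURI</param-name>
    <param-value>/nevisauth/services/AuthenticationService</param-value>
  </init-param>

  <!-- Polling is enabled here and in no other Esauth4ConnectorServlet that talks to
       this nevisAuth instance, to avoid multiplying the polling load. -->
  <init-param>
    <param-name>EnablePollTerminatedCalls</param-name>
    <param-value>true</param-value>
  </init-param>

  <!-- Replace illegal XML control characters (0x01-0x1f except TAB/LF/CR) with a space
       so SOAP requests carrying emoji-laden input still reach nevisAuth. -->
  <init-param>
    <param-name>ReplaceIllegalXmlCharacters</param-name>
    <param-value>/ /</param-value>
  </init-param>

  <!-- Assumed placeholder: host and port of the nevisAuth instance. -->
  <init-param>
    <param-name>Transport.InetAddress</param-name>
    <param-value>nevisauth.example.internal:8991</param-value>
  </init-param>

  <!-- TLS to nevisAuth: only TLS 1.2/1.3, verify the peer hostname, trust a dedicated CA.
       Transport.RequestTimeout is intentionally not set, so it keeps its default of
       120000 ms and the maximum polling interval stays at 1/3 of that (40 s). -->
  <init-param>
    <param-name>Transport.UseSSL</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>Transport.SSLProtocol</param-name>
    <param-value>-all +TLSv1.2 +TLSv1.3</param-value>
  </init-param>
  <init-param>
    <param-name>Transport.SSLCheckPeerHostname</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>Transport.SSLCACertificateFile</param-name>
    <param-value>/var/opt/nevisproxy/instance/conf/nevisauth-ca.pem</param-value> <!-- assumed path -->
  </init-param>
</servlet>
```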
The following configuration attributes of the Http(s)ConnectorServlet have hard-coded values and cannot be overridden:
ProtocolExtension="none"
CookieManager.CookieBinding="none"
CookieManager.DefaultCookiePath="/"
AutoRewrite="off"
MappingType="requesturi"
CookieManager="off"
ProxyPolicy="stealth commit-response"