EsAuth4ConnectorServlet
The EsAuth4ConnectorServlet works in combination with the IdentityCreationFilter and/or the SecurityRoleFilter to enable client authentication in nevisProxy. Its role is to connect nevisProxy to the remote nevisAuth authentication service via HTTP/SOAP. If explicitly configured to do so, the EsAuth4ConnectorServlet is also responsible for polling the authentication service to fetch the list of sessions that were terminated by nevisAuth.
ch::nevis::isiweb4::servlet::connector::soap::esauth4::Esauth4ConnectorServlet
libEsauth4SOAPConnectorServlet.so.1
Configuration
TargetURI
- Type: URI
- Usage Constraints: optional, basic
- Default:
/nevisauth/services/AuthenticationService
This attribute references the target URI of the nevisAuth Web service. A possible change of the deployment context path may require changing of this value.
Encoding
- Type: String
- Usage Constraints: optional, advanced
- Default:
UTF-8
This attribute specifies the default encoding to use for SOAP document encoding.
EnablePollTerminatedCalls
- Type: Boolean
- Usage Constraints: optional
- Default:
false
Enables the pollTerminatedSession feature. If you set this parameter to "true", nevisProxy calls nevisAuth for terminated sessions.
This polling feature is required only if your nevisAuth is configured to terminate sessions on its own. Otherwise enabling it will unnecessarily increase the load on nevisAuth and can degrade terminated sessions. Then enabling this parameter, it is recommended that you:
- Configure a single EsAuth4ConnectorServlet for all IdentityCreationFilters and SecurityRoleFilters that connect to the same nevisAuth instance in a web.xml file, or alternatively disable the polling for all Esauth4ConnectorServlets but one.
- Stick to the default value of the Transport.RequestTimeout parameter whenever possible, since lowering this value will increase the polling frequency.
In case several nevisProxy instances share their sessions in a remote session store and connect to the same nevisAuth instance, we also suggest that you enable the polling in a single EsAuth4ConnectorServlet for all the proxy instances. However, in this configuration the polling will stop if the corresponding instance gets down.
It is possible that this polling mechanism decreases the system performance. This can happen if several nevisProxy instances share a single nevisAuth instance or if a nevisProxy instance contains several Esauth4ConnectorServlets that are connected to the same nevisAuth instance. To reduce the load on nevisAuth, the polling mechanism is disabled by default. To enable the polling mechanism, set the servlet's parameter EnablePollTerminatedCalls to true
.
ReplaceIllegalXmlCharacters
- Type: String
- Usage Constraints: optional
Syntax:
/<character[s]>/
Some application frontends can send emojis containing characters that are not allowed by XML. This will cause an error because the request cannot be sent to nevisAuth. If you set this parameter, nevisProxy will replace all illegal XML characters with the configured character(s). Illegal characters are: 0x01 to 0x1f, except 0x09, 0x0a, and 0x0d.
Example: The following example replaces all special characters by a space: / /
.
LimitNumberOfEncodingExceptions
- Type: Integer
- Usage Constraints: optional
- Default:
5
If this property is more than 0 then before sending parameters from the user's request to nevisAuth, the parameters are tested if they can be encoded to the format configured with the Encoding property from the format set with user.locale
.
The parameters which cannot be encoded won't be sent to nevisAuth. After encountering the configured amount of unencodable parameters, further parameters are automatically dropped for the given request.
Setting this property to 0 disables this check. This is not recommended because in this case when there are unencodable parameters, the request won't be sent to nevisAuth.
Transport.*
You can use the following configuration attributes of the HttpsConnectorServlet with the Transport.
prefix. The list contains the default values if there is one.
Transport.Protocol=HTTP/1.1
Transport.URLEncoding=true
Transport.CheckForMultipleIpAddresses=false
Transport.DNSCache=true
Transport.DNSCache.ttl=3600
Transport.InetAddress=, Required
Transport.HostName=, Optional
Transport.HostName.StripDefaultPort=true
Transport.KeepAlive=true
Transport.KeepAlive.LifeTime=600
Transport.KeepAlive.InactiveInterval=60
Transport.KeepAlive.ConnectionPoolSize=50
Transport.KeepAlive.ByClient=false
Transport.KeepAlive.RetryOnFail=true
Transport.BlockSize=8192
Transport.ResponseLineSize=4096
Transport.RequestTimeout=120000
Transport.ConnectTimeout=15000
Transport.LoadBalancing=false
Transport.SetServerHeader=false
Transport.ResourceManager=ch::nevis::isiweb4::servlet::connector::base::SessionResourceManager
Transport.ResourceManager.RetryTimeout=10
Transport.ResourceManager.RetryBindingTimeout=7200
Transport.ResourceManager.DisablePing=, Required
Transport.OutboundProxy=, Optional
Transport.SSLProtocol=-all +TLSv1.2 +TLSv1.3
Transport.SSLCipherSuites=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
(secure default: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256)
Transport.SSLCache=on
Transport.SSLCheckPeerHostname=true
Transport.UseSSL=true
Transport.SSLClientCertificateFile=, Required
Transport.SSLClientKeyFile=, Optional
Transport.SSLCACertificateFile=, Required
Transport.DisableBindingStatusCode=, Optional
Transport.DelegateHeader=, Optional
Transport.ConnectionRetries=, Optional
Transport.SSLOpenSSLConfCmd=, Optional
Transport.EnableMetrics=false
The Transport.RequestTimeout attribute also defines the polling frequency. The maximum interval between two polling calls to nevisAuth is 1/3*Transport.RequestTimeout
.
The following configuration attributes of the Http(s)ConnectorServlet have hard-coded values and cannot be overwritten:
ProtocolExtension="none"
CookieManager.CookieBinding="none"
CookieManager.DefaultCookiePath="/"
AutoRewrite="none"
MappingType="requesturi"
CookieManager="off"
ProxyPolicy="stealth commit-response"