Hi Chamindu,
A couple of questions came to my mind:

1. What will be the case if both headers are provided? Are we doing both
validations?
2. Do we have an expiry time for this cookie?
3. In the case of an invalid cookie, how can one obtain a new valid cookie?


Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware


On Fri, Jan 4, 2019 at 5:04 PM Chamindu Udakara <chami...@wso2.com> wrote:

> Hi All,
>
> My project is to add cookie based authentication for the micro-gateway. This
> is the approach that I have come up with. Please review and let me know
> what you think, and please be kind enough to share your suggestions.
>
> Requirement
>
> Provide authentication for the product micro-gateway with cookie based
> authentication, which uses session HTTP cookies for authentication.
>
> Suggested Approach
>
> When a user invokes an API with a cookie, the micro-gateway has to validate
> that cookie prior to the response. The list of cookies included in the HTTP
> request, which are used to authenticate, has to be extracted from the request.
> From all extracted cookies, their respective session ID values have to be
> extracted properly.
>
> The Authn filter will check the incoming request to the micro-gateway and
> determine whether it contains an "Authorization" header or a "Cookie" header.
> If the header is "Cookie", then the cookie validation process will be
> executed and the cookie will be validated. If not, it will execute as a
> normal request which contains an "Authorization" header. The session ID of
> the required cookie can be provided to the server as a direct key-value pair
> at micro-gateway server startup.
>
> if (request.hasHeader(authHeaderName)) {
>     authHeader = request.getHeader(authHeaderName);
> } else if (request.hasHeader(COOKIE_HEADER)) {
>     // Authentication with HTTP cookies
>     CookieBasedAuth cookieBasedAuth = new CookieBasedAuth();
>     result = cookieBasedAuth.processRequest(listener, request, context);
> } else {
>     log:printError("No authorization header was provided");
>     setErrorMessageToFilterContext(context, API_AUTH_MISSING_CREDENTIALS);
>     sendErrorResponse(listener, request, untaint context);
>     return false;
> }
>
> The above code segment will do the identification of the header type of the
> incoming request. Then the validation process will be done in a separate
> file named "cookie.bal". In this file, the extraction of the session ID
> and validation of that ID against the value given at server startup will be
> done. For that I have implemented a new function, "ProcessRequest",
> which returns a string or an error. If any of the cookies included in the
> request is not equal to the given ID, then the validation process will
> fail. If it fails, then it throws an error and the authnFilter will
> fail. If the session ID of any cookie matches the given one, then that
> ID will be returned to the authnFilter for further execution there.
>
> public function processRequest(http:Listener listener, http:Request request,
>                                http:FilterContext context) returns string|error {
>     // Session ID the gateway expects, read from config at server startup
>     string requiredCookie = config:getAsString(COOKIE_HEADER, default = "");
>     // Extract the cookies from the incoming request
>     string authHead = request.getHeader(COOKIE_HEADER);
>     string[] cookies = authHead.trim().split(";");
>     foreach cookie in cookies {
>         string[] sessionIds = cookie.trim().split("=");
>         // A cookie without "=" has no value part; skip it rather than
>         // indexing past the end of the array
>         if (lengthof sessionIds > 1 && sessionIds[1] == requiredCookie) {
>             return sessionIds[1];
>         }
>     }
>     error notFound = {message:"No matched cookie found"};
>     return notFound;
> }
>
>
>
> Chamindu Udakara
> Software Engineering Intern
> WSO2 (University of Moratuwa)
> mobile: +94 755285531 | email: cudak...@gmail.com
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
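The parsing and validation logic proposed in the thread, modelled in Python as an added example rather than the micro-gateway's own Ballerina code. It covers the two points a reviewer would check in the posted processRequest: a cookie without "=" (which would index out of range), and comparing only the named session cookie in constant time. The cookie name and the configured session ID are assumed placeholders, since the thread fixes the ID at startup but never names the cookie; select_auth_path mirrors the filter's header precedence and so also answers the "both headers" question above.

```python
import hmac

# Placeholders: the thread sets the expected ID at startup but never names the cookie.
SESSION_COOKIE_NAME = "JSESSIONID"
CONFIGURED_SESSION_ID = "session-id-set-at-gateway-startup"


def parse_cookie_header(header):
    """Parse a Cookie header into {name: value}, skipping malformed pairs.

    Taking index 1 after splitting on '=' (as in the proposal) fails on a bare
    token such as 'flag'; such tokens are ignored here instead.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name.strip():
            continue  # no '=' or empty name: malformed, ignore it
        # Clients send the cookie for the most specific path first; keep that one.
        cookies.setdefault(name.strip(), value.strip())
    return cookies


def validate_session_cookie(header, expected_id, cookie_name=SESSION_COOKIE_NAME):
    """Return the session ID if the named cookie equals expected_id, else None.

    Only the named cookie is compared, and the comparison is constant-time so
    response timing does not reveal how many leading characters matched.
    """
    presented = parse_cookie_header(header).get(cookie_name)
    if presented is None:
        return None
    if hmac.compare_digest(presented.encode("utf-8"), expected_id.encode("utf-8")):
        return presented
    return None


def select_auth_path(headers, expected_id):
    """Mirror the proposed filter order: Authorization first, then Cookie.

    Returns (path, principal); path is 'authorization', 'cookie', 'invalid-cookie'
    or 'missing'. With both headers present the Cookie header is never checked.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    if "authorization" in lower:
        return ("authorization", lower["authorization"])
    if "cookie" in lower:
        sid = validate_session_cookie(lower["cookie"], expected_id)
        return ("cookie", sid) if sid else ("invalid-cookie", None)
    return ("missing", None)
```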