<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.infinite-erp.co.id/index.php?action=history&amp;feed=atom&amp;title=Authentication</id>
	<title>Authentication - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.infinite-erp.co.id/index.php?action=history&amp;feed=atom&amp;title=Authentication"/>
	<link rel="alternate" type="text/html" href="https://wiki.infinite-erp.co.id/index.php?title=Authentication&amp;action=history"/>
	<updated>2026-04-06T18:42:29Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.31.1</generator>
	<entry>
		<id>https://wiki.infinite-erp.co.id/index.php?title=Authentication&amp;diff=2811&amp;oldid=prev</id>
		<title>Wikiadmin: Created page with &quot;== Introduction ==  In context of Openbravo ''Authentication'' is the act verifying a Users' identity. This can be done by asking for Username &amp; Password and verify it against...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.infinite-erp.co.id/index.php?title=Authentication&amp;diff=2811&amp;oldid=prev"/>
		<updated>2021-12-16T05:16:10Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;== Introduction ==  In context of Openbravo &amp;#039;&amp;#039;Authentication&amp;#039;&amp;#039; is the act verifying a Users&amp;#039; identity. This can be done by asking for Username &amp;amp; Password and verify it against...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
In the context of Openbravo, ''Authentication'' is the act of verifying a user's identity. This can be done by asking for a username &amp;amp; password and verifying them against the built-in ''AD_User'' table, or by any other mechanism.&lt;br /&gt;
&lt;br /&gt;
The process of ''Authorization'', which determines which actions (like opening a specific window or launching a process) an authenticated user is allowed to perform, is a separate topic and out of scope for this article.&lt;br /&gt;
&lt;br /&gt;
== How authentication works in Openbravo ERP ==&lt;br /&gt;
&lt;br /&gt;
When a user wants to gain access to an Openbravo ERP resource, Openbravo ERP asks the authentication manager for the application User Id of the user requesting access to that resource. If the user has not been authenticated before, the authentication provider is responsible for authenticating this user.&lt;br /&gt;
&lt;br /&gt;
The following describes the flow of events happening when using the [https://code.openbravo.com/erp/devel/pi/file/tip/src/org/openbravo/authentication/basic/DefaultAuthenticationManager.java ''DefaultAuthenticationManager'']:&lt;br /&gt;
&lt;br /&gt;
* On the first visit to any Openbravo URL, a Cookie is sent back to the browser so that the usual HTTP-Session can be created and the user's requests grouped together.&lt;br /&gt;
* The Authentication Manager's ''authenticate'' method is called to check whether the session has already been authenticated. The DefaultAuthenticationManager's implementation checks for a special attribute in the HTTP-Session object to decide whether this session is authenticated or not. As it is not yet authenticated, it redirects the user to the standard Openbravo Login-Page asking for User &amp;amp; Password.&lt;br /&gt;
* When the Login Form is submitted, the [https://code.openbravo.com/erp/devel/pi/file/tip/src/org/openbravo/base/secureApp/LoginHandler.java LoginHandler] class verifies those credentials against the ''AD_User'' table and, if they are accepted, sets a special attribute in the HttpSession to mark this session as authenticated and to store the userID of the authenticated user.&lt;br /&gt;
* Then a redirect to the previously requested page is done.&lt;br /&gt;
* For this request the AuthenticationManager's ''authenticate'' method is called again. As the attribute is now set in the HttpSession corresponding to this request, it returns the userID of the authenticated User and the request continues to be handled in the usual way.&lt;br /&gt;
* The same now happens for any following request while normally using the application.&lt;br /&gt;
* This session will be invalidated by any of the following three events:&lt;br /&gt;
** Explicit logout by the user&lt;br /&gt;
** Session-Timeout (invalidating the HttpSession)&lt;br /&gt;
** Clear Browser-Cookie by the User&lt;br /&gt;
* In that case the flow is back to the first step and the same cycle begins again.&lt;br /&gt;
&lt;br /&gt;
Note that this only describes the flow of events when using the DefaultAuthenticationManager. Other implementations may do this differently, e.g. by not using the standard Openbravo Login-page at all, or by using another mechanism to mark the HTTP-Session as authenticated.&lt;br /&gt;
&lt;br /&gt;
== How to configure the authentication manager in Openbravo ERP ==&lt;br /&gt;
&lt;br /&gt;
The authentication manager used in Openbravo ERP is defined in the configuration file [[Openbravo.properties]]. In the property ''authentication.class'' you have to write the class name of the authentication provider that Openbravo will use for this purpose.&lt;br /&gt;
&lt;br /&gt;
Openbravo includes three ''AuthenticationManager'' implementations:&lt;br /&gt;
&lt;br /&gt;
=== Default Authentication Manager ===&lt;br /&gt;
&lt;br /&gt;
This is the default authentication manager provided by Openbravo. It is the classic authentication method that uses the current Openbravo login page to authenticate users.&lt;br /&gt;
&lt;br /&gt;
After installing Openbravo ERP you do not need to configure anything if you want to use this authentication manager, which is the classic method by which Openbravo authenticates application users.&lt;br /&gt;
&lt;br /&gt;
=== LAM Authentication Manager (external module) ===&lt;br /&gt;
&lt;br /&gt;
This authentication manager allows Openbravo to be connected to a LAM/CAS-server setup, which provides central authentication and Single Sign-On session management.&lt;br /&gt;
&lt;br /&gt;
This functionality has been separated from the main Openbravo 3 distribution and is optionally available as a module.&lt;br /&gt;
&lt;br /&gt;
More details on this can be found in the wiki page of the [http://forge.openbravo.com/projects/lamauthenticationmanager project].&lt;br /&gt;
&lt;br /&gt;
== Getting Authentication Manager ==&lt;br /&gt;
{{(!) | Available from '''3.0MP7'''}}&lt;br /&gt;
&lt;br /&gt;
To obtain an instance of the Authentication Manager defined in the Openbravo.properties, it is possible to use the ''AuthenticationManager.getAuthenticationManager'' method.&lt;br /&gt;
&lt;br /&gt;
== Develop your own Authentication Manager ==&lt;br /&gt;
&lt;br /&gt;
{{ (!) | This implementation is available from '''3.0MP7'''. From '''3.0MP4''' to '''3.0MP6''', the same is valid but web service implementation is not present in ''AuthenticationManager''. For versions previous to '''3.0MP4''', ''AuthenticationManager'' was an interface, check [[Projects/CodeCleanupOB3#AuthenticationManager_changes|here]] how it worked. }}&lt;br /&gt;
&lt;br /&gt;
You can also develop your own Authentication manager. To do this you have to create a new Java class that extends the abstract class [https://code.openbravo.com/erp/devel/pi/file/tip/src/org/openbravo/authentication/AuthenticationManager.java org.openbravo.authentication.AuthenticationManager]. This class has the following methods:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;java&amp;quot;&amp;gt;&lt;br /&gt;
  public void init(HttpServlet s) throws AuthenticationException;&lt;br /&gt;
&lt;br /&gt;
  public final String authenticate(HttpServletRequest request, HttpServletResponse response)&lt;br /&gt;
      throws AuthenticationException, ServletException, IOException;&lt;br /&gt;
&lt;br /&gt;
  public final String webServiceAuthenticate(HttpServletRequest request)&lt;br /&gt;
      throws AuthenticationException;&lt;br /&gt;
&lt;br /&gt;
  public final String webServiceAuthenticate(String user, String password)&lt;br /&gt;
      throws AuthenticationException;&lt;br /&gt;
&lt;br /&gt;
  public final String connectorAuthenticate(HttpServletRequest request)&lt;br /&gt;
      throws AuthenticationException;&lt;br /&gt;
&lt;br /&gt;
  public final String connectorAuthenticate(String user, String password)&lt;br /&gt;
      throws AuthenticationException;&lt;br /&gt;
&lt;br /&gt;
  protected abstract String doAuthenticate(HttpServletRequest request, HttpServletResponse response)&lt;br /&gt;
      throws AuthenticationException, ServletException, IOException;&lt;br /&gt;
&lt;br /&gt;
  protected String doWebServiceAuthenticate(HttpServletRequest request);&lt;br /&gt;
&lt;br /&gt;
  protected String doWebServiceAuthenticate(String user, String password);&lt;br /&gt;
&lt;br /&gt;
  public final void logout(HttpServletRequest request, HttpServletResponse response)&lt;br /&gt;
      throws ServletException, IOException;&lt;br /&gt;
&lt;br /&gt;
  protected abstract void doLogout(HttpServletRequest request, HttpServletResponse response)&lt;br /&gt;
      throws ServletException, IOException;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The method ''init'' is called after the class is instantiated. It can be used to read the configuration parameters of the authentication manager if needed.&lt;br /&gt;
&lt;br /&gt;
The method ''authenticate'' is called for every single request that requires authentication. It invokes the abstract ''doAuthenticate'' method which, if the request is authenticated, must return the userId of the authenticated user. This id must be a valid ad_user_id of an existing entry in the ''AD_User'' table.&lt;br /&gt;
&lt;br /&gt;
Otherwise the method must perform the steps needed to acquire authentication and then return ''null'' as the return value. Usually this consists of redirecting the user to some kind of ''Login-Page'' and asking for credentials.&lt;br /&gt;
After these have been verified, the ''authenticate'' method will be called again for the next request and will now succeed and return the userId as described above.&lt;br /&gt;
&lt;br /&gt;
The method ''logout'' is called when the user requests to close the current session. This method invokes the abstract ''doLogout''. The work expected from the authentication manager is to invalidate the existing session and redirect the user to a page where a new login can be done.&lt;br /&gt;
&lt;br /&gt;
{{(!) | Starting from [[Release_Notes/3.0PR18Q1.4|3.0PR18Q1.4]], &amp;lt;code&amp;gt;AuthenticationManager&amp;lt;/code&amp;gt;s whose authentication page is served outside Openbravo code, for example by a Single Sign On service, must override the &amp;lt;code&amp;gt;useExternalLoginPage&amp;lt;/code&amp;gt; method, returning &amp;lt;code&amp;gt;true&amp;lt;/code&amp;gt;. }}&lt;br /&gt;
&lt;br /&gt;
{{(!) | Note for implementation: The ''authenticate'' method is always called with DAL adminMode being active, so code inside it does not need to manage the adminMode on its own.}}&lt;br /&gt;
&lt;br /&gt;
=== Web Services and Connectors ===&lt;br /&gt;
&lt;br /&gt;
{{ (!) | All external authenticated services '''must''' make use of ''webServiceAuthenticate'' authentication. Authorized ''Connectors'' can use ''connectorAuthenticate''. }}&lt;br /&gt;
&lt;br /&gt;
Web Service authentication invokes ''webServiceAuthenticate'' and connectors invoke ''connectorAuthenticate''; both of them call ''doWebServiceAuthenticate''. The default implementation of this method performs standard authentication: it first checks whether user (''l'') and password (''p'') are sent as request parameters and, if not, performs basic authentication. Authentication managers can override ''doWebServiceAuthenticate'' in case a different authentication is needed.&lt;br /&gt;
&lt;br /&gt;
''webServiceAuthenticate'' and ''connectorAuthenticate'' are overloaded to accept either an ''HttpServletRequest'' parameter (the default one) or ''String, String'' parameters. The second variant should be used by other services where the default one is not suitable; it receives the user and password as parameters.&lt;br /&gt;
&lt;br /&gt;
[[Category:Concepts]]&lt;/div&gt;</summary>
		<author><name>Wikiadmin</name></author>
		
	</entry>
</feed>