2020-05-14 23:29:41 +02:00
|
|
|
Handling server webservice calls
|
|
|
|
|
================================
|
|
|
|
|
|
|
|
|
|
In modern applications, web application may need to request some other
|
|
|
|
|
web applications on behalf of the authenticated users. There are three
|
|
|
|
|
ways to do this:
|
|
|
|
|
|
2022-04-23 17:09:18 +02:00
|
|
|
- the Ugly: provide to all applications SSO cookie. Not secured
|
2020-05-14 23:29:41 +02:00
|
|
|
because SSO cookie can be caught and used everywhere, every time by
|
|
|
|
|
everyone!!! **NOT RECOMMENDED**.
|
2022-04-23 17:09:18 +02:00
|
|
|
- the Bad (:doc:`Secure Token Handler<securetoken>`): **Deprecated**.
|
|
|
|
|
Should be used for specific cases
|
|
|
|
|
- the Good (Service Token Handler): See below! (Thanks Sergio...)
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
The "Bad" method consists to give the token (cookie value) to WebApp1
|
|
|
|
|
which uses it as cookie header in its request. Since 2.0 version, LL::NG
|
2022-04-23 17:09:18 +02:00
|
|
|
gives a better way (the Good!) to do this by using limited scope
|
2020-05-14 23:29:41 +02:00
|
|
|
tokens.
|
|
|
|
|
|
|
|
|
|
Tokens are time limited (30 seconds by default) and URL restricted.
|
|
|
|
|
|
|
|
|
|
|Kinematic|
|
|
|
|
|
|
|
|
|
|
Webapp1 handler configuration
|
|
|
|
|
-----------------------------
|
|
|
|
|
|
2022-04-23 17:09:18 +02:00
|
|
|
Select **Main** handler type to protect WebApp1 and append a header containing:
|
2020-05-14 23:29:41 +02:00
|
|
|
|
2020-05-21 15:13:24 +02:00
|
|
|
.. code-block:: perl
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
token( $_session_id, 'webapp2.example.com', 'webapp3.example.com', 'serviceHeader1=webapp1.example.com', "testHeader=$uid" )
|
|
|
|
|
|
|
|
|
|
WebApp1 can read this header and use it in its requests by setting the
|
2022-04-23 17:09:18 +02:00
|
|
|
``X-LLNG-TOKEN`` header. The token is built by using the ``token`` extended
|
|
|
|
|
with session ID and authorized virtualhosts list parameters. A Service Token is valide
|
|
|
|
|
for the specified virtual hosts only and during 30 seconds by default. It can also be
|
|
|
|
|
used for sending service headers (headerName1=headerValue1) to requested
|
|
|
|
|
apps. Can be useful to send the origin host by example. Service headers are
|
|
|
|
|
sent to ALL requested applications.
|
2020-05-14 23:29:41 +02:00
|
|
|
|
2022-04-23 17:09:18 +02:00
|
|
|
You can set Service Token TTL by editing virtualHost options in Manager
|
|
|
|
|
for each requested virtualHost.
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
You can also set ServiceToken default timeout (30 seconds) by editing
|
|
|
|
|
``lemonldap-ng.ini`` in section [handler]:
|
|
|
|
|
|
2020-05-21 15:13:24 +02:00
|
|
|
.. code-block:: ini
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
[handler]
|
|
|
|
|
handlerServiceTokenTTL = 30
|
|
|
|
|
|
|
|
|
|
|
2020-05-18 09:56:39 +02:00
|
|
|
.. note::
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
Service token timeout can be set for each virtual hosts.
|
|
|
|
|
|
|
|
|
|
Webapp2 handler configuration
|
|
|
|
|
-----------------------------
|
|
|
|
|
|
|
|
|
|
Change handler type to **ServiceToken**. So it is able to manage both
|
2022-04-23 17:09:18 +02:00
|
|
|
user and server connections. And that's all!
|
2020-05-14 23:29:41 +02:00
|
|
|
|
|
|
|
|
.. |Kinematic| image:: documentation/server_to_server.png
|
|
|
|
|
|
