
13 Servlet Authentication Filters

A Servlet Authentication Filter is a provider type that performs pre- and post-processing for authentication functions, including identity assertion. A Servlet Authentication Filter is a special type of security provider that primarily acts as a helper to an Authentication provider.

The ServletAuthenticationFilter interface defines the security service provider interface (SSPI) for authentication filters that can be plugged in to WebLogic Server. You implement the ServletAuthenticationFilter interface as part of an Authentication provider, and typically as part of the Identity Assertion form of Authentication provider, to signal that the Authentication provider has authentication filters that it wants the servlet container to invoke during the authentication process.

The following sections describe Servlet Authentication Filter interface concepts and functionality, and provide step-by-step instructions for developing a Servlet Authentication Filter:

■ Section 13.1, Authentication Filter Concepts
■ Section 13.2, How Filters Are Invoked
■ Section 13.3, Example of a Provider that Implements a Filter
■ Section 13.4, How to Develop a Custom Servlet Authentication Filter

13.1 Authentication Filter Concepts

Filters, as defined by the Java Servlet API 2.3 specification, are preprocessors of the request before it reaches the servlet, and/or postprocessors of the response leaving the servlet. Filters provide the ability to encapsulate recurring tasks in reusable units and can be used to transform the response from a servlet or JSP page. Servlet Authentication Filters are an extension of the filter object that allows filters to replace or extend container-based authentication.

13.1.1 Why Filters are Needed

The WebLogic Security Framework allows you to provide a custom Authentication provider. However, due to the nature of the Java Servlet API 2.3 specification, the interaction between the Authentication provider and the client or other servers is architecturally limited during the authentication process. This restricts authentication mechanisms to those that are compatible with the authentication mechanisms the Servlet container offers: basic, form, and certificate.

Filters have fewer architectural limitations; that is, they are not dependent on the authentication mechanisms offered by the Servlet container. By allowing filters to be invoked prior to the container beginning the authentication process, a security realm can implement a wider scope of authentication mechanisms. For example, a Servlet Authentication Filter could redirect the user to a SAML provider site for authentication.

JAAS LoginModules within a WebLogic Authentication provider can be used for customization of the login process. Customizing the location of the user database, the types of proof material required to execute a login, or the population of the Subject with groups is implemented via a LoginModule. Conversely, redirecting to a remote site to execute the login, extracting login information out of the query string, and negotiating a login mechanism with a browser are implemented via a Servlet Authentication Filter.

13.1.2 Servlet Authentication Filter Design Considerations

You should consider the following design considerations when writing Servlet Authentication Filters:

■ Do you need to allow multiple filters to be specified? You might want to allow this so that administrative decisions can be made at configuration time.
■ Do you depend on a particular order of execution? Servlet Authentication Filters must not be dependent on the order in which filters are executed.
■ Have you considered allowing each filter to process the request both before and after authentication? If so, the filter should not make any assumptions about when it is being invoked.
■ Consider allowing each filter to have the option of stopping the execution of the remaining filters and the Servlet's authentication process by not calling the Filter's doFilter() method.
■ Do you need to allow a filter to cause the browser to redirect?
■ Consider allowing a filter to work for 1-way SSL, 2-way SSL, identity assertion, form authentication, and basic authentication. For example, form authentication is a two-request process and the filter is called twice for form authentication.
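The following is an added example of a filter written against the considerations above; it is not code from this guide or from WebLogic Server. It is the kind of javax.servlet.Filter an Identity Assertion provider would hand to the container through its ServletAuthenticationFilter implementation. The remote login URL, the return_to parameter, and the login_token query parameter are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not WebLogic's own code) that redirects unauthenticated users to a
 * remote login site. It makes no assumption about its position among other filters or
 * about whether it is running before or after container authentication, and it stops
 * the chain by not calling chain.doFilter() when it redirects.
 */
public class RemoteLoginRedirectFilter implements Filter {
    // Hypothetical external identity provider that performs the actual login.
    private static final String REMOTE_LOGIN_URL = "https://idp.example.invalid/login";
    // Hypothetical query parameter the remote site appends when sending the user back.
    private static final String TOKEN_PARAM = "login_token";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Post-authentication invocation, or an earlier filter already established an
        // identity: nothing to do, so pass the request on.
        if (request.getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }

        // Second request of the two-request flow: the remote site sent the browser back
        // with a token in the query string. The filter only surfaces it; validating the
        // token is the job of the Identity Assertion provider this filter belongs to.
        if (request.getParameter(TOKEN_PARAM) != null) {
            chain.doFilter(req, res);
            return;
        }

        // First request: send the browser to the remote login site. Not calling
        // chain.doFilter() stops the remaining filters and the container's own login.
        String returnTo = request.getRequestURL().toString();
        response.sendRedirect(REMOTE_LOGIN_URL + "?return_to=" + URLEncoder.encode(returnTo, "UTF-8"));
    }

    public void destroy() { }
}
```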

13.2 How Filters Are Invoked