
Tech Tip: Prompting for Authentication in a Java Extension

by on 03-05-2013 08:05 AM - edited on 06-16-2015 04:44 PM by PaulWallace

This code snippet illustrates how to prompt for HTTP Basic Authentication using a Java Extension (see Feature Brief: Java Extensions in Stingray Traffic Manager). It could form the basis of a custom authentication method for your HTTP services. You'll need to fill in the details in the CheckCredentials() function to implement your custom check.

 

How does it work?

 

The extension sends back a '401 Authenticate' response to the client if the client has not provided authentication credentials, or if the client's credentials are not valid. This response will generally cause a client's browser to display a dialog box requesting a user's credentials:

 

[Screenshot: browser dialog requesting a user name and password]

This will occur repeatedly until the credentials are accepted and the client is given access.

 

The code

 

The significant parts are commented:

 

  • Additional Imports: we need a couple of additional classes
  • The doGet() method: extracts the user name and password, and prompts with a 401 Authenticate response if necessary
  • The CheckCredentials() function: this verifies the username and password (in this trivial example, it's sufficient that they match)

 

The rest of the code is as per the template in Writing Java Extensions - an introduction:

 

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Additional imports
import java.io.PrintWriter;
import com.zeus.ZXTMServlet.*;

public class JavaAuth extends HttpServlet {
   private static final long serialVersionUID = 1L;

   public void doGet( HttpServletRequest req, HttpServletResponse res )
      throws ServletException, IOException
   {
      try {
         ZXTMHttpServletRequest zreq = (ZXTMHttpServletRequest)req;

         // User name and password supplied by the client, or null if none were sent
         String[] userPass = zreq.getRemoteUserAndPassword();
         if( userPass == null ) throw new Exception( "No Authentication details" );

         // The exception text is written into the HTML response below, so it
         // must not contain the supplied user name or password
         if( ! CheckCredentials( userPass[0], userPass[1] ) )
            throw new Exception( "Credentials incorrect" );

         // No exceptions thrown... must have been successful
         return;
      } catch( Exception e ) {
         // Prompt (or re-prompt) the client for credentials
         res.setHeader( "WWW-Authenticate", "Basic realm=\"Please log in\"" );
         res.setHeader( "Content-Type", "text/html" );
         res.setStatus( 401 );

         String message =
            "<html>" +
            "<head><title>Unauthorized</title></head>" +
            "<body>" +
            "<h2>Unauthorized - please log in</h2>" +
            "<p>Please log in with your system username and password</p>" +
            "<p>Error: " + e.toString() + "</p>" +
            "</body>" +
            "</html>";

         PrintWriter out = res.getWriter();
         out.println( message );
      }
   }

   public void doPost( HttpServletRequest req, HttpServletResponse res )
      throws ServletException, IOException
   {
      // Apply the same authentication check to POST requests
      doGet( req, res );
   }

   // Trivial placeholder: accepts any request where the user name equals the
   // password. Replace the body with your custom check.
   private boolean CheckCredentials( String user, String pass )
   {
      return user.equals( pass );
   }
}

 

You would call this Java Extension from a TrafficScript request rule:

 

    java.run( "JavaAuth" );

 

If the authentication was not successful, the call to java.run() would not return because the Java Extension would write the response to the client.

 

If the authentication was successful, the java.run() function would return without taking any action and the request rule would continue to be processed.
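
One way to fill in CheckCredentials(), shown as an added example that is not part of the original article or the Stingray API: a salted PBKDF2 check with a constant-time comparison. The CredentialStore class, its in-memory map, the iteration count and the sample account are assumptions made for illustration, and the PBKDF2WithHmacSHA256 algorithm name assumes Java 8 or later.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper class for this example; not part of the Stingray API
public class CredentialStore {
    private static final int ITERATIONS = 100_000; // assumed work factor
    private static final int KEY_BITS = 256;
    // user name -> { salt, PBKDF2 hash }; in-memory only for this example
    private final Map<String, byte[][]> users = new HashMap<>();
    // Dummy record so that unknown users cost the same work as known ones
    private final byte[][] dummy;

    public CredentialStore() throws GeneralSecurityException {
        dummy = record("placeholder".toCharArray());
    }
    private static byte[] pbkdf2(char[] pass, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pass, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's copy of the password
        }
    }
    private static byte[][] record(char[] pass) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per account
        return new byte[][] { salt, pbkdf2(pass, salt) };
    }
    public void addUser(String user, char[] pass) throws GeneralSecurityException {
        users.put(user, record(pass));
    }
    // Body for CheckCredentials(): fails closed and never stores the clear password
    public boolean check(String user, String pass) {
        if (user == null || pass == null || pass.isEmpty()) return false;
        byte[][] rec = users.getOrDefault(user, dummy);
        try {
            byte[] candidate = pbkdf2(pass.toCharArray(), rec[0]);
            // Constant-time compare; '&' so both operands are always evaluated
            return MessageDigest.isEqual(candidate, rec[1]) & users.containsKey(user);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        CredentialStore store = new CredentialStore();
        store.addUser("alice", "correct horse".toCharArray()); // constructed sample account
        System.out.println(store.check("alice", "correct horse"));
        System.out.println(store.check("alice", "alice"));
        System.out.println(store.check("mallory", "placeholder"));
    }
}
```

In the extension, build the store once (for example in the servlet's init() method) and have CheckCredentials() return the result of store.check( user, pass ).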

 
