Request Header Session Authentication Plugin

Mindbreeze InSpire

Copyright ©

Mindbreeze GmbH, A-4020 Linz, 2018.

All rights reserved. All hardware and software names used are brand names and/or trademarks of their respective manufacturers.

These documents are strictly confidential. The submission and presentation of these documents does not confer any rights to our software, our services and service outcomes, or any other protected rights. The dissemination, publication, or reproduction hereof is prohibited.

For ease of readability, gender differentiation has been waived. Corresponding terms and definitions apply within the meaning and intent of the equal treatment principle for both sexes.

Introduction

The Request Header Session Authentication Plugin allows setting username and user groups via HTTP request headers for the Mindbreeze InSpire Client Service.

IMPORTANT:

The plugin must be used exclusively in environments where end users can reach the Mindbreeze InSpire Client only through an authenticated reverse proxy. The username and groups must be set by the reverse proxy based on the authentication. It is crucial that no user can supply these headers themselves, either by passing them through the proxy server or by directly accessing the Client Service.

Once the plugin is activated for a given Mindbreeze InSpire Client Service, the username and group list set in the configured HTTP request headers will be accepted without further checking and used for authorization of the search results.

Installation

The plugin is installable via the Mindbreeze InSpire Management Center by uploading the plugin archive in the “Plugins” panel of the “Configuration” section.

Configuration

Configuration requires activating the Request Header Session Authentication Plugin for the selected Client Service and setting the HTTP request header names that contain the user information in the plugin settings.

Activating the Plugin

In the “Client Services” panel, select the Client Service for which the plugin should be activated. Make sure that the Client Service has the “Credential Certificate” option set to an installed trusted client certificate.

Using the “Advanced Settings” view mode, navigate to the “Session Authentication Plugins” section of the Client Service configuration. In the plugin selector dropdown list, choose “SessionAuthenticationService.RequestHeaderAuthentication” and then click on “Add”.

Configuring the Plugin

After successfully adding the session authentication plugin to the selected Client Service, the plugin is ready for configuration:

Settings

Username Header

Name of the HTTP request header that contains the user name. The default is “X-Username”.

Groups Header

Name of the HTTP request header that contains the groups. The default is “X-Groups”.

Groups Header Splitter

Regular expression used to split the value of the groups header into a list of groups.

Convert Principals to Lowercase

If activated, username and groups retrieved from the request headers will be converted to lowercase.

As soon as the plugin is added and the configured Client Service is restarted with the new settings, the new authentication method is available.
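The requirement in the introduction, that only the reverse proxy may set the identity headers, can be modelled as follows. This is an added example, not Mindbreeze or proxy vendor code. The "," separator, the splitter regex and all function names are assumptions, and `split_groups` only models the “Groups Header Splitter” and “Convert Principals to Lowercase” settings.

```python
import re

# Default header names from the plugin settings on this page.
USERNAME_HEADER = "X-Username"
GROUPS_HEADER = "X-Groups"
# Assumptions: the proxy joins groups with "," and the plugin's
# "Groups Header Splitter" is configured with the matching regex below.
SEPARATOR = ","
SPLITTER = r"\s*,\s*"


def canon(name):
    # Header names are case-insensitive; CGI-style backends also map
    # "-" and "_" to the same name, so both spellings are treated alike.
    return name.lower().replace("_", "-")


IDENTITY = {canon(USERNAME_HEADER), canon(GROUPS_HEADER)}


def build_upstream_headers(client_headers, auth_user, auth_groups):
    """Headers the proxy forwards: every client-supplied identity header is
    dropped, then both are set from the proxy's own authentication result."""
    if not auth_user:
        raise PermissionError("unauthenticated request must not be forwarded")
    for value in (auth_user, *auth_groups):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in principal")
    if any(SEPARATOR in g for g in auth_groups):
        # Would be split into extra groups on the receiving side.
        raise ValueError("separator inside a group name")
    kept = [(n, v) for n, v in client_headers if canon(n) not in IDENTITY]
    return kept + [(USERNAME_HEADER, auth_user),
                   (GROUPS_HEADER, SEPARATOR.join(auth_groups))]


def split_groups(value, lowercase=False):
    # Model of a regex splitter plus lowercase conversion (hypothetical).
    groups = [g for g in re.split(SPLITTER, value.strip()) if g]
    return [g.lower() for g in groups] if lowercase else groups


# Constructed request: the client supplies its own identity headers.
SPOOFED = [("Accept", "text/html"), ("x-username", "admin"),
           ("X_Groups", "Administrators"), ("X-Groups", "Everyone")]

if __name__ == "__main__":
    out = build_upstream_headers(SPOOFED, "Alice", ["Sales", "Staff"])
    print(out)
    print(split_groups(dict(out)[GROUPS_HEADER], lowercase=True))
```

Whatever separator the proxy uses must match the configured splitter exactly, otherwise a single group value can be read as several groups or several as one.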