Form Authentication

With this authentication method, user accounts and passwords are managed in a YAML configuration file. Users authenticate by entering their login name and password into the EDG login form. Logout is supported.

Considerations

Form authentication is a simple option that can be set up quickly and does not require integration with an external identity provider.

However, it is generally a poor long-term solution. A system administrator must edit a configuration file to onboard or remove users or to change passwords. When possible, implement an enterprise single sign-on (SSO) strategy with SAML or OpenID Connect instead.

Form authentication is cumbersome for API clients. If form authentication is used, and API clients need access to the EDG APIs, then an additional API authentication method such as HTTP Basic Authentication should be configured.

Configuring

To enable form authentication, add or uncomment the following line in the setup file (edg-setup.properties):

endUserAuthMethod = form

User management

User accounts are defined in users.yaml, as described in "The users.yaml file".

Authenticating API requests

While not recommended, it is possible for API clients to access EDG APIs using form authentication. This involves obtaining an authenticated HTTP session cookie and including that cookie with subsequent requests.

Assuming EDG is running at http://localhost:8083/, the general sequence is:

  1. Send a GET request to http://localhost:8083/ to obtain a JSESSIONID cookie

  2. Send a POST request to http://localhost:8083/j_security_check to authenticate, with login name in field j_username and password in j_password, using form-encoding. Include the JSESSIONID from the previous request, and note any updated value for that cookie in the server response

  3. Make authenticated requests by including the updated JSESSIONID cookie with each request

  4. Make an authenticated GET request to http://localhost:8083/logout to end the session and free resources

The following sections show these steps in detail with the curl HTTP command line client.

2. Submit login name and password to authentication endpoint

# Send the login name and password to the authentication endpoint.
# This sends the cookies stored in cookies.txt and saves the updated session cookie back to the same file.
curl -i -b cookies.txt -c cookies.txt -d j_username=user1 -d j_password=mypassword http://localhost:8083/j_security_check

3. Make authenticated requests

# This request (to the SPARQL API) is authenticated
curl -b cookies.txt -d "query=SELECT * { () teamwork:readableGraphsUnderTeamControl ?g }" http://localhost:8083/tbl/sparql

4. Log out to free seat

curl -b cookies.txt http://localhost:8083/logout
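The same four-step sequence carried out from a script with Python's standard library, as an added example that is not part of the EDG documentation. FormAuthClient performs the client side (including the initial GET of step 1); MockEDG is a constructed stand-in for EDG that only models the cookie behaviour described above (a new JSESSIONID after a successful login, 401 for unauthenticated API calls); the user1/mypassword account, the "results" body and the 401 on a rejected login are assumptions, since the page does not state how EDG itself answers those cases.

```python
import http.cookiejar, secrets, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class FormAuthClient:  # client side of steps 1-4; the cookie jar carries JSESSIONID between them
    def __init__(self, base_url):
        self.base, self.jar = base_url.rstrip("/"), http.cookiejar.CookieJar()
        self.open = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar)).open
    def sid(self):  # current JSESSIONID value, or None
        return next((c.value for c in self.jar if c.name == "JSESSIONID"), None)
    def _post(self, path, fields):  # form-encoded POST; returns (status, body), 4xx included
        try:
            with self.open(self.base + path, data=urllib.parse.urlencode(fields).encode()) as r:
                return r.status, r.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, ""
    def login(self, user, pw):
        self.open(self.base + "/").read()                                             # step 1
        before = self.sid()
        status, _ = self._post("/j_security_check", {"j_username": user, "j_password": pw})  # 2
        if status != 200: raise PermissionError(f"login rejected: HTTP {status}")
        return before != self.sid()  # True when the server issued a fresh id after login
    def sparql(self, query):                                                          # step 3
        return self._post("/tbl/sparql", {"query": query})
    def logout(self):                                                                 # step 4
        self.open(self.base + "/logout").read(); self.jar.clear()

class MockEDG(BaseHTTPRequestHandler):  # constructed stand-in, not EDG: models the cookie flow
    users, authed = {"user1": "mypassword"}, set()        # constructed account; logged-in ids
    def _sid(self): return (self.headers.get("Cookie") or "").replace("JSESSIONID=", "").strip() or None
    def _reply(self, code, body=b"", sid=None):
        self.send_response(code)
        if sid: self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.end_headers(); self.wfile.write(body)
    def do_GET(self):
        if self.path == "/logout": self.authed.discard(self._sid()); return self._reply(200)
        self._reply(200, b"login form", sid=self._sid() or secrets.token_hex(8))  # anonymous id
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = {k: v[0] for k, v in urllib.parse.parse_qs(raw).items()}
        if self.path == "/j_security_check":
            if self.users.get(form.get("j_username")) != form.get("j_password", ""): return self._reply(401)
            new = secrets.token_hex(8); self.authed.add(new); return self._reply(200, b"ok", sid=new)  # rotated
        if self.path == "/tbl/sparql" and self._sid() in self.authed: return self._reply(200, b"results")
        self._reply(401)  # unauthenticated API call (assumed response; the page does not state EDG's)

def start_mock_edg():  # serve the stand-in on a free localhost port; returns its base URL
    srv = HTTPServer(("127.0.0.1", 0), MockEDG)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"
```

Pointing FormAuthClient at a real EDG instance (for example http://localhost:8083/) reproduces the curl sequence above; the value returned by login() tells you whether the server replaced the pre-login JSESSIONID, which is the cookie change step 2 asks you to watch for.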

See also