Authentication filters
An authentication filter specifies how a request for application resources is authenticated. You can set authentication filters to secure different types of HTTP servlet requests with different authentication mechanisms, such as SPNEGO or JSON Web Tokens.
Authentication mechanisms in Open Liberty are managed by the server configuration. In an application where different kinds of protected resources require different authentication mechanisms, authentication filters can control how authentication is managed for each resource. You can configure authentication filters in your server.xml file to look for different characteristics of a request, such as URL pattern, IP address, domain name, browser type, and more.
For example, in a banking application, resources for customers might be accessible through social media login while resources for administrators are secured by SPNEGO. In that case, you can configure an authentication filter to secure requests that contain the /mywebapp URL pattern with social media login. You can set another authentication filter to secure requests that contain the /EmployeeRoleServlet URL pattern with SPNEGO.
Open Liberty supports authentication filters for various authentication mechanisms, including JSON Web Tokens, Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), and Social Media Login.
For example, you can configure an authentication filter for the Social Media Login feature to secure requests from a web application with Google credentials. In the following example, request URLs that contain the /mywebapp pattern are authenticated by using Google credentials:
<googleLogin authFilterRef="authFilter1" clientId="your app id" clientSecret="your app secret" />
<authFilter id="authFilter1">
    <requestUrl
        id="myUrlFilter"
        urlPattern="/mywebapp"
        matchType="contains" />
</authFilter>
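The banking scenario described earlier, written out as one server.xml fragment with a separate filter bound to each mechanism. This is an added example, not taken from the Open Liberty documentation: the filter and element ids and the google.client.id and google.client.secret variables are assumptions, and TLS and Kerberos settings are omitted.

```xml
<server description="Banking app: two mechanisms, two filters (added example)">
    <featureManager>
        <feature>socialLogin-1.0</feature>
        <feature>spnego-1.0</feature>
    </featureManager>

    <!-- Customer resources: requests whose URL contains /mywebapp use Google login.
         google.client.id and google.client.secret are assumed variables, defined
         outside this file so that the secret is not stored in server.xml. -->
    <googleLogin authFilterRef="customerFilter"
                 clientId="${google.client.id}"
                 clientSecret="${google.client.secret}" />
    <authFilter id="customerFilter">
        <requestUrl id="customerUrl" urlPattern="/mywebapp" matchType="contains" />
    </authFilter>

    <!-- Administrator resources: requests whose URL contains /EmployeeRoleServlet
         use SPNEGO. Assumes the Kerberos configuration and keytab files are in
         their default locations, so only the filter reference is set here. -->
    <spnego id="employeeSpnego" authFilterRef="employeeFilter" />
    <authFilter id="employeeFilter">
        <requestUrl id="employeeUrl" urlPattern="/EmployeeRoleServlet" matchType="contains" />
    </authFilter>
</server>
```

Because both filters use the contains match type, a URL such as /mywebapp/EmployeeRoleServlet satisfies both of them, so choose patterns that cannot appear in the same request URL.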
You can also specify a piped list of values to filter to an authentication mechanism. In the following example, a piped list of web applications is specified. To process an incoming request with the mechanism that uses this filter, the request must target any of the myApp1, myApp2, or myApp3 applications.
<authFilter id="myAuthFilter">
    <webApp id="myWebApp" name="myApp1|myApp2|myApp3" matchType="contains"/>
</authFilter>
For more information, see the authFilter element documentation.