nzilbb / labbcat-server

Server components for LaBB-CAT
GNU Affero General Public License v3.0

How to replace the basic authentication with webform-based authentication? #38

Closed fishfree closed 2 months ago

fishfree commented 2 months ago

Webform-based authentication is more convenient to create and moderate users with the admin account.

robertfromont commented 2 months ago

You can replace BASIC authentication with FORM authentication by supplying the corresponding configuration in web.xml, and the related login form file. This should work fine for the web-browser front end.

However, it's not advisable to make this change if you intend to use programmatic access to LaBB-CAT from Python/R etc. The client libraries for Python, R, NodeJS, and Java assume BASIC authentication, and won't work with a different authentication method.

(In fact, in the long term, the plan is to change to a JWT-based request authentication system, but that's a fair way off yet.)

If you don't want to use Python/R, and want to use FORM authentication anyway, you need to replace this tag in web.xml:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>LaBB-CAT</realm-name>
    </login-config>

... with something like this:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login-error.html</form-error-page>
      </form-login-config>
    </login-config>

Then you need to add a login.html file to the web app files (i.e. in the labbcat directory) with content like:

    <!DOCTYPE html>
    <html>
      <head><title>Login</title></head>
      <body>
        <form method="POST" action="j_security_check">
          <table>
            <tr>
              <td>Name:</td>
              <td><input type="text" name="j_username" /></td>
            </tr>
            <tr>
              <td>Password:</td>
              <td><input type="password" name="j_password" /></td>
            </tr>
            <tr>
              <td colspan="2"><input type="submit" value="Login" /></td>
            </tr>
          </table>
        </form>
      </body>
    </html>

...and similarly a login-error.html something like:

    <!DOCTYPE html>
    <html>
      <head><title>Login Failed</title></head>
      <body>
        <p>Login failed, please try again:</p>
        <form method="POST" action="j_security_check">
          <table>
            <tr>
              <td>Name:</td>
              <td><input type="text" name="j_username" /></td>
            </tr>
            <tr>
              <td>Password:</td>
              <td><input type="password" name="j_password" /></td>
            </tr>
            <tr>
              <td colspan="2"><input type="submit" value="Login" /></td>
            </tr>
          </table>
        </form>
      </body>
    </html>

This will work, but will give you no direct way to log out (which I'm guessing is what you're after). In order to achieve that, you can add a file called mvc/logout.jsp (i.e. logout.jsp in the mvc subdirectory) with this content:

    <%
    {
      // End the current session so the next request has to authenticate again
      session.invalidate();
      request.setAttribute("redirect", ".");
    }
    %>

Then, when you open the URL https://example.com/labbcat/logout you'll be logged out, and presented with a login form for logging in as a different user.
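
A consistency check for the FORM setup described in the comment above, as an added example that is not part of the original comment or of the LaBB-CAT code base: it parses web.xml and the two login pages and reports mismatches such as a missing page or a form that would send credentials by GET. The function names and the sample input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

def forms_in(html):
    """Return one dict per <form>: method, action and {input name: type}."""
    forms = []
    class Scan(HTMLParser):
        def handle_starttag(self, tag, attrs):
            a = dict(attrs)
            if tag == "form":
                forms.append({"method": (a.get("method") or "GET").upper(),
                              "action": a.get("action") or "", "inputs": {}})
            elif tag == "input" and forms:
                forms[-1]["inputs"][a.get("name")] = (a.get("type") or "text").lower()
    Scan().feed(html)
    return forms

def check_form_login(web_xml, pages):
    """web_xml: web.xml text; pages: {path: HTML text}. Returns a list of problems."""
    root = ET.fromstring(web_xml)
    # rsplit drops the "{namespace}" prefix ElementTree puts on namespaced tags
    cfg = next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "login-config"), None)
    if cfg is None:
        return ["no <login-config> in web.xml"]
    vals = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip() for e in cfg.iter()}
    problems = [] if vals.get("auth-method") == "FORM" else ["auth-method is not FORM"]
    for key in ("form-login-page", "form-error-page"):
        path = vals.get(key, "")
        if path not in pages:
            problems.append("%s %r is not among the web app files" % (key, path))
            continue
        forms = [f for f in forms_in(pages[path]) if f["action"].endswith("j_security_check")]
        if key == "form-login-page" and not forms:
            problems.append("%s has no form posting to j_security_check" % path)
        for f in forms:
            checks = [(f["method"] == "POST", "sends credentials with " + f["method"]),
                      ("j_username" in f["inputs"], "lacks a j_username field"),
                      (f["inputs"].get("j_password") == "password", "j_password is not type=password")]
            problems += ["%s %s" % (path, msg) for ok, msg in checks if not ok]
    return problems

# Constructed sample input mirroring the configuration described above.
WEB_XML = """<web-app><login-config><auth-method>FORM</auth-method>
<form-login-config><form-login-page>/login.html</form-login-page>
<form-error-page>/login-error.html</form-error-page></form-login-config>
</login-config></web-app>"""
FORM = ('<form method="POST" action="j_security_check"><input type="text" name="j_username" />'
        '<input type="password" name="j_password" /></form>')
PAGES = {"/login.html": FORM, "/login-error.html": "<p>Login failed</p>" + FORM}
```

An empty list from `check_form_login(WEB_XML, PAGES)` means the declared pages exist and post `j_username` and `j_password` to `j_security_check`.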

fishfree commented 2 months ago

@robertfromont Thank you very much! I will give it a try~