Child pages
  • Client state transfer in the Remote Authentication API enhancement
Skip to end of metadata
Go to start of metadata

Overvire

This TechNote describes the enhancement to the remote authentication API that enables the Servlet context objects on the client to be transferred to the server as part of the authentication process. This feature is off by default.

What's changed

In previous versions of OpenSSO/OpenAM, the remote authentication API did not have a method to transfer the following objects from the client to the server.

  • HttpServletRequest
  • HttpServletResponse
  • HttpSession

On the OpenAM server authentication modules can make use of these objects via the getHttpServletRequest/getHttpServletResponse methods in the AMLoginModule class. When the Authentication UI is used on the server, the correct objects are returned to the authentication module. When the Distributed Authentication UI is used, this methods will either return null or invalid objects. 
This release of OpenAM introduces a mechanism to serialize the client side servlet context objects and include them in the remote authentication API XML communications between the client and the server. This will enable authentication modules to work in a standard manner regardless of whether the authentication is running locally or remotely.

This feature is disabled by default.

Why is it turned off by default

There are multiple reasons why this feature is disabled by default.

  • Many existing customers will be using custom authentication modules that work around this limitation by making decisions based on the HttpServletRequest/HttpServletResponse object being null. The behaviour of the custom modules will be effected with this feature enabled.
  • There is a slight performance impact of around 5% of enabling this feature. The overhead comes from the serialization and de-serialization of the servlet context objects. The default OpenAM authentication modules do not use this functionality and therefore this functionality can be safely disabled. 

Customers using custom authentication modules that wish to utilise the client HttpServletRequest/HttpServletResponse objects in their custom authentication modules should enable this feature.

How do I turn it on?

In the AMDistAuthConfig.properties file update the following property to true.

openam.remoteauth.include.reqres=true
  • No labels