This TechNote describes the enhancement to the remote authentication API that enables the Servlet context objects on the client to be transferred to the server as part of the authentication process. This feature is off by default.
In previous versions of OpenSSO/OpenAM, the remote authentication API did not have a method to transfer the following objects from the client to the server.
On the OpenAM server, authentication modules can make use of these objects via the getHttpServletResponse methods in the AMLoginModule class. When the Authentication UI is used on the server, the correct objects are returned to the authentication module. When the Distributed Authentication UI is used, these methods will return either null or invalid objects.
This release of OpenAM introduces a mechanism to serialize the client-side servlet context objects and include them in the remote authentication API XML communications between the client and the server. This enables authentication modules to work in a standard manner regardless of whether the authentication is running locally or remotely.
This feature is disabled by default.
Why is it turned off by default?
There are multiple reasons why this feature is disabled by default.
- Many existing customers will be using custom authentication modules that work around this limitation by making decisions based on the HttpServletResponse object being null. The behaviour of these custom modules will be affected when this feature is enabled.
- Enabling this feature has a slight performance impact of around 5%. The overhead comes from the serialization and de-serialization of the servlet context objects. The default OpenAM authentication modules do not use this functionality, and therefore it can be safely disabled.
Customers using custom authentication modules who wish to utilise the client HttpServletResponse objects in those modules should enable this feature.
How do I turn it on?
AMDistAuthConfig.properties file update the following property to