Authenticate user, save it and access it for all next requests

security

#1

Hi,

I'm building a custom plugin with XPack and I have created a custom Realm and a custom RolesProvider.
In my logic I want a user to authenticate and then all next requests will be done according to that user (who has specific permissions different from each user that I get by calling an external REST service).

Currently it is possible to do authentication by running:

curl "localhost:9200/_xpack/security/_authenticate" -H "claim-header: $json"

where $json contains the username.
I have overridden the token() method to catch the username and build a proper AuthenticationToken:

    @Override
    public MyToken token(final ThreadContext threadContext) {
        // Called on every request: the realm only sees what this request carries.
        final String json = threadContext.getHeader(HEADER);

        if (Strings.hasText(json)) {
            // Header present: wrap the raw claim so authenticate() can check it.
            return new MyToken(json);
        } else {
            // No header: no token, so this realm cannot authenticate the request.
            return null;
        }
    }

So, when running _authenticate the username is read, but if I make another request without the -H "claim-header: $json" it does not work, and of course I get "missing authentication token for REST request".

I would like to find a way to avoid always passing the -H "claim-header: $json" for all next requests, so is there a way to save the authenticated username (only once until another _authenticate request is made and the username in the header is different from the current one) and then access it in future requests?

Thanks a lot!


(Yogesh Gaikwad) #2

Hi @Uiidoi12,

What you are after is basically session-based authentication to the Elasticsearch server.
We do not maintain any user state on Elasticsearch server so this would not be possible.
/_xpack/security/_authenticate is a REST API (REST applications are stateless), which is mainly used for debugging purposes where you want to see the user information, like roles etc., after authentication.
Hope this helps.

Thanks and Regards,
Yogesh Gaikwad
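The practical consequence of the answer above, as an added example that is not from the original post, from Elastic, or from the poster's plugin: since the server keeps no session, the "remember the user once" part has to live on the client, which stores the claim and attaches it to every request, while the realm re-checks the header on each request. Written in Python rather than the plugin's Java so the flow can be run stand-alone. Assumptions not in the post: the claim is HMAC-signed with a secret shared with the realm (a bare username header, as in the post, could be set by anyone), the header name is the post's claim-header, and the secret and usernames are constructed values.

```python
import base64
import hashlib
import hmac
import json
from urllib.request import Request

# Constructed shared secret. Assumption (not from the post): the realm verifies an
# HMAC over the claim instead of trusting a bare username sent by the client.
REALM_SECRET = b"constructed-demo-secret-do-not-reuse"
HEADER = "claim-header"  # header name from the original post


def sign_claim(username: str, secret: bytes = REALM_SECRET) -> str:
    """Client side: build the claim-header value as base64(json) + '.' + hex MAC."""
    body = json.dumps({"username": username}, separators=(",", ":")).encode()
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + mac


def verify_claim(header, secret: bytes = REALM_SECRET):
    """Server side: what a stateless realm must redo on every single request.

    Mirrors token() in the post: no header means no token and the request is
    rejected. Additionally rejects a header whose MAC does not match, so a
    caller cannot simply assert another username. Returns the username or None.
    """
    if not header or "." not in header:
        return None
    encoded, mac = header.rsplit(".", 1)
    try:
        body = base64.b64decode(encoded, validate=True)
    except ValueError:
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claim = json.loads(body)
        return claim["username"] if isinstance(claim, dict) else None
    except (ValueError, KeyError, TypeError):
        return None


class ClaimSession:
    """Client-side 'session': keeps the signed claim and attaches it to every
    request, so the server never has to remember who authenticated."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        self.username = None
        self.header_value = None

    def login(self, username: str) -> str:
        # Re-sign only when the username changes: the behaviour the question
        # asked for, done on the client instead of on the server.
        if username != self.username:
            self.username = username
            self.header_value = sign_claim(username)
        return self.header_value

    def prepare(self, path: str, method: str = "GET") -> Request:
        """Build a urllib Request carrying the claim header (nothing is sent here)."""
        if self.header_value is None:
            raise RuntimeError("call login() before making requests")
        return Request(self.base_url + path, method=method,
                       headers={HEADER: self.header_value})


def realm_view(session: ClaimSession, paths):
    """Replay a sequence of requests through verify_claim() and return the
    username the realm would see for each one (urllib capitalises header names)."""
    return [verify_claim(session.prepare(p).get_header(HEADER.capitalize()))
            for p in paths]


def missing_header_result():
    """The failing case from the post: a request built without claim-header."""
    bare = Request("http://localhost:9200/_cluster/health")
    return verify_claim(bare.get_header(HEADER.capitalize()))  # None -> rejected
```

Every call to `verify_claim()` is independent of the previous one, which is exactly the statelessness the answer describes; the only state is the header value cached in `ClaimSession`, and changing the username there replaces it for all later requests.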


(system) closed #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.