Sending login/logout requests to the server
Auth Handler
Preliminaries
This note describes how the server handles POST requests to login and logout of the Role Based Access Control mechanism.
Users can login to the website using the services of the built-in "rwserve-rbac-auth" plugin. This handler expects requests to be sent with a POST
method.
Webmasters should either create their own form-based page to act as a front-end user interface for this handler, or use AJAX to manage the request/response cycle.
Requests sent to the handler must have a content-type of application/x-www-form-urlencoded
. The form's payload includes four possible URL-encoded values: action
, user
, password
and location
.
Action should be either "login"
or "logout"
.
Login Request
When processing the login action, the handler applies the server's standard SHA256 hashing algorithm, as outlined in the note regarding user accounts. The handler accepts or rejects the login request based on successful comparison of the caclulated shaDigest
against the user's previously stored shaDigest
.
Requests that are accepted return a set-cookie
response header, which instructs the browser to create and store a session cookie under the identifier rw-rbac
. All subsequent requests from the browser will send that cookie back to the server for use by the RBAC handler.
The contents of the rw-rbac
cookie are the roles assigned to the user, in an encrypted form. Refer to the separate note regarding Stateful Roles for a detailed description of how this cookie is secured against bad actors.
Logout Request
When processing the logout action, the handler simply sends a new set-cookie
response header with an rw-rbac
identifier and an empty string. This instructs the browser to remove the cookie which effectively prevents further access to protected resources.
The logout action does not use, and will ignore, any user
and password
sent with the request.
HTML Forms
In these two examples, the POST form's "action"
attribute points to the path /login-logout
, which is not a real location; rather, this path is configured by the webmaster to point to a virtual resource path. See the examples below, and refer to the note pertaining to the Router, for detailed instructions on how it works.
Here is what a properly crafted HTML login form should look like:
<form method="POST" action="/login-logout">
<input type="hidden" name="action" value="login">
<input type="text" name="user">
<input type="password" name="password">
<input type="hidden" name="location" value="https://example.com/welcome">
<input type="submit" value="Login">
</form>
Here is what a properly crafted HTML logout form should look like:
<form method="POST" action="/login-logout">
<input type="hidden" name="action" value="logout">
<input type="hidden" name="location" value="https://example.com/bye-bye">
<input type="submit" value="Logout">
</form>
Information Headers
The login request may fail for several reasons. Appropriate status codes and information headers are returned as follows:
Triggering event | Status code | Information header |
---|---|---|
Not using a POST method | 405 | rw-rbac-unsupported-method |
Not using application/x-www-form-urlencoded | 415 | rw-rbac-unsupported-content-type |
Action not "login" or "logout" | 400 | rw-rbac-unsupported-action |
The "user" and "password" were not provided | 400 | rw-rbac-missing-credentials |
shaDigest does not match roles file | 403 | rw-rbac-forbidden |
Unable to access the roles file | 500 | rw-rbac-internal-error |
Status codes
Successful login and logout requests return a status code of either 204
or 303
. For both the login and logout actions, the optional location
form value may be supplied. It should contain a path (including the https://
scheme) pointing to the web page to be displayed after a successful action. If provided, the server will respond with status code 303
and a location
header, instructing the browser to issue a new request to that other web page. If not provided, the server will respond with status code 204
, and the webmaster will be responsible for providing some type of browser-side script to determine how to proceed.
Configuration
Here is a partial configuration showing just the entries used by the RBAC-Auth handler. A more complete example is provided in the note that covers the RBAC handler itself.
host {
modules {
rbac on
}
plugins {
router {
`/login-logout` *methods=POST *plugin='rwserve-rbac-auth'
}
}
rbac {
roles `/etc/rwserve/roles` // the file created by the 'addrole' CLI utility
cipher-secret C#9fB$2gD@5zR*7e // secret used to encrypt the 'rw-roles' cookie
max-idle 1800 // number of seconds of inactivity before credentials expire
}
}
Review
Key points to remember:
- RBAC login/logout uses
POST
with content-typeapplication/x-www-form-urlencoded
. - Forms are designed by the webmaster.
- The handler's virtual resource location is configured in the
router
section.