Authentication

Financials now uses a new method of customizing user Authentication.  web.xml contains a reference to a Servlet Filter that will delegate filtering to a second Servlet Filter.  The Delegating Authentication Filter is configured using properties so the web.xml file does not need to be modified.  By default, authentication is handled by the DevelopmentLoginFilter.  This filter automatically authenticates the user of the application as a specific user.  The default user is khuntley.  This filter should only be used in development.

Filter customization is done with properties.  You can specify these properties in one of the properties files that are loaded on application startup.  Here is an example of how the default DevelopmentLoginFilter properties are specified:

login.filter.className=org.kuali.kfs.sys.web.filter.DevelopmentLoginFilter
login.filter.param.loginUser=khuntley

These properties would translate to the following web.xml configuration:

<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>org.kuali.kfs.sys.web.filter.DevelopmentLoginFilter</filter-class>
    <init-param>
        <param-name>loginUser</param-name>
        <param-value>khuntley</param-value>
    </init-param>
</filter>

If you need a different login filter, make sure that filter is on the classpath, then specify the filter class name as the value for login.filter.className in a properties file.  You can specify as many login.filter.param properties as needed, and each one will be passed to your authentication filter.

Core Authentication

Financials provides an authentication filter that uses the Kuali Core module for authentication.  If you would like to use this filter, you can specify the following properties in your properties file:

login.filter.className=co.kuali.core.auth.web.CoreAuthenticationFilter
login.filter.param.authConfigurationClass=org.kuali.kfs.sys.web.filter.CoreAuthenticationFilterConfiguration

core.authentication.filter.authBaseUrl=https://domain.kuali.co
core.authentication.filter.secondsToCacheAuthTokenResponse=300

The first two properties specify the filter to use and the source of configuration for the filter.  The second two properties are the configuration for the core authentication filter.  In addition to this configuration, core requires that your Financials installation be:

  • https - The shared cookie from core is a secure only cookie so your application must be accessed via https for authentication to work
  • The same domain - The shared cookie is a domain level cookie so your application must be on the same domain as the core authBaseUrl.  You can accomplish this in development by modifying the hosts file on your development workstation and adding a host name in addition to localhost that is in the proper domain and configuring financials to use that host name.
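A pre-deployment check for the settings described above, written as an added example (it is not part of Financials or Kuali Core).  It flags a configuration that falls back to DevelopmentLoginFilter and checks the https and same-domain requirements for the Core filter.  The function names, the fin.kuali.co host and the rule that the cookie domain is the parent of the authBaseUrl host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEV_FILTER = "org.kuali.kfs.sys.web.filter.DevelopmentLoginFilter"
CORE_FILTER = "co.kuali.core.auth.web.CoreAuthenticationFilter"

# Constructed sample: the Core Authentication properties shown on this page.
SAMPLE_CORE = """\
login.filter.className=co.kuali.core.auth.web.CoreAuthenticationFilter
core.authentication.filter.authBaseUrl=https://domain.kuali.co
"""

def parse_properties(text):
    """Parse plain key=value lines (no continuations or ':' separators)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_auth_config(props, app_url, production=True):
    """Return findings for the login.filter.* and core.authentication.filter.* settings."""
    findings = []
    # Per the page, DevelopmentLoginFilter is what runs when nothing else is configured.
    cls = props.get("login.filter.className", DEV_FILTER)
    if production and cls == DEV_FILTER:
        user = props.get("login.filter.param.loginUser", "khuntley")
        findings.append(f"DevelopmentLoginFilter active: users are auto-authenticated as '{user}'")
    if cls == CORE_FILTER:
        auth = urlsplit(props.get("core.authentication.filter.authBaseUrl", ""))
        app = urlsplit(app_url)
        if auth.scheme != "https":
            findings.append("authBaseUrl is missing or not https")
        if app.scheme != "https":
            findings.append("application URL is not https, so the secure-only cookie is not sent")
        # Assumption: the shared cookie is scoped to the parent domain of the authBaseUrl host.
        cookie_domain = (auth.hostname or "").partition(".")[2]
        host = app.hostname or ""
        if not cookie_domain or not (host == cookie_domain or host.endswith("." + cookie_domain)):
            findings.append(f"application host '{host}' is outside cookie domain '{cookie_domain}'")
    return findings

if __name__ == "__main__":
    for url in ("https://fin.kuali.co", "http://localhost:8080"):  # constructed hosts
        print(url, check_auth_config(parse_properties(SAMPLE_CORE), url))
    print("no properties:", check_auth_config({}, "https://fin.kuali.co"))
```

An empty list means none of the checked conditions was found.  Pass production=False when checking a developer workstation, where DevelopmentLoginFilter is expected.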

REST Authentication

All Financials REST APIs require token authentication. A client sends the token in the HTTP request Authorization header like this:

Authorization: Bearer TOKEN

If the application is configured to use Kuali Core for authentication, the token is validated against Kuali Core.  If the token is valid in Core, the API will run as the user that owns the token.  If it is not valid, the client will receive a 401 error.

If the application is not configured to use Kuali Core, the token is first checked to confirm that it was signed by Financials when it was created.  If it was not, the client will receive a 401 error.  If it is signed properly, a table is checked to make sure the token has not been revoked.  If it has been revoked, the client will receive a 401 error.  If the token passes these tests, the code will run as the owner of the token.

Kuali documentation is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License. 

Kuali software is licensed for use pursuant to the Affero General Public License, version 3.

 Copyright © 2014 Kuali, Inc. All rights reserved. 

Portions of Kuali are copyrighted by other parties as described in the Acknowledgments screen. 

Kuali ® is a registered trademark of the Trustees of Indiana University.
