The /ebx-authentication servlet is the central point handling the user authentication in EBX®. Its role is to:
Create an authorization token when the user logs in for the first time.
Revoke the authorization token when the user logs out.
Redirect the authorized user to the appropriate page.
Furthermore, depending on the configuration, it can also:
Handle the login process by displaying a login screen.
Redirect the unauthorized user to a custom login screen.
Redirect the user logging out to a custom exit page.
When the /ebx-authentication servlet successfully authenticates a user, it creates a token containing the authentication information and stores it in a session cookie.
This means that the authorization is shared between all the browser tabs:
If the user is already authenticated on a browser tab and opens EBX® on another tab, it will not be asked to authenticate again.
It is not possible to be logged with different users in different tabs of the same browser.
The cookie containing the token has the following properties:
| Not customizable. The cookie can't be read by javascript code in the browser. |
| Customizable via the property |
| Customizable via the property |
By default, EBX® uses a built-in directory and built-in login page. It is strongly recommended to replace the built-in directory by a custom one.
While EBX® provides a built-in directory, it is strongly recommended to replace it:
Create a class overriding Directory
Create a class overriding DirectoryFactory
Use the property ebx.directory.factory in ebx.properties to declare the factory.
While EBX® provides a built-in login page, it is possible to replace it. To do so, use the property ebx.security.loginPage.url in ebx.properties to declare the custom login page.
It is up to the custom login page to authenticate the user. Once the user is authenticated, he should be redirected to the /ebx-authentication/login page. Then, EBX® will call the Directory.authenticateUserFromHttpRequest method before creating an authorization token. The following points are required for this to work:
The request pointing to /ebx-authentication/login should contain enough information to authenticate the user, for instance in a cookie, a HTTP header or a query parameter.
The directory must be overridden (see Customizing the directory) and the implementation of the Directory.authenticateUserFromHttpRequest method should read the information from the incoming request in order to return the appropriate UserReference.
When EBX® redirects the user to the custom login page, it also adds a resume query parameter to the URL. This resume query parameter contains an URL pointing to /ebx-authentication/login with some additional parameters and should be used in priority to redirect the user to /ebx-authentication/login after the authentication succeeds.