Authentication filters

An authentication filter specifies how a request for application resources is authenticated. You can set authentication filters to secure different types of HTTP servlet requests with different authentication mechanisms, such as SPNEGO or JSON Web Tokens.

Authentication mechanisms in Open Liberty are managed by the server configuration. In an application where different kinds of protected resources require different authentication mechanisms, authentication filters can control how authentication is managed for each resource. You can configure authentication filters in your server.xml file to look for different characteristics of a request, such as URL pattern, IP address, domain name, browser type, and more.

For example, in a banking application, resources for customers might be accessible through social media login while resources for administrators are secured by SPNEGO. In that case, you can configure an authentication filter to secure requests that contain the /mywebapp URL pattern with social media login. You can set another authentication filter to secure requests that contain the /EmployeeRoleServlet URL pattern with SPNEGO.

Open Liberty supports authentication filters for various authentication mechanisms, including JSON Web Tokens, Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), and Social Media Login.

For example, you can configure an authentication filter for the Social Media Login feature to secure requests from a web application with Google credentials. In the following example, request URLs that contain the /mywebapp pattern are authenticated by using Google credentials:

<googleLogin authFilterRef="authFilter1" clientId="your app id" clientSecret="your app secret" />

<authFilter id="authFilter1">
    <requestUrl
        id="myUrlFilter"
        urlPattern="/mywebapp"
        matchType="contains" />
</authFilter>

You can also specify a pipe-separated list of values in a filter. In the following example, the filter lists several web applications. For a request to be processed by the authentication mechanism that references this filter, the request must target one of the myApp1, myApp2, or myApp3 applications.

<authFilter id="myAuthFilter">
    <webApp id="myWebApp" name="myApp1|myApp2|myApp3" matchType="contains"/>
</authFilter>
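The banking scenario described earlier, with customer resources under /mywebapp secured by Google login and administrator resources under /EmployeeRoleServlet secured by SPNEGO, as server.xml configuration. This is an added example, not taken from the Open Liberty documentation; the client ID, client secret and element ids are constructed placeholders, and the SPNEGO element is shown with only its authFilterRef attribute, so the Kerberos settings the feature needs are assumed to be configured elsewhere.

```xml
<server description="Constructed authentication filter example, not from the original page">
    <featureManager>
        <feature>socialLogin-1.0</feature>
        <feature>spnego-1.0</feature>
    </featureManager>

    <!-- Customer-facing resources: Google login, applied only to requests
         that pass customerFilter. Replace the placeholder credentials. -->
    <googleLogin authFilterRef="customerFilter"
                 clientId="PLACEHOLDER_CLIENT_ID"
                 clientSecret="PLACEHOLDER_CLIENT_SECRET" />

    <!-- Administrator resources: SPNEGO, applied only to requests
         that pass adminFilter (Kerberos settings omitted here). -->
    <spnego authFilterRef="adminFilter" />

    <!-- Matches requests whose URL contains /mywebapp -->
    <authFilter id="customerFilter">
        <requestUrl id="customerUrl"
                    urlPattern="/mywebapp"
                    matchType="contains" />
    </authFilter>

    <!-- Matches requests whose URL contains /EmployeeRoleServlet -->
    <authFilter id="adminFilter">
        <requestUrl id="adminUrl"
                    urlPattern="/EmployeeRoleServlet"
                    matchType="contains" />
    </authFilter>
</server>
```

Because matchType="contains" matches the pattern anywhere in the request URL, check that the two patterns cannot both appear in one URL; if they could, use a more specific pattern so that a request is never eligible for the weaker mechanism by accident.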

For more information, see the authFilter element documentation.