...
...
In addition to HTTP Basic authentication, Content Gateway supports optional token-based authentication. Token-based authentication works by performing a one-time HTTP Basic authentication request within the Management API or to a special URI path in the Storage API in order to receive a token. This token is then presented on subsequent requests as proof of the user's credentials.
Tokens have the following characteristics:
- They are always owned by the user that creates them except for tokens created by token administrators.
- They expire at a fixed time after creation; default is 24 hours if not specified.
- They may contain an optional S3 secret access key for use with the S3 protocol.
- They may contain optional metadata matching the prefix pattern: `x-custom-meta-*`
- The owner can list and delete their active tokens.
- The token administrators can list and delete any user's active tokens.
Application developers may prefer to make use of the Management API in order to create tenant tokens for storage domains that belong to a tenant. Storage domain tokens are created with the special URI defined by the `tokenPath` IDSYS attribute.
...
See "Qualification of User/Group Names" in the IDSYS Document Format.
Gateway stores all tokens within the administrative domain as objects that automatically expire using the object lifepoint feature. The expiration time of an authentication token can be specified when the token is created. If the time is not specified, a default expiration time will be assigned based on the `tokenTTLHours` parameter in the `[gateway]` section of the gateway.cfg file. If an expired token is presented to Gateway, the request will proceed as an anonymous user subject to all of the normal access control policies. Additionally, the `Set-Cookie` header of the response will instruct the HTTP client to delete its expired token cookie.
To create a new authentication token, POST a blank document to either:
- your storage domain and token path, or
- the Management API path `/_admin/manage/tenants/{tenantName}/tokens/`

...using HTTP Basic authentication to authenticate the request. Requests to the `tokenPath` URI are processed independently from the storage protocol handling, and these instructions work with both SCSP and S3 front-end protocols and with the Management API.
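Because an expired token falls back to anonymous access rather than failing, a client should notice the cookie-deletion instruction and re-authenticate. The following is an added example, not code from the original page or from the Gateway project: it builds the token-creation request described above and checks response `Set-Cookie` headers for a deletion. The cookie name `token`, the host names, and the use of `Max-Age`/`Expires` to signal deletion are assumptions.

```python
import base64
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import quote

TOKEN_COOKIE = "token"  # assumption: placeholder, use the cookie name your Gateway sets


def token_request(base_url, user, password, tenant=None, token_path=None):
    """Return (method, url, headers, body) for a token-creation POST.

    Pass tenant for the Management API path, or token_path for the storage
    domain's tokenPath value (taken from your IDSYS, not guessed here).
    """
    if (tenant is None) == (token_path is None):
        raise ValueError("give exactly one of tenant or token_path")
    if not base_url.lower().startswith("https://"):
        # Basic credentials are only base64-encoded, so refuse cleartext HTTP.
        raise ValueError("Basic credentials must travel over https")
    if tenant is not None:
        path = "/_admin/manage/tenants/%s/tokens/" % quote(tenant, safe="")
    else:
        path = "/" + token_path.strip("/") + "/"
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    headers = {"Authorization": "Basic " + cred, "Content-Length": "0"}
    return "POST", base_url.rstrip("/") + path, headers, b""  # blank document


def token_was_rejected(set_cookie_values, now=None, name=TOKEN_COOKIE):
    """True if a Set-Cookie header tells the client to delete the token cookie,
    meaning the request was evaluated as anonymous, not as the token owner."""
    now = now or datetime.now(timezone.utc)
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        morsel = jar.get(name)
        if morsel is None:
            continue
        max_age = morsel["max-age"]
        if max_age.lstrip("-").isdigit() and int(max_age) <= 0:
            return True  # Max-Age of zero or less deletes the cookie
        if morsel["expires"]:
            when = parsedate_to_datetime(morsel["expires"])
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                return True  # Expires in the past deletes the cookie
    return False
```

Call `token_was_rejected` on every response that carried a token, and treat a `True` result as a signal to discard the token and request a new one instead of trusting the anonymous result.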
Info |
---|
Note: In these examples, HTTP Basic authentication is demonstrated using "Auth: {user}:{password}" for clarity. Use the |
...