Handling server webservice calls

In modern applications, web application may need to request some other web applications on behalf of the authenticated users. There are three ways to do this:

  • the Ugly : provide to all applications the SSO cookie. Not secured because the SSO cookie can be caught and used everywhere, every time by everyone!!! NOT RECOMMENDED.
  • the Bad (Secure Token Handler) : Deprecated. Can be used in specific cases
  • the Good (Service Token Handler): See below ! (Thanks Sergio…)

The “Bad” method consists to give the token (cookie value) to webapp1 which uses it as cookie header in its request. Since 2.0 version, LL::NG gives a better way (the Good !) to do this by using limited scope tokens.

Tokens are time limited (30 seconds) and URL restricted (three max).


Webapp1 handler configuration

Insert a header filled with this value:

token( $_session_id, 'webapp2.example.com', 'webapp3.example.com' )

Webapp1 can read this header and use it in its requests by setting the X-Llng-Token header. The token is built using the session ID and the authorized virtualhosts list. The token is only available during 30 seconds and for the specified virtualhosts.

Webapp2 handler configuration

Change handler type to “ServiceToken”. So it is able to manage both user and server connections. And that's all !