There are many use cases where the authentication options supported by TIBCO Spotfire® need to be customized. For example, Spotfire may be embedded into a portal or other web application and the authentication needs to be passed from the portal to TIBCO Spotfire, or a company may have internal web application security standards that require Single Sign-On to all web applications, including TIBCO Spotfire. Spotfire supports these scenarios via external and custom authentication.
- Server Platform API Reference
- Article with attached PDF document that describes custom authentication and the main changes from TIBCO Spotfire 7.0 and earlier versions to TIBCO Spotfire 7.5 and later versions.
- External Authentication section in the server manual.
- How to create a custom login page
- Extending TIBCO Spotfire - overview of the different extension and customization options that the Spotfire platform provides.
Spotfire Server API - custom authentication
The Spotfire Server API provides several options for custom authentication. Which one to choose depends on the use case.
PostAuthenticationFilter
A PostAuthenticationFilter may be used if the user identity can be established through some built-in authentication method and all that is needed is some additional verification (for example, to impose restrictions on the IP address of the client). It may also be used for performing additional logging or to set up group memberships using the UserDirectory API. For more details, see Configure a custom PostAuthenticationFilter in TIBCO Spotfire® Server.
Custom JAAS Login Module
A custom JAAS Login Module may be used if the authentication is based on username/password but the built-in options for verifying such (database, LDAP and Windows domain controller) are insufficient.
Custom Login Page
If the authentication is based on username/password but some additional information needs to be collected from the user and verified or logged, a custom login page can be combined with a PostAuthenticationFilter (and possibly a custom JAAS Login Module).
CustomAuthenticator
A CustomAuthenticator is a suitable option when the user identity can be retrieved from an HTTP header or similar but the built-in functionality for retrieving it is not sufficient - for example if the header contains a token that must be validated against some external service to establish the user identity. It has access to headers, cookies and attributes and may perform more advanced forms of validation and/or transformation.
CustomWebAuthenticator
A CustomWebAuthenticator should be used for web-based authentication flows (based on OAuth2 or similar) where the user is redirected to some external identity provider and then redirected back to the Spotfire Server. This option can be combined with username/password based authentication and/or OpenID Connect.
The example code is intended to show how various custom authentication components interact with the Spotfire Server. It is not intended to illustrate any best practices for secure coding. In fact, some parts of the code have intentionally been simplified in a way that contradicts secure coding practices. The examples should therefore not be used in production. The example code can be found in the attached zip file.
JwtCustomAuthenticator example
The first example, JwtCustomAuthenticator, shows a typical use of the CustomAuthenticator API - it retrieves the user identity from a signed JWT provided as a cookie.
When the Spotfire Server is configured to use external authentication, it can extract the user identities from request attributes, HTTP headers or HTTP cookies. In those cases, no custom components are required. The only prerequisite is to enable external authentication on the server and to configure which external authentication source to use: attributes, headers or cookies. How to use external authentication with any of those sources is described in the Spotfire Server manual. For more advanced scenarios the CustomAuthenticator API can be used (as shown in the example).
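The checks a CustomAuthenticator has to perform before it trusts an identity carried in a JWT cookie are language-independent, so they are shown here in Python rather than against the Spotfire Java API. This is an added illustration, not code from the attached zip or from TIBCO: the cookie name, the shared HMAC key and the HS256-only policy are assumptions, and the Spotfire-specific plumbing (the CustomAuthenticator interface itself) is left out. Unlike the article's deliberately simplified example, this version rejects tokens whose header asks for a different algorithm, whose signature does not verify, or which have expired.

```python
"""Validate a signed JWT taken from a cookie and return the asserted user.

Illustration of the CustomAuthenticator use case, stdlib only, HS256 only.
Not Spotfire API code.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

COOKIE_NAME = "spotfire_auth"            # assumed cookie name, not from the article
SHARED_SECRET = b"example-shared-secret"  # constructed for the demo; a real key would be longer and random


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token the way the trusted portal would. Only used here to build sample input;
    alg="none" produces the unsigned token an attacker might try."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url(sig)}"


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pick one cookie out of a Cookie request header."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def identity_from_cookie(cookie_header: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the user name asserted by the JWT cookie, or None if the token must not be trusted."""
    now = time.time() if now is None else now
    token = cookie_value(cookie_header, COOKIE_NAME)
    if token is None or token.count(".") != 2:
        return None
    h64, p64, s64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the verifier decides how to check, never the token ("none", RS256 confusion, ...).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Reject expired tokens and tokens without an expiry at all.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None
```

Everything after the signature check (the exp claim, the subject) is only read once the signature has been verified with a fixed algorithm, because claims in an unverified token are attacker-controlled input. In a real deployment the key would be provisioned to the server out of band and the subject mapped through the UserDirectory API rather than returned as a raw string.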
CustomWebAuthenticator example with an identity provider service
The second example is slightly more complicated than the JwtCustomAuthenticator example. It consists of two components: a Custom Web Authenticator named IdentityProviderCustomWebAuthenticator and an identity provider service named IdentityProviderServlet.
The IdentityProviderCustomWebAuthenticator component is deployed in the Spotfire Server, while the IdentityProviderServlet component must be deployed in a separate web application, typically hosted by a separate Servlet container. The Spotfire Server redirects the browser client to the identity provider service, which displays an HTML login form, prompting the user for a username and a password. The entered credentials are validated against a file-based user-and-password database. If the credentials are incorrect, the same HTML login form is displayed again with an error message. If the credentials are correct, the browser client is redirected back to the Return Endpoint on the Spotfire Server, with an authentication token appended as a query parameter. The Custom Web Authenticator validates the authentication token using the identity provider's validation service and extracts the user metadata from the validation response.
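The redirect flow just described involves two parties, and the security of it rests on what the return endpoint does with the token it receives. The following added example, written for this page and not taken from the attached zip or from TIBCO, collapses both halves into one Python process: an identity provider that validates a form login and issues a token, and the Spotfire-side return endpoint that redeems it through the provider's validation service. The user database, the token lifetime, the return URL and the e-mail metadata are constructed assumptions. It goes a little beyond the article's example in two ways a practitioner would want: passwords are stored as salted PBKDF2 hashes instead of clear text, and because the token travels in a URL query parameter (where it ends up in browser history and server logs) it is short-lived and consumed on first validation.

```python
"""Identity-provider redirect flow: form login, token in the return URL,
back-channel validation. Both sides in one process for illustration.
Not Spotfire API code; the CustomWebAuthenticator plumbing is left out.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 60  # assumed lifetime; the article does not specify one


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """Stand-in for IdentityProviderServlet: login form handler plus validation service."""

    def __init__(self, users: Dict[str, str]):
        # Constructed user database. Store salt + hash, never the clear-text password.
        self._users: Dict[str, tuple] = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _pbkdf2(password, salt))
        self._tokens: Dict[str, dict] = {}  # issued tokens awaiting redemption

    def login(self, username: str, password: str, return_url: str, now: Optional[float] = None) -> dict:
        """POST handler for the HTML login form. Returns either a redirect back to
        Spotfire with the token appended as a query parameter, or the form again."""
        now = time.time() if now is None else now
        record = self._users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = record if record else (bytes(16), bytes(32))
        ok = record is not None and secrets.compare_digest(_pbkdf2(password, salt), stored)
        if not ok:
            return {"action": "show_form", "error": "Invalid username or password"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": username,
            "email": f"{username}@example.com",  # constructed metadata
            "exp": now + TOKEN_TTL_SECONDS,
        }
        return {"action": "redirect", "location": f"{return_url}?{urlencode({'token': token})}"}

    def validate(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Validation service: a token is good exactly once, and only before it expires."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # single use: redeeming consumes the token
        if entry is None or now >= entry["exp"]:
            return None
        return {"user": entry["user"], "email": entry["email"]}


class ReturnEndpoint:
    """Spotfire-side half: what the CustomWebAuthenticator does when the browser comes back."""

    def __init__(self, idp: IdentityProvider):
        self._idp = idp

    def authenticate(self, request_url: str, now: Optional[float] = None) -> Optional[dict]:
        """Extract the token from the return URL and redeem it. The identity comes
        only from the validation response, never from anything in the URL itself."""
        token = parse_qs(urlparse(request_url).query).get("token", [None])[0]
        if not token:
            return None
        return self._idp.validate(token, now)
```

Replaying a captured return URL fails at the validation step because the token has already been consumed, and a token sitting in a log file for longer than the TTL is equally useless. A real identity provider would additionally bind the token to the pending browser session (for example through a state parameter) so that a token issued to one user cannot be injected into another user's return request.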