Edge Device Authenticator Extension Example
The example below illustrates how an edge device authenticator extension can be developed to use security claims that are submitted from the edge.
This example does the following:
• Extends the SecurityClaimsAuthenticator class from the ThingWorx Platform API to implement custom processing logic within the matchesAuthRequest and authenticate methods.
• Within the matchesAuthRequest method:
◦ The incoming security claims are checked to see if they contain a secretTokenKey claim.
◦ If the claims do contain a secretTokenKey claim, the method returns true to the platform, indicating that this authenticator should be used to validate the security claims.
• Within the authenticate method:
◦ Obtains the secretTokenKey.
◦ If the secretTokenKey is not null and not empty and its value matches the expected value of MySecretKey, the method returns the value of whoTheySaidTheyWere, which is a user.
◦ If the supplied user exists, they are authenticated on the ThingWorx Platform.
package your.company.thingworx.authenticator;
import com.thingworx.communications.common.SecurityClaims;
import com.thingworx.security.authentication.AuthenticatorException;
import com.thingworx.security.authentication.SecurityClaimsAuthenticator;
/**
* Custom edge security authenticators are based around the "SecurityClaims"
* class. This class is at its essence a wrapper around a map. To use the
* map, one provides
*/
public class CustomEdgeAuthenticator extends SecurityClaimsAuthenticator {
private static final long serialVersionUID = 1L;
/**
* The matchesAuthRequest method is the indicator that this
* authenticator should be used to verify the SecurityClaims object
* presented. This method allows the author to make a determination
* about the claims provided by inspecting the information therein and
* decide if this authenticator
* should be used to try to verify the claims provided or not.
*
* @param SecurityClaims object containing the corresponding security
* information @return boolean indicating the authenticator should be
* used to verify the SecurityClaims provided
*/
@Override
public boolean matchesAuthRequest(SecurityClaims securityClaims) throws
AuthenticatorException {
//in this simple implementation we are looking for a 'secretTokenKey'
//claim. If one is present in the securityClaims object supplied -
//this SecurityClaimsAuthenticator should be used
return securityClaims.getClaims().containsKey("secretTokenKey");
}
/**
* This is the method that must be implemented to ensure the presented
* SecurityClaims are valid.
*
* @param SecurityClaims object containing the corresponding security
* information @return String indicating the corresponding user identity
* which the SecurityClaims represent.
*/
@Override
public String authenticate(SecurityClaims securityClaims) throws
AuthenticatorException {
String secretTokenValue = securityClaims.getClaims().get
("secretTokenKey");
if(secretTokenValue != null && secretTokenValue.trim().length() > 0)
{
//the secretTokenValue was provided - verify it is the proper
value!
if("MySecretKey".equals(secretTokenValue)) {
//Only when all these checks are complete will we consider
// the auth request to be valid. Here we have permitted the
// user to tell the platform "who" they are via the
// SecurityClaims
//This is a naieve example - and is for illustrative
// purposes only.
return securityClaims.getClaims().get("whoTheySaidTheyWere");
}
}
//throw a generic exception - and do not leak important information
//to the caller
throw new AuthenticatorException("The claims provided are incorrect");
}
}