Authentication challenge based on user agent
WebSEAL provides a mechanism that allows the authentication challenge type to be selected based on the User-Agent header of a client requesting a protected resource. This mechanism allows for tight integration and fine-grained control over how different clients can authenticate to WebSEAL.
Each authentication type, as specified by the auth-challenge-type configuration entry, can be qualified with a set of rules. These rules define the user agent strings that are included in or excluded from each authentication type.
For example: auth-challenge-type = [-msie*; +ms*]ba, [+mozilla*; +msie]forms, eai
Based on the configuration example, WebSEAL:
- Does not return a basic authentication challenge to user agent strings beginning with msie, but does return a basic authentication challenge to other user agents beginning with ms.
- Returns a forms-based authentication challenge to user agents beginning with mozilla or msie.
- Returns an EAI authentication challenge to any user agent.
| User agent string | Authentication challenges |
|---|---|
| msie | forms, eai |
| ms_office_word | ba, eai |
| mozilla | forms, eai |
| chrome | eai |
Rule Syntax
Each authentication challenge type can be defined only once in the auth-challenge-type string. The rules, enclosed in square brackets, precede the authentication type; multiple patterns within the brackets are separated by semicolons. A plus (+) or minus (-) character at the start of a pattern indicates whether that challenge type is included or excluded, respectively, for user agent strings matching the pattern.
A pattern can contain alphanumeric characters, spaces, periods, and the wildcard characters question mark (?) and asterisk (*).
When WebSEAL evaluates these rules against the user agent, the first rule whose pattern matches the user agent string is applied. Any later rules for that authentication type are ignored, even if they would also match. WebSEAL performs these evaluations in the order in which the rules are defined.
An authentication type with no defined rule set will match any user agent string.
If you do not want an authentication type to match any user agent string, qualify that authentication challenge type with a negative wildcard rule, such as [-*]ba. The authentication challenge based on user agent functionality must not be used as a security or enforcement measure: the User-Agent header is supplied by the client and can be set to any value, so these rules only select which challenge is presented and never restrict who can authenticate.
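The rule evaluation described above, as an added example that models the documented semantics in Python (this is not WebSEAL's own parser; case-sensitive matching of the User-Agent string and the comma as the separator between challenge types are assumptions):

```python
import fnmatch
import re

# The example configuration from this page (constructed input, not read from WebSEAL).
EXAMPLE_CONFIG = "[-msie*; +ms*]ba, [+mozilla*; +msie]forms, eai"

# One entry: optional "[rule; rule; ...]" followed by the challenge type name.
ENTRY_RE = re.compile(r"^\s*(?:\[(?P<rules>[^\]]*)\])?\s*(?P<type>\w+)\s*$")


def parse_auth_challenge_type(value):
    """Return [(challenge_type, [(include, pattern), ...]), ...] in configuration order.

    Patterns may contain alphanumerics, spaces, periods, '?' and '*', but never
    ',' or ';', so splitting on those separators is safe (assumed comma between types).
    """
    parsed = []
    for entry in value.split(","):
        match = ENTRY_RE.match(entry)
        if not match:
            raise ValueError(f"malformed auth-challenge-type entry: {entry!r}")
        rules = []
        for rule in (match.group("rules") or "").split(";"):
            rule = rule.strip()
            if not rule:
                continue
            if rule[0] not in "+-":
                raise ValueError(f"rule must start with + or -: {rule!r}")
            rules.append((rule[0] == "+", rule[1:].strip()))
        parsed.append((match.group("type"), rules))
    return parsed


def challenges_for(user_agent, config=EXAMPLE_CONFIG):
    """Return the challenge types offered to user_agent, in configuration order."""
    offered = []
    for ctype, rules in parse_auth_challenge_type(config):
        if not rules:  # no rule set: the type matches any user agent string
            offered.append(ctype)
            continue
        for include, pattern in rules:  # first matching pattern wins; the rest are ignored
            if fnmatch.fnmatchcase(user_agent, pattern):  # case-sensitive matching is an assumption
                if include:
                    offered.append(ctype)
                break
    return offered


if __name__ == "__main__":
    for agent in ("msie", "ms_office_word", "mozilla", "chrome"):
        print(f"{agent:16} {', '.join(challenges_for(agent))}")
```

Because the first matching rule wins, `[-msie*; +ms*]ba` must list the exclusion before the broader `+ms*` pattern; reversing the order would offer basic authentication to msie as well.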