View source | Discuss this page | Page history | Printable version   




In context of Openbravo Authentication is the act verifying a Users' identity. This can be done by asking for Username & Password and verify it against the built-in AD_User table or any other mechanism.

The process of Authorization which is to determine which actions (like opening a specific window, or launching a process) a user then is allowed to do is a separate topic and not scope of this article.

How authentication works in Openbravo ERP

When a user wants to gain access to an Openbravo ERP resource. Openbravo ERP asks to the authentication manager the application User Id of the user that request access to the Openbravo ERP resource. If the user has not been authenticated before the authentication provider has the responsibility of authenticating this user.

The following describes the flow of events happening when using the DefaultAuthenticationManager:

Note that this only described the flow of events when using the DefaultAuthenticationManager. Any other implementation may implement this different by i.e. not using the standard Openbravo Login-page at all or using another mechanism to mark the HTTP-Session as authenticated.

How to configure the authentication manager in Openbravo ERP

The authentication manager used in Openbravo ERP is defined in the configuration file In the property authentication.class you have to write the class name of the authentication provider that Openbravo will use for this purpose.

Openbravo includes three AuthenticationManager implementations:

Default Authentication Manager

This is the default authentication manager provided by Openbravo. It is the classic authentication method that uses the Openbravo current login page to authenticate users.

After installing Openbravo ERP you do not need to configure anything if you want to use this authentication manager that is the classic method Openbravo authenticates application users.

Getting Authentication Manager

Bulbgraph.png   Available from 3.0MP7

To obtain an instance of the Authentication Manager defined in the, it is possible to use the AuthenticationManager.getAuthenticationManager method.

Develop your own Authentication Manager

Bulbgraph.png   This implementation is available from 3.0MP7. From 3.0MP4 to 3.0MP6, the same is valid but web service implementation is not present in AuthenticationManager. For versions previous to 3.0MP4, AuthenticationManager was an interface, check here how it worked.

You can also develop your own Authentication manager. To do this you have to create a new java class that extends the abstract class org.openbravo.authentication.AuthenticationManager. This interface has the following methods:

  public void init(HttpServlet s) throws AuthenticationException;
  public final String authenticate(HttpServletRequest request, HttpServletResponse response)
      throws AuthenticationException, ServletException, IOException
  public final String webServiceAuthenticate(HttpServletRequest request)
      throws AuthenticationException
  public final String webServiceAuthenticate(String user, String password)
      throws AuthenticationException
  public final String connectorAuthenticate(HttpServletRequest request)
      throws AuthenticationException
  public final String connectorAuthenticate(String user, String password)
      throws AuthenticationException
  protected abstract String doAuthenticate(HttpServletRequest request, HttpServletResponse response)
      throws AuthenticationException, ServletException, IOException
  protected String doWebServiceAuthenticate(HttpServletRequest request)
  protected String doWebServiceAuthenticate(String user, String password)
  public final void logout(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException
  protected abstract void doLogout(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException

The method init is called after the class is instantiated. It can be used to read the configuration parameters of the authentication manager if needed.

The method authenticate is called for each single request done which requires authentication. It invokes the abstract doAuthenticate method which if this request is authenticated, must the return the userid of the authenticated user. This id must be a valid ad_user_id of a existing entry in the AD_User table.

Otherwise the method must perform the needed steps to acquire some authentication and then return null' as return-value for the function. Usually this consists of redirecting the user to some kind of Login-Page and asking for credentials. After these have been verified the authenticate method will be called again for the next request an now will succeed and return the userId as described above.

The method logout is called when the user requests to close the current session. This method invokes the abstract doLogout. The work expected to be done by the authentication manager is to invalidate the existing session and redirect the user to a page where a new login page be done.

Bulbgraph.png   Starting from 3.0PR18Q1.4 AuthenticationManagers where authentication page is served outside Openbravo code, for example from a Single Sign On service, must override useExternalLoginPage method, returning true.
Bulbgraph.png   Note for implementation: The authenticate method is always called with DAL adminMode being active, so code inside it does not need to manage the adminMode on its own.

Web Services and Connectors

Bulbgraph.png   All external authenticated services must make use of webServiceAuthenticate authentication. Authorized Connectors can use connectorAuthenticate.

Web Service authentication invokes webServiceAuthenticate and connectors invoke connectorAuthenticate, both of them call doWebServiceAuthenticate. This method is implemented to do standard authenitcation, it first looks whether user (l) and password (p) are sent as request parameters, if not basic authentication is performed. doWebServiceAuthenticate method can be implemented by authentication managers in case different authentication is needed.

webServiceAuthenticate and connectorAuthenticate are overloaded to accept both HttpServletRequest parameter (default one) or String, String parameters. This second one, should be used by other services where the default one is not suitable, this ones receives user and password parameters.

Authentication with an External Authentication Provider

Bulbgraph.png   This feature is available starting from 23Q4.

To authenticate with an external authentication provider, the provider configuration must be created, as system administrator, in the Authentication Provider Configuration window. In the header the following fields should be populated:


OpenID Authentication

If the selected type in the header is OpenID then the OpenID subtab is displayed, allowing to configure the specific OpenID settings required by the external authentication provider:


Note there can only be one active record in the OpenID subtab per configuration.

Bulbgraph.png   For the OpenID authentication it is expected that the e-mail is used to identify the user in the external authentication provider, so the e-mail provided in the authentication must be the e-mail of the Openbravo User that is accessing into the application.

Login Page

Once configured the login page will display one button per active configuration.


Additional Topics

Retrieved from ""

This page has been accessed 15,819 times. This page was last modified on 26 July 2023, at 15:01. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.