
Implementing authentication for a connector

You can use AWS IAM Roles Anywhere, the Connector SDK, the three classes (NetworkAuthenticator, NetworkAuthenticatorContext, and NetworkAuthenticatorConnector), and the companion Javadocs to implement authentication for a connector.

AWS IAM Roles Anywhere authentication settings

info

AWS IAM Roles Anywhere relies on public key infrastructure (PKI) to establish trust between an AWS account and a certificate authority (CA), both belonging to the customer. The CA issues X.509 certificates, which your SDK connector can use to get temporary credentials to operate on the AWS service. The temporary credentials are valid for a bounded period of time configured by the user, and they are cached for reuse across connectors that use the same connection component and across consecutive process executions. The connector handles the renewal after the credentials expire.

Authentication Type - Select the authentication type to connect to the service, either via your access keys or AWS IAM Roles Anywhere. When using access keys, provide both an access key ID and a secret access key. When using AWS IAM Roles Anywhere, provide trusted X.509 certificates and the service configuration data required to validate the trust and obtain temporary security credentials. Access keys is the default authentication method.

Profile ARN - Enter the Amazon Resource Name (ARN) of the profile.

Role ARN - Enter the Amazon Resource Name (ARN) of the role to assume.

Trust Anchor ARN - Enter the Amazon Resource Name (ARN) of the trust anchor.

AWS Roles Anywhere Region - Select the AWS Region associated with your AWS IAM Roles Anywhere service. If your region is not included in the drop-down options, you can enter it in AWS Roles Anywhere Custom Region. The default value is 'us-east-1'.

AWS Roles Anywhere Custom Region - Enter the AWS Region in which your AWS IAM Roles Anywhere service resides. You must enter the value in all lowercase using dashes; for example, us-east-2. If it is defined, the connection uses this value and ignores the selection in the AWS Roles Anywhere Region drop-down.

Session name - Enter a name for the role session. This field is mandatory and can be any value.

Duration (in seconds) - Enter the duration of the role session in seconds. The value specified can range from 900 seconds (15 minutes) up to 3600 seconds (1 hour).

note

The connector considers credentials with less than 60 seconds of lifetime expired and will retrieve a new set. This mitigates potential 401 errors that can occur when temporary credentials expire right after being retrieved from the cache.

Public certificate - Select the client certificate issued by the trusted CA to authenticate and receive temporary credentials from AWS IAM Roles Anywhere.

Private key - Select the private key associated with the client certificate to authenticate and receive temporary credentials from AWS IAM Roles Anywhere.
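
The 60-second expiry margin described in the note above can be pictured as follows. This is an added illustration, not Boomi's connector code: the class name SessionCredentialCache, its Session holder and the fetcher callback (a stand-in for the call to AWS IAM Roles Anywhere) are hypothetical, and the session is kept in memory only.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.function.IntFunction;

// Added illustration of the expiry margin; not Boomi's connector code.
public final class SessionCredentialCache<C> {

    /** Temporary credentials together with their expiration instant. */
    public static final class Session<C> {
        final C credentials;
        final Instant expiresAt;

        public Session(C credentials, Instant expiresAt) {
            this.credentials = credentials;
            this.expiresAt = expiresAt;
        }
    }

    // Credentials with less than 60 seconds of lifetime left count as expired.
    private static final Duration EXPIRY_MARGIN = Duration.ofSeconds(60);

    private final int durationSeconds;
    private final IntFunction<Session<C>> fetcher; // hypothetical call to Roles Anywhere
    private final Clock clock;
    private Session<C> cached;

    public SessionCredentialCache(int durationSeconds, IntFunction<Session<C>> fetcher, Clock clock) {
        // The Duration setting accepts 900 to 3600 seconds.
        if (durationSeconds < 900 || durationSeconds > 3600) {
            throw new IllegalArgumentException("duration must be between 900 and 3600 seconds");
        }
        this.durationSeconds = durationSeconds;
        this.fetcher = fetcher;
        this.clock = clock;
    }

    /** Returns cached credentials, fetching a new set when the cached one is inside the margin. */
    public synchronized C get() {
        Instant now = clock.instant();
        if (cached == null || Duration.between(now, cached.expiresAt).compareTo(EXPIRY_MARGIN) < 0) {
            cached = fetcher.apply(durationSeconds);
        }
        return cached.credentials;
    }
}
```

Passing a Clock lets a test move time forward and confirm that a session with 59 seconds left is replaced while one with exactly 60 seconds left is reused.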

Java based authentication

The Integration authentication protocol handler implements a number of authentication schemes that the Java platform supports. The implementation of the Java Authentication and Authorization Service supports the following:

  • HTTP basic authentication

  • HTTP digest authentication

  • NTLM (defined by Microsoft)

  • HTTP SPNEGO Negotiate (defined by Microsoft) with the following underlying mechanisms:

    • Kerberos
    • NTLM
    note

    While the HTTP Authentication protocol handler supports SPNEGO, which includes the NTLM and Kerberos sub-mechanisms, Boomi has not tested Kerberos and does not provide technical support for it.

note

The behavior of the authentication exchanges may vary, based on the Java and operating system version.

NetworkAuthenticator class

Each authentication scheme is typically used by connector code in a similar way. To implement authentication for a connector, you first create a class that implements NetworkAuthenticator (see the Javadocs). NetworkAuthenticator is a class that enables optional authentication credentials for network connections. It is implemented by connectors that you build, and is invoked to obtain a username and password for authentication.

NetworkAuthenticatorContext class

The NetworkAuthenticatorContext class (see the Javadocs) provides more information about the context of the network exchange. The requestPasswordAuthentication method from NetworkAuthenticator requests a PasswordAuthentication instance based on the specified context. Any of the following information can be requested for the context of the authentication exchange:

  • getRequestingAuthType — Returns the requestor as a proxy or a server.
  • getRequestingHost — Gets the hostname of the site or proxy that is requesting authentication. If not available, returns null.
  • getRequestingPort — Gets the port number for the requested connection.
  • getRequestingPrompt — Gets the prompt string provided by the requestor.
  • getRequestingProtocol — Gets the protocol that is requesting the connection.
  • getRequestingScheme — Gets the scheme of the requestor. For example, the HTTP scheme for an HTTP firewall.
  • getRequestingSite — Gets the InetAddress of the site that is requesting authorization. If not available, returns null.
  • getRequestingURL — Gets the URL that resulted in the request for authorization.

With NetworkAuthenticatorContext, you can return a different username and password depending on any of the preceding context information. If this is not needed, see the SimpleNetworkAuthenticator class (see the Javadocs). SimpleNetworkAuthenticator authenticates using a single password authentication. This is enabled by default and is independent from the NetworkAuthenticator. Boomi provides this free implementation of NetworkAuthenticator so you do not need to implement it yourself.

Code sample

In Integration, when a Runtime that is running in the JVM calls the authentication method in your connector, NetworkAuthenticatorContext contains the context of the authentication. The username and password for the specific context are returned, as shown in the following example:

import com.boomi.connector.api.PropertyMap;
import com.boomi.connector.api.network.NetworkAuthenticator;
import com.boomi.connector.api.network.NetworkAuthenticatorContext;

import java.net.PasswordAuthentication;

// The `SampleAuthenticator` class implements the `NetworkAuthenticator` interface.
// It is responsible for handling authentication requests for a connector.
public class SampleAuthenticator implements NetworkAuthenticator {

    // Credentials read from the connection settings; used when no host-specific pair applies.
    private final String _userNameFromConnectionSettings;
    private final String _passwordFromConnectionSettings;

    public SampleAuthenticator(PropertyMap connectionProperties) {
        _userNameFromConnectionSettings = connectionProperties.getProperty("userName");
        _passwordFromConnectionSettings = connectionProperties.getProperty("password");
    }

    /*
     * (non-Javadoc)
     *
     * @see com.boomi.connector.api.network.NetworkAuthenticator#requestPasswordAuthentication(com.boomi.connector.api.
     * network.NetworkAuthenticatorContext)
     */
    @Override
    public PasswordAuthentication requestPasswordAuthentication(NetworkAuthenticatorContext context) {
        // getRequestingHost() returns null when the host is not available, and switching on a
        // null String throws NullPointerException, so map null to the default branch.
        String host = context.getRequestingHost();
        switch (host == null ? "" : host) {
            case "hostOne":
                return new PasswordAuthentication("hostOneUser", "hostOnePassword".toCharArray());
            case "hostTwo":
                return new PasswordAuthentication("hostTwoUser", "hostTwoPassword".toCharArray());
            default:
                return new PasswordAuthentication(_userNameFromConnectionSettings,
                        _passwordFromConnectionSettings.toCharArray());
        }
    }
}
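
In the sample above, the default branch returns the connection-settings credentials for any requesting host. The following added example (not part of the SDK or the original sample) releases them only to one configured host over HTTPS; the allowedHost property is hypothetical, getRequestingProtocol is assumed to return a String such as "https", and returning null is assumed to mean that no credentials are offered.

```java
import com.boomi.connector.api.PropertyMap;
import com.boomi.connector.api.network.NetworkAuthenticator;
import com.boomi.connector.api.network.NetworkAuthenticatorContext;

import java.net.PasswordAuthentication;
import java.util.Locale;

// Added example: hands out the connection credentials only to the configured host over HTTPS.
public class ScopedAuthenticator implements NetworkAuthenticator {

    private final String userName;
    private final char[] password;
    private final String allowedHost; // from the hypothetical "allowedHost" connection property

    public ScopedAuthenticator(PropertyMap connectionProperties) {
        userName = connectionProperties.getProperty("userName");
        String pw = connectionProperties.getProperty("password");
        String host = connectionProperties.getProperty("allowedHost");
        if (userName == null || pw == null || host == null) {
            throw new IllegalArgumentException("userName, password and allowedHost are required");
        }
        password = pw.toCharArray();
        allowedHost = host.trim().toLowerCase(Locale.ROOT);
    }

    @Override
    public PasswordAuthentication requestPasswordAuthentication(NetworkAuthenticatorContext context) {
        String host = context.getRequestingHost();         // null when the host is not available
        String protocol = context.getRequestingProtocol(); // assumed to return a String
        // Unknown or unexpected requestor: offer nothing (assumption: null means no credentials).
        if (host == null || !allowedHost.equals(host.toLowerCase(Locale.ROOT))) {
            return null;
        }
        // Do not hand the password to a plain-HTTP exchange.
        if (!"https".equalsIgnoreCase(protocol)) {
            return null;
        }
        return new PasswordAuthentication(userName, password.clone());
    }
}
```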

NetworkAuthenticatorConnector class

SDK developers can implement the NetworkAuthenticatorConnector class (see the Javadocs), which provides a factory method to create an optional NetworkAuthenticator and is used to extend the base Connector interface. This class creates an optional NetworkAuthenticator instance that is based on the current BrowseContext. Implementing classes may return null if no network authentication is required. Non-null instances returned are used to obtain authentication for a network connection. The BrowseContext has all of the connector settings.

Code sample

The following example illustrates the NetworkAuthenticatorConnector class.

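import com.boomi.connector.api.BrowseContext;
import com.boomi.connector.api.network.NetworkAuthenticator;
import com.boomi.connector.api.network.NetworkAuthenticatorConnector;

// The `SampleConnector` class implements the `NetworkAuthenticatorConnector` interface.
// This means it implements the `createAuthenticator` method defined in the
// `NetworkAuthenticatorConnector` interface.
// The methods required by the base Connector interface are omitted from this sample.
public class SampleConnector implements NetworkAuthenticatorConnector {

    /*
     * (non-Javadoc)
     *
     * @see com.boomi.connector.api.network.NetworkAuthenticatorConnector#createAuthenticator(com.boomi.connector.api.
     * BrowseContext)
     */
    @Override
    public NetworkAuthenticator createAuthenticator(BrowseContext context) {
        // The BrowseContext carries the connector settings, including the connection properties.
        return new SampleAuthenticator(context.getConnectionProperties());
    }
}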
