emilly Posted January 22, 2015

I am planning to integrate Jasper Server with my web application as single sign-on. I went through the Jasper Authentication cookbook (http://community.jaspersoft.com/system/files/restricted-docs/jasperreportsserver-auth-cookbook_2.pdf), and Jasper suggests token-based authentication as one of the solutions (as authentication is already done by my web application). What Jasper suggests is this: you pass the token in a specific format to Jasper Server (as defined below under tokenFormatMapping), and Jasper will authenticate the request.

So valid tokens can be

[code]u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601[/code]

Invalid tokens can be

[code]u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601[/code]

[code]<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
    ....................
    <property name="tokenPairSeparator" value="|" />
    <property name="tokenFormatMapping">
        <map>
            <entry key="username" value="u" />
            <entry key="roles" value="r" />
            <entry key="orgId" value="o" />
            <entry key="expireTime" value="exp" />
            <entry key="profile.attribs">
                <map>
                    <entry key="profileAttrib1" value="pa1" />
                    <entry key="profileAttrib2" value="pa2" />
                </map>
            </entry>
        </map>
    </property>
    <property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
</bean>
</property></bean>[/code]

My question is: is this really a secure process? Because as soon as a hacker knows the pattern under tokenFormatMapping, he can simply log in to Jasper Server. Isn't it? To me it looks like security can be compromised here. Am I missing something here?

Also, the cookbook says that "In token-based authentication, the JasperReports Server login screen is not displayed to the user and the user does not log in directly." I did not get what that actually means. Can't the user log in to Jasper Server if the token is in the correct format?
elizam Posted January 23, 2015 (Solution)

For security, it is recommended that you encrypt the token and use a timestamp. You would encrypt it in your web app using the algorithm of your choice and then hook up the decryption algorithm to the token auth in Jasper.

Yes, you are logged in. I think they meant to say the user does not have to go through the manual authentication process.
emilly Posted January 23, 2015

Yes, I am also thinking the same, that encryption using a shared key would be a safe bet. But I did not get where the timestamp will help. Do you mean encryption using a timestamp? If yes, how will Jasper Server get the same timestamp to decrypt the token?
elizam Posted January 23, 2015

You encrypt the timestamp along with the rest of the token. The timestamp is used as the basis for an "expiration date" - for example, the timestamp is only good for so many milliseconds - so JRS decrypts the token and checks that it is still valid. This ensures someone can't just steal a token and keep using it.
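The encrypt-plus-timestamp scheme elizam describes, as an added example that is not from this thread or from Jaspersoft: the web app seals a token laid out per the question's tokenFormatMapping with AES-GCM under a key shared with JRS, and the JRS side decrypts it (which fails for anything built without the key, however well it matches the pattern) and then rejects tokens whose exp has passed. AES-GCM, Go, the key, the names and the token values are all assumptions made here to keep the example self-contained; wiring the decrypter into JRS is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
	"time"
)

// Go form of the thread's tokenExpireTimestampFormat "yyyyMMddHHmmssZ".
const expLayout = "20060102150405-0700"

// Constructed 32-byte demo key; in practice a secret held only by the web app and JRS.
var sharedKey = []byte("0123456789abcdef0123456789abcdef")

// Seal (web-app side) encrypts a token written in tokenFormatMapping order, for example
// "u=alice|r=ROLE_USER|o=org1|exp=20150123120000+0000", as base64url(nonce||ciphertext||tag).
func Seal(plain string) string {
	block, _ := aes.NewCipher(sharedKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable randomness: refuse to issue a token
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil))
}

// OpenAndValidate (JRS side) decrypts and rejects expired tokens: a token built without the
// key fails the GCM tag check however well it fits the pattern; a stolen one dies with exp.
func OpenAndValidate(enc string, now time.Time) (string, error) {
	block, _ := aes.NewCipher(sharedKey)
	gcm, _ := cipher.NewGCM(block)
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed token")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("token forged or tampered")
	}
	_, expStr, ok := strings.Cut(string(plain), "|exp=")
	exp, err := time.Parse(expLayout, expStr)
	if !ok || err != nil || !exp.After(now) {
		return "", errors.New("token expired or missing exp")
	}
	return string(plain), nil
}
```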
mehulkatara Posted March 3, 2018

Follow this link for Jasper Token Based Authentication: https://github.com/mehulkatara/Jasper-Token-based-Authentication