How secured is jasper token based authentication ?


emilly
Solved by elizam


I am planning to integrate Jasper Server with my web application as Single Sign On. I went through the Jasper Authentication Cookbook (http://community.jaspersoft.com/system/files/restricted-docs/jasperreportsserver-auth-cookbook_2.pdf) and Jasper suggests token-based authentication as one of the solutions (as authentication is already done by my web application).

What Jasper suggests is this: you pass the token in a specific format to Jasper Server (as defined below under tokenFormatMapping), and Jasper will authenticate the request.
So valid tokens can be

[code]
u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
[/code]

Invalid tokens can be

[code]
u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
[/code]

[code]
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
    ....................
    <property name="tokenPairSeparator" value="|" />
    <property name="tokenFormatMapping">
        <map>
            <entry key="username" value="u" />
            <entry key="roles" value="r" />
            <entry key="orgId" value="o" />
            <entry key="expireTime" value="exp" />
            <entry key="profile.attribs">
                <map>
                    <entry key="profileAttrib1" value="pa1" />
                    <entry key="profileAttrib2" value="pa2" />
                </map>
            </entry>
        </map>
    </property>
    <property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
  </bean>
</property></bean>
[/code]


       
My question is: is this really a secure process? Because as soon as a hacker knows the pattern under tokenFormatMapping, he can simply log in to Jasper Server. Isn't it? To me it looks like security can be compromised here. Am I missing something here?

Also the cookbook says that

In token-based authentication, the JasperReports Server login screen is not displayed to the user and the user does not log in directly.

I did not get what it actually means. Can't the user log in to Jasper Server if the token is in the correct format?

  • Solution

For security, it is recommended that you encrypt the token & use a timestamp. You would encrypt it in your webapp using the algorithm of your choice and then hook up the decryption algorithm to the token auth in Jasper.

Yes, you are logged in. I think they meant to say the user does not have to go through the manual authentication process.


Yes, I am also thinking the same, that encryption using a shared key would be a safe bet. But I did not get where the timestamp will help. Do you mean encryption using the timestamp? If yes, how will the Jasper server get the same timestamp to decrypt the token?

You encrypt the timestamp along with the rest of the token. The timestamp is used as the basis for an "expiration date" - for example, the timestamp is only good for so many milliseconds - so JRS decrypts the token and checks that it is still valid. This ensures someone can't just steal a token and keep using it.
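Putting the two replies together, as an added example that is neither from this thread nor Jaspersoft's code: the web app lays out the token in the thread's tokenFormatMapping layout, attaches a keyed MAC (an HMAC rather than the encryption elizam suggests; in both cases the secret is the key, not the format) and an exp a few minutes out, and a hypothetical JRS-side hook rejects a token that is unkeyed, altered, or past its exp. The key, the hook, and the timestamps are assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

SEPARATOR = "|"               # tokenPairSeparator from the bean above
TS_FORMAT = "%Y%m%d%H%M%S%z"  # Python spelling of tokenExpireTimestampFormat yyyyMMddHHmmssZ
SHARED_KEY = b"constructed-demo-key-replace-me"  # assumption: secret shared by web app and JRS

def build_token(user, roles, org, attribs, ttl_seconds, now):
    """Web-app side: lay out the claims exactly as tokenFormatMapping expects."""
    exp = (now + timedelta(seconds=ttl_seconds)).strftime(TS_FORMAT)
    pairs = [f"u={user}", f"r={roles}", f"o={org}"]
    pairs += [f"{k}={v}" for k, v in attribs.items()]
    pairs.append(f"exp={exp}")
    return SEPARATOR.join(pairs)

def protect(token):
    """Append a keyed MAC: without SHARED_KEY nobody can mint or alter a token."""
    tag = hmac.new(SHARED_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}{SEPARATOR}mac={tag}"

def verify(protected, now):
    """JRS-side check (hypothetical hook): MAC first, then expiry, then claims."""
    body, sep, mac_field = protected.rpartition(SEPARATOR)
    if not sep or not mac_field.startswith("mac="):
        return None                              # unprotected or malformed token
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac_field[4:]):
        return None                              # forged or tampered
    claims = dict(p.split("=", 1) for p in body.split(SEPARATOR))
    try:
        exp = datetime.strptime(claims["exp"], TS_FORMAT)
    except (KeyError, ValueError):
        return None
    if exp <= now:
        return None                              # stolen token replayed after expiry
    return claims

def demo():
    """Constructed scenario: one accepted token and the three rejections."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    tok = build_token("user", "role1", "org1", {"pa1": "PA11", "pa2": "PA21"}, 300, now)
    prot = protect(tok)
    return {
        "token": tok,
        "accepted": verify(prot, now) is not None,
        "plain_rejected": verify(tok, now) is None,   # well-formed, but unkeyed
        "tampered_rejected": verify(prot.replace("u=user", "u=admin"), now) is None,
        "expired_rejected": verify(prot, now + timedelta(seconds=301)) is None,
    }
```

The "plain_rejected" case is the questioner's worry: a token in the right format but without the key gets nowhere once the check is in place.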
