Jump to content

marcelo.soares_1

Members
  • Posts

    2
  • Joined

  • Last visited

Community Answers

  1. marcelo.soares_1's post in Token-based Authentication - How to create new session when a new token is sent was marked as the answer   
    Hi everyone,
    I found a solution to fix this issue. I needed to change the class BasePreAuthenticatedProcessingFilter.java.
    Full path: /jasperserver-api-impl/externalAuth/src/main/java/com/jaspersoft/jasperserver/api/security/externalAuth/preauth/BasePreAuthenticatedProcessingFilter.java
    Like I said, I changed the doFilter method to verify if a token was sent. If so, I get the user sent by token and I also catch the session's user. Then, I compare the users to know if the user that was sent by token is the same user from session or else if is a other user.
    If is a different user, I invalidate the session and call super.doFilter(request, response, chain) normaly to do a new authentication. 
    @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if(isJsonResponseRequested((HttpServletRequest) request)){ // it's visualize authentication. Correct JSON success response is required here. // The only way to get correct redirect is to authenticate again. So, let's clear security context. SecurityContextHolder.clearContext(); } /** * CHANGE'S START * Veryfing if a new user was send by token */ HttpSession session = ((HttpServletRequest) request).getSession(false); Object principal = getPreAuthenticatedPrincipal((HttpServletRequest)request); if(principal != null && session != null){//Token was send Authentication currentUser = SecurityContextHolder.getContext().getAuthentication(); String newUser = null; String preAuthTokenStr = principal.toString(); String[] tokenKeyValuePairs = preAuthTokenStr.split(tokenPairSeparator); //Getting the user from token for (String tokenPair : tokenKeyValuePairs) { String[] tokenPairArr = tokenPair.split(TOKEN_KEY_VALUE_PAIR_SEPARATOR); if (tokenPairArr.length != 2) { logger.error("Invalid pre-authenticated token format. Pair " + tokenPair + " is missing key-value separator " + TOKEN_KEY_VALUE_PAIR_SEPARATOR + ". Skipping this pair processing."); continue; } final String tokenKey = tokenPairArr[0]; final String tokenValue = tokenPairArr[1]; final String[] tokenValuesArr = tokenValue.split(TOKEN_VALUE_SEPARATOR); if (tokenKey.equalsIgnoreCase(String.valueOf(tokenFormatMapping.get(PREAUTH_USERNAME)))) { if (tokenValuesArr.length != 1) logger.warn("A list of users was passed in. Only one user is supported. Using only the 1st user: " + tokenValuesArr[0]); newUser = tokenValuesArr[0]; } } if (logger.isDebugEnabled()){ logger.debug("Main parameter was send. Check if is a new user: " + principal); if(currentUser != null) logger.debug("currentUser: " + currentUser.getName()); if(newUser != null) logger.debug("newUser: " + newUser); } if((currentUser != null && newUser != null) && (!currentUser.getName().equals(newUser))){ if (logger.isDebugEnabled()) logger.debug("New user " + newUser + " different from " + currentUser.getName() + ". Destroy the session to do a new authenticate"); SecurityContextHolder.clearContext(); session.invalidate(); } } /** * CHANGE'S END */ super.doFilter(request, response, chain); }[/code]I also needed to add these methods in the same class:
    public void setTokenPairSeparator(String tokenPairSeparator) { this.tokenPairSeparator = Pattern.quote(tokenPairSeparator); } public void setTokenFormatMapping(Map<String, Object> tokenFormatMapping) { this.tokenFormatMapping = tokenFormatMapping; }[/code]... and classes variables:
    private Map<String,Object> tokenFormatMapping = new HashMap<String, Object>(); private String tokenPairSeparator = "\|"; public static final String TOKEN_KEY_VALUE_PAIR_SEPARATOR = "="; public static final String TOKEN_VALUE_SEPARATOR = ","; public static final String PREAUTH_USERNAME = "username";[/code]... and imports:
    import java.io.IOException;import java.util.HashMap;import java.util.Map;import java.util.regex.Pattern;import javax.servlet.http.HttpSession;import org.apache.log4j.Logger;import org.springframework.security.core.Authentication;import org.springframework.security.core.context.SecurityContextHolder;import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;import com.jaspersoft.jasperserver.api.common.crypto.CipherI;import com.jaspersoft.jasperserver.api.common.crypto.PlainTextNonCipher;import com.jaspersoft.jasperserver.api.security.externalAuth.ExternalDataSynchronizer;[/code]Remember you need to compile the application.
    I hope it helps you!
×
×
  • Create New...