English |
---|
User logs in to external system / identity provider and implicitly gains access to Joget without being prompted to login again. |
Chinese |
---|
用户登录到外部系统,隐式获得对Joget 的访问,而不会再提示重新登录。 |
...
Code Block |
---|
import org.joget.apps.workflow.security.WorkflowUserDetails;
import org.joget.directory.model.service.DirectoryManager;
import org.joget.workflow.model.service.WorkflowUserManager;
import org.joget.apps.app.service.AppUtil;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.joget.directory.model.User;
import org.joget.workflow.util.WorkflowUtil;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
//Get service beans
DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager");
WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager");
//Login as "clark"
String username = "clark";
User user = dm.getUserByUsername(username);
if (user != null) {
WorkflowUserDetails userDetail = new WorkflowUserDetails(user);
//Generate an authentication token without a password
UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userDetail.getUsername(), "", userDetail.getAuthorities());
auth.setDetails(userDetail);
//Login the user
SecurityContextHolder.getContext().setAuthentication(auth);
workflowUserManager.setCurrentThreadUser(user.getUsername());
// generate new session to avoid session fixation vulnerability
HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest();
HttpSession session = httpRequest.getSession(false);
if (session != null) {
SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
session.invalidate();
session = httpRequest.getSession(true);
if (savedRequest != null) {
session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest);
}
}
} |
Please note that if you are adding these code in a filter, you will need to store the SecurityContext to session.
Chinese |
---|
请注意,如果要将这些代码添加到过滤器中,则需要将SecurityContext存储到会话中。 |
Thai |
---|
โปรดทราบว่าหากคุณเพิ่มรหัสเหล่านี้ในตัวกรองคุณจะต้องเก็บ SecurityContext ไปที่เซสชัน |
Code Block |
---|
//Store SecurityContext to session to avoid spring security to clean it.
session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()); |
...