The user logs in to an external system and implicitly gains access to Joget Workflow without being prompted to log in again.
Note: The sample JavaScript code below exposes the user's credentials in the browser and is not a security best practice. Please do not put this into practice.
```html
<script>
$(document).ready(function(){
    // Anti-pattern shown for illustration only: the username and password are
    // hard-coded in page markup and submitted from the browser, so anyone who
    // can view the page source obtains them.
    $.ajax({
        type: "POST",
        url: 'http://localhost:8080/jw/web/json/directory/user/sso?callback=callbackFunction',
        data: {
            username: 'admin',
            password: 'admin'
        },
        success: function(res) {
            // The response reports the logged-in user and whether that user is an admin
            console.log("username (" + res.username + ") is " + ((res.isAdmin !== undefined && res.isAdmin === "true") ? "admin" : "not an admin"));
        },
        dataType: "json"
    });
});
</script>
```
...
```java
import org.joget.apps.workflow.security.WorkflowUserDetails;
import org.joget.directory.model.service.DirectoryManager;
import org.joget.workflow.model.service.WorkflowUserManager;
import org.joget.apps.app.service.AppUtil;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.joget.directory.model.User;
import org.joget.workflow.util.WorkflowUtil;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

// Get service beans
DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager");
WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager");

// Login as "clark"
String username = "clark";
User user = dm.getUserByUsername(username);
if (user != null) {
    WorkflowUserDetails userDetail = new WorkflowUserDetails(user);

    // Generate an authentication token without a password (empty credentials);
    // the three-argument constructor marks the token as authenticated
    UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userDetail, "", userDetail.getAuthorities());
    auth.setDetails(userDetail);

    // Login the user
    SecurityContextHolder.getContext().setAuthentication(auth);
    workflowUserManager.setCurrentThreadUser(user.getUsername());

    // Generate a new session to avoid session fixation vulnerability,
    // carrying over any request Spring Security saved before the login
    HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest();
    HttpSession session = httpRequest.getSession(false);
    if (session != null) {
        SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
        session.invalidate();
        session = httpRequest.getSession(true);
        if (savedRequest != null) {
            session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest);
        }
    }
}
```
...
Please note that if you are adding this code in a filter, you will need to store the SecurityContext in the session; otherwise Spring Security will clear it.
```java
// Store the SecurityContext in the session so that Spring Security does not clear it.
session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
```
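The following is an added example, not Joget's own code, that puts the two pieces above together in a servlet filter: the programmatic login with session rotation, followed by the explicit storing of the SecurityContext that a filter requires. It assumes a hypothetical request attribute named `sso.username` that a trusted server-side component sets only after it has verified the external system's login; how that verification and trust relationship are established is not covered by the page and is left as a placeholder. The attribute must never be derived from a client-supplied header or parameter, since the filter logs in whatever username it finds there.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.joget.apps.app.service.AppUtil;
import org.joget.apps.workflow.security.WorkflowUserDetails;
import org.joget.directory.model.User;
import org.joget.directory.model.service.DirectoryManager;
import org.joget.workflow.model.service.WorkflowUserManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.savedrequest.SavedRequest;

// Example filter (not part of Joget): logs a user in from an externally verified identity.
public class ExternalSsoFilter implements Filter {

    // Hypothetical attribute name. A trusted upstream component is assumed to set it
    // server-side after verifying the external login; it is NOT read from the client.
    static final String SSO_USER_ATTR = "sso.username";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) req;
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        Object ssoUser = httpRequest.getAttribute(SSO_USER_ATTR);

        // Only act when a verified identity is present and no one is logged in yet
        if (ssoUser instanceof String && (existing == null || !existing.isAuthenticated())) {
            loginAs(httpRequest, (String) ssoUser);
        }
        chain.doFilter(req, res);
    }

    // Returns true when the user exists and was logged in, false otherwise.
    static boolean loginAs(HttpServletRequest httpRequest, String username) {
        DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager");
        WorkflowUserManager workflowUserManager =
                (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager");

        User user = dm.getUserByUsername(username);
        if (user == null) {
            // Unknown user: continue unauthenticated rather than creating an account here
            return false;
        }

        WorkflowUserDetails userDetail = new WorkflowUserDetails(user);
        // Token with empty credentials; the three-argument constructor marks it authenticated
        UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(userDetail, "", userDetail.getAuthorities());
        auth.setDetails(userDetail);

        SecurityContextHolder.getContext().setAuthentication(auth);
        workflowUserManager.setCurrentThreadUser(user.getUsername());

        // Rotate the session id to prevent session fixation, keeping Spring's saved request
        HttpSession session = httpRequest.getSession(false);
        SavedRequest savedRequest = null;
        if (session != null) {
            savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
            session.invalidate();
        }
        session = httpRequest.getSession(true);
        if (savedRequest != null) {
            session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest);
        }

        // Inside a filter the context must be persisted explicitly, or Spring Security clears it
        session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());
        return true;
    }
}
```

The filter always creates a fresh session before storing the context, because a filter-based login without a session would lose the authentication on the next request. The `existing.isAuthenticated()` check prevents the filter from re-running the login, and re-rotating the session, on every request of an already authenticated user.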