Versions Compared

Old Version 3

changes.mady.by.user Sitthipong Boonkhoom

Saved on

compared with

New Version Current

changes.mady.by.user Hugo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

User logs in to external system and implicitly gains access to Joget Workflow without being prompted to login again.

Panel
titleColorwhite
titleBGColor#9b4d4d
titleIMPORTANT NOTICE

The sample code provided below using Javascript that exposes the user credential information is not a good security best practice. Please do not put this into practice.

Using JSON API

  • Using '/web/json/directory/user/sso' JSON API.
  • You are allowed to call this method using JSON API Authentication or 
  • Directly passes the username and password with "username" and "password" parameters respectively shown in following example.

...

...


Code Block
import org.joget.apps.workflow.security.WorkflowUserDetails;
import org.joget.directory.model.service.DirectoryManager;
import org.joget.workflow.model.service.WorkflowUserManager;
import org.joget.apps.app.service.AppUtil;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.joget.directory.model.User;
import org.joget.workflow.util.WorkflowUtil;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
 
//Get service beans
DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager");
WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager");
 
//Login as "clark"
String username = "clark"; 
User user = dm.getUserByUsername(username);

if (user != null) {
    WorkflowUserDetails userDetail = new WorkflowUserDetails(user);
 
    //Generate an authentication token without a password
    AuthenticationUsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userDetail, userDetail.getUsername(), "", userDetail.getAuthorities());
     auth.setDetails(userDetail);
    //Login the user
    SecurityContextHolder.getContext().setAuthentication(auth);
    workflowUserManager.setCurrentThreadUser(user.getUsername());

    // generate new session to avoid session fixation vulnerability
    HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest();
    HttpSession session = httpRequest.getSession(false);
    if (session != null) {
        SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
        session.invalidate();
        session = httpRequest.getSession(true);
        if (savedRequest != null) {
            session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest);
        }
    }
}

 

...

Please note that if you are adding these code in a filter, you will need to store the SecurityContext to session.
 Code Block
//Store SecurityContext to session to avoid spring security to clean it.
session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());