Joget DX 8 Stable Released
The stable release for Joget DX 8 is now available, with a focus on UX and Governance.
Table of Contents |
---|
User logs in to external system and implicitly gains access to Joget Workflow without being prompted to login again.
Panel | ||||||
---|---|---|---|---|---|---|
| ||||||
The sample code provided below using Javascript that exposes the user credential information is not a good security best practice. Please do not put this into practice. |
...
...
Code Block |
---|
import org.joget.apps.workflow.security.WorkflowUserDetails; import org.joget.directory.model.service.DirectoryManager; import org.joget.workflow.model.service.WorkflowUserManager; import org.joget.apps.app.service.AppUtil; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.joget.directory.model.User; import org.joget.workflow.util.WorkflowUtil; import org.springframework.security.core.context.SecurityContextHolder; import javax.servlet.http.HttpSession; import javax.servlet.http.HttpServletRequest; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.SavedRequest; //Get service beans DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager"); WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager"); //Login as "clark" String username = "clark"; User user = dm.getUserByUsername(username); if (user != null) { WorkflowUserDetails userDetail = new WorkflowUserDetails(user); //Generate an authentication token without a password UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userDetail.getUsername(), "", userDetail.getAuthorities()); auth.setDetails(userDetail); //Login the user SecurityContextHolder.getContext().setAuthentication(auth); workflowUserManager.setCurrentThreadUser(user.getUsername()); // generate new session to avoid session fixation vulnerability HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest(); HttpSession session = httpRequest.getSession(false); if (session != null) { SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY"); session.invalidate(); session = httpRequest.getSession(true); if (savedRequest != null) { session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest); } } } |
Please note that if you are adding these code in a filter, you will need to store the SecurityContext to session.
Code Block |
---|
//Store SecurityContext to session to avoid spring security to clean it. session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext()); |
...