Joget DX 8 Stable Released
The stable release for Joget DX 8 is now available, with a focus on UX and Governance.
User logs in to external system and implicitly gains access to Joget Workflow without being prompted to login again.
<script> $(document).ready(function(){ $.ajax({ type: "POST", url: 'http://localhost:8080/jw/web/json/directory/user/sso?callback=callbackFunction', data: { username: 'admin', password: 'admin' }, success: function(res) { console.log("username (" + res.username + ") is " + ((res.isAdmin !== undefined && res.isAdmin === "true")?"admin":"not an admin")); }, dataType: "json" }); }); </script>
<script> $(document).ready(function(){ $.ajax({ type: "POST", url: 'http://localhost:8080/jw/web/json/directory/user/sso', beforeSend: function (xhr) { xhr.setRequestHeader ("Authorization", "Basic dXNlcjE6cGFzc3dvcmQx"); }, success: function(res) { console.log("username (" + res.username + ") is " + ((res.isAdmin !== undefined && res.isAdmin === "true")?"admin":"not an admin")); }, dataType: "json" }); }); </script>
Using the AssignmentManager.login method for SSO.
<script type="text/javascript" src="http://localhost:8080/jw/js/jquery/jquery-1.9.1.min.js"></script> <script type="text/javascript" src="http://localhost:8080/jw/js/json/util.js" ></script> <script type="text/javascript" > $(document).ready(function(){ var loginCallback = { success : function(response){ if(response.username != "roleAnonymous"){ alert("login successfully"); }else{ alert("login fail"); } } }; AssignmentManager.login('http://localhost:8080/jw', 'admin', 'admin', loginCallback); }); </script>
import org.joget.apps.workflow.security.WorkflowUserDetails; import org.joget.directory.model.service.DirectoryManager; import org.joget.workflow.model.service.WorkflowUserManager; import org.joget.apps.app.service.AppUtil; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.joget.directory.model.User; import org.joget.workflow.util.WorkflowUtil; import org.springframework.security.core.context.SecurityContextHolder; import javax.servlet.http.HttpSession; import javax.servlet.http.HttpServletRequest; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.SavedRequest; //Get service beans DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager"); WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager"); //Login as "clark" String username = "clark"; User user = dm.getUserByUsername(username); if (user != null) { WorkflowUserDetails userDetail = new WorkflowUserDetails(user); //Generate an authentication token without a password UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userDetail.getUsername(), "", userDetail.getAuthorities()); auth.setDetails(userDetail); //Login the user SecurityContextHolder.getContext().setAuthentication(auth); workflowUserManager.setCurrentThreadUser(user.getUsername()); // generate new session to avoid session fixation vulnerability HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest(); HttpSession session = httpRequest.getSession(false); if (session != null) { SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY"); session.invalidate(); session = httpRequest.getSession(true); if (savedRequest != null) { session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest); } } }
Please note that if you are adding these code in a filter, you will need to store the SecurityContext to session.
//Store SecurityContext to session to avoid spring security to clean it. session.setAttribute("SPRING_SECURITY_CONTEXT", SecurityContextHolder.getContext());