Joget DX 8 Stable Released
The stable release for Joget DX 8 is now available, with a focus on UX and Governance.
User logs in to external system and implicitly gains access to Joget Workflow without being prompted to login again.
The sample code provided below using Javascript that exposes the user credential information is not a good security best practice. Please do not put this into practice.
<script> $(document).ready(function(){ $.ajax({ type: "POST", url: 'http://localhost:8080/jw/web/json/directory/user/sso?callback=callbackFunction', data: { username: 'admin', password: 'admin' }, success: function(res) { console.log("username (" + res.username + ") is " + ((res.isAdmin !== undefined && res.isAdmin === "true")?"admin":"not an admin")); }, dataType: "json" }); }); </script>
<script> $(document).ready(function(){ $.ajax({ type: "POST", url: 'http://localhost:8080/jw/web/json/directory/user/sso', beforeSend: function (xhr) { xhr.setRequestHeader ("Authorization", "Basic dXNlcjE6cGFzc3dvcmQx"); }, success: function(res) { console.log("username (" + res.username + ") is " + ((res.isAdmin !== undefined && res.isAdmin === "true")?"admin":"not an admin")); }, dataType: "json" }); }); </script>
Using the AssignmentManager.login method for SSO.
<script type="text/javascript" src="http://localhost:8080/jw/js/jquery/jquery-1.9.1.min.js"></script> <script type="text/javascript" src="http://localhost:8080/jw/js/json/util.js" ></script> <script type="text/javascript" > $(document).ready(function(){ var loginCallback = { success : function(response){ if(response.username != "roleAnonymous"){ alert("login successfully"); }else{ alert("login fail"); } } }; AssignmentManager.login('http://localhost:8080/jw', 'admin', 'admin', loginCallback); }); </script>
import org.joget.apps.workflow.security.WorkflowUserDetails; import org.joget.directory.model.service.DirectoryManager; import org.joget.workflow.model.service.WorkflowUserManager; import org.joget.apps.app.service.AppUtil; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.joget.directory.model.User; import org.joget.workflow.util.WorkflowUtil; import org.springframework.security.core.context.SecurityContextHolder; import javax.servlet.http.HttpSession; import javax.servlet.http.HttpServletRequest; import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.SavedRequest; //Get service beans DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager"); WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager"); //Login as "clark" String username = "clark"; User user = dm.getUserByUsername(username); if (user != null) { WorkflowUserDetails userDetail = new WorkflowUserDetails(user); //Generate an authentication token without a password UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(userDetail.getUsername(), "", userDetail.getAuthorities()); auth.setDetails(userDetail); //Login the user SecurityContextHolder.getContext().setAuthentication(auth); workflowUserManager.setCurrentThreadUser(user.getUsername()); // generate new session to avoid session fixation vulnerability HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest(); HttpSession session = httpRequest.getSession(false); if (session != null) { SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY"); session.invalidate(); session = httpRequest.getSession(true); if (savedRequest != null) { session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest); } } }