Versions Compared

Old Version 7

changes.mady.by.user Owen Ong

Saved on

compared with

New Version Current

changes.mady.by.user Hugo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

User logs in to external system and implicitly gains access to Joget Workflow without being prompted to login again.

Panel
titleColorwhite
titleBGColor#9b4d4d
titleIMPORTANT NOTICE

The sample code provided below using Javascript that exposes the user credential information is not a good security best practice. Please do not put this into practice.

Using JSON API

  • Using '/web/json/directory/user/sso' JSON API.
  • You are allowed to call this method using JSON API Authentication or 
  • Directly passes the username and password with "username" and "password" parameters respectively shown in following example.

...

  • Since V4, Joget Workflow is suppoeted supported Basic HTTP Authentication in JSON API authentication, you can passing the credentials in the header.
  • ExampleAssuming the username and password required is "user1" and "password1" respectively, we can set the Basic Auth header to the JSON API using following jQuery script.

...


 

Code Block
import org.joget.apps.workflow.security.WorkflowUserDetails;
import org.joget.directory.model.service.DirectoryManager;
import org.joget.workflow.model.service.WorkflowUserManager;
import org.joget.apps.app.service.AppUtil;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.joget.directory.model.User;
import org.joget.workflow.util.WorkflowUtil;
import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
 
//Get service beans
DirectoryManager dm = (DirectoryManager) AppUtil.getApplicationContext().getBean("directoryManager");
WorkflowUserManager workflowUserManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager");
 
//Login as "clark"
String username = "clark"; 
User user = dm.getUserByUsername(username);

if (user != null) {
    WorkflowUserDetails userDetail = new WorkflowUserDetails(user);
 
    //Generate an authentication token without a password
    Authentication auth = new UsernamePasswordAuthenticationToken(userDetail, userDetail.getUsername(), userDetail.getAuthorities());
    
    //Login the user
    SecurityContextHolder.getContext().setAuthentication(auth);
    workflowUserManager.setCurrentThreadUser(user.getUsername());

    // generate new session to avoid session fixation vulnerability
    HttpServletRequest httpRequest = WorkflowUtil.getHttpServletRequest();
    HttpSession session = httpRequest.getSession(false);
    if (session != null) {
        SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY");
        session.invalidate();
        session = httpRequest.getSession(true);
        if (savedRequest != null) {
            session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", savedRequest);
        }
    }
}

 

...