Jaspic, JSESSIONIDSSO and Undertow
alessandromoscatelli Oct 18, 2017 12:35 PM

Hi everybody,
I used to have a standard plain old good JAAS module and a simple single-sign-on tag in the host configuration within the Undertow configuration:
    <host name="default-host" alias="localhost">
        <location name="/" handler="welcome-content"/>
        <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        <single-sign-on/>
        <http-invoker security-realm="ApplicationRealm"/>
    </host>
I used SSO to have a single session usable to login in both frontend and backend modules.
Now I switched from JAAS to Jaspic:
    <security-domain name="auth" cache-type="default">
        <authentication-jaspi>
            <login-module-stack name="dummy">
                <login-module code="Dummy" flag="optional"/>
            </login-module-stack>
            <auth-module code="Dummy"/>
        </authentication-jaspi>
    </security-domain>
My Jaspic code is pretty simple and follows any guide I found about Jaspic:
    @Override
    @PermitAll
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
            throws AuthException {
        // IS_MANDATORY and REGISTER_SESSION are constants of the module (not shown in the post);
        // String.valueOf() avoids a NullPointerException when the key is absent from the map.
        if (!Boolean.valueOf(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)))) {
            // Unprotected resource: nothing to validate.
            return AuthStatus.SUCCESS;
        }
        Object requestMessage = messageInfo.getRequestMessage();
        Object responseMessage = messageInfo.getResponseMessage();
        try {
            if (requestMessage instanceof HttpServletRequest && responseMessage instanceof HttpServletResponse) {
                HttpServletRequest httpServletRequest = HttpServletRequest.class.cast(requestMessage);
                HttpServletResponse httpServletResponse = HttpServletResponse.class.cast(responseMessage);
                // Already authenticated (for example through a registered session): re-establish the caller.
                Principal userPrincipal = httpServletRequest.getUserPrincipal();
                if (!Objects.isNull(userPrincipal)) {
                    handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, userPrincipal) });
                    return AuthStatus.SUCCESS;
                }
                Credential credential = retrieveCredential(httpServletRequest, httpServletResponse);
                if (Objects.isNull(credential)) {
                    return manageMissingCredential(httpServletRequest, httpServletResponse);
                }
                Collection<Credential> results = credentialDao.find(credential, 1, 0).getResults();
                if (!CollectionUtils.isEmpty(results)) {
                    Credential match = results.stream().findFirst().get();
                    // Apply the IP restrictions attached to the matched credential.
                    Restriction toFind = new Restriction();
                    toFind.setCredential(match);
                    for (Restriction restriction : restrictionDao.find(toFind, null, null).getResults()) {
                        if (restriction instanceof IpRestriction) {
                            IpRestriction cast = IpRestriction.class.cast(restriction);
                            SubnetUtils subnetUtils = new SubnetUtils(cast.getCidrNotation());
                            subnetUtils.setInclusiveHostCount(true);
                            // Note: X-Forwarded-For is client-supplied unless a trusted proxy in front
                            // of the server overwrites it; getRemoteAddr() is only the fallback here.
                            String remoteAddr = httpServletRequest.getHeader("X-FORWARDED-FOR");
                            if (StringUtils.isEmpty(remoteAddr)) {
                                remoteAddr = httpServletRequest.getRemoteAddr();
                            }
                            if (!subnetUtils.getInfo().isInRange(remoteAddr)) {
                                logger.error("RESTRICTION FOR " + remoteAddr);
                                return manageRestriction(httpServletRequest, httpServletResponse);
                            }
                        }
                    }
                    CallerPrincipalCallback callerPrincipalCallback =
                            new CallerPrincipalCallback(clientSubject, new AuthenticationPrincipal(match.getName(), match));
                    GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(clientSubject,
                            match.getRoles().stream().map(r -> r.getValue()).toArray(String[]::new));
                    handler.handle(new Callback[] { callerPrincipalCallback, groupPrincipalCallback });
                    // Ask the container to register the authenticated session for subsequent requests.
                    messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
                    return manageCorrectCredential(httpServletRequest, httpServletResponse);
                }
                return manageWrongCredential(httpServletRequest, httpServletResponse);
            }
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException().initCause(e);
        }
        return AuthStatus.FAILURE;
    }
Everything works as I planned, except that NO JSESSIONIDSSO is generated.
In the response headers I read:
    Set-Cookie: JSESSIONID=ZCKMJufNMwe5hnKMrzD2L630NCQoA-UbPq-ErFsB.8f55e6ab3654; path=/OptoPlusServices-web
Am I able to get a good old JSESSIONIDSSO generation with Jaspic?
Thank you in advance
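The IpRestriction check in the post reads X-FORWARDED-FOR before getRemoteAddr(), so any client can satisfy a subnet restriction by sending that header itself. The following is an added example (not code from the post or from WildFly), written in Python with the standard ipaddress module so it runs stand-alone; it honours the header only when the TCP peer is one of a constructed list of trusted proxies and takes the right-most hop not added by a proxy, which is the logic that maps onto getRemoteAddr() and the header in validateRequest. The proxy range and the allowed subnet are constructed sample values.

```python
import ipaddress
from typing import Optional

# Constructed sample values (assumptions, not from the original post): the reverse
# proxies sitting in front of the application and one credential's allowed subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_SUBNET = ipaddress.ip_network("192.168.10.0/24")


def is_trusted_proxy(addr: str) -> bool:
    """True if addr parses and belongs to one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_address(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address an IP restriction must be evaluated against.

    remote_addr is the TCP peer (getRemoteAddr()); x_forwarded_for is the raw header
    value or None. The header is used only when the peer is a trusted proxy, and only
    its right-most entry that was not appended by a trusted proxy counts: everything
    to the left of that entry may have been written by the client.
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [hop.strip() for hop in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every listed hop was a proxy: fall back to the peer


def ip_restriction_allows(remote_addr: str, x_forwarded_for: Optional[str],
                          allowed=ALLOWED_SUBNET) -> bool:
    """Counterpart of the SubnetUtils isInRange() check with inclusive host count
    (the network and broadcast addresses are accepted). Unparsable input is denied."""
    client = resolve_client_address(remote_addr, x_forwarded_for)
    try:
        return ipaddress.ip_address(client) in allowed
    except ValueError:
        return False
```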