
    Jaspic, JSESSIONIDSSO and Undertow

    alessandromoscatelli

      Hi everybody,

      I used to have a good old plain JAAS module and a simple single-sign-on tag in the host configuration within the Undertow configuration:

       

          <host name="default-host" alias="localhost">
           <location name="/" handler="welcome-content"/>
           <filter-ref name="server-header"/>
           <filter-ref name="x-powered-by-header"/>
           <single-sign-on/>
           <http-invoker security-realm="ApplicationRealm"/>
          </host>
      

       

      I used SSO to have a single session usable to log in to both the frontend and backend modules.

       

      Now I have switched from JAAS to Jaspic:

       

          <security-domain name="auth" cache-type="default">
           <authentication-jaspi>
            <login-module-stack name="dummy">
             <login-module code="Dummy" flag="optional"/>
            </login-module-stack>
            <auth-module code="Dummy"/>
           </authentication-jaspi>
          </security-domain>
      

       

      My Jaspic code is pretty simple and follows every guide I found about Jaspic:

       

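          /**
           * JASPIC entry point: validates the incoming HTTP request and, on success, hands the
           * caller principal and its groups to the container through the callback handler.
           *
           * <p>Flow: a request whose policy is not mandatory is let through untouched; a request
           * that already carries a container principal is simply re-asserted; otherwise the
           * credential extracted from the request is looked up, its IP restrictions are checked,
           * and the caller/group callbacks are issued with {@code REGISTER_SESSION} set so the
           * container keeps the authentication on the HTTP session.
           *
           * @param messageInfo    request/response pair plus the JASPIC property map
           * @param clientSubject  subject the caller principal and groups are attached to
           * @param serviceSubject not used by this module
           * @return the status chosen by the {@code manage*} hooks, or {@code FAILURE} when the
           *         messages are not servlet request/response objects
           * @throws AuthException if the callback handler fails; the original cause is preserved
           */
          @Override
          @PermitAll
          public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
              // The isMandatory entry is only guaranteed to be present when the policy is mandatory.
              // String.valueOf tolerates a missing (null) entry instead of throwing an NPE on toString().
              Object mandatory = messageInfo.getMap().get(IS_MANDATORY);
              if (!Boolean.parseBoolean(String.valueOf(mandatory))) {
                  return AuthStatus.SUCCESS;
              }

              Object requestMessage = messageInfo.getRequestMessage();
              Object responseMessage = messageInfo.getResponseMessage();
              if (!(requestMessage instanceof HttpServletRequest) || !(responseMessage instanceof HttpServletResponse)) {
                  return AuthStatus.FAILURE;
              }
              HttpServletRequest httpServletRequest = (HttpServletRequest) requestMessage;
              HttpServletResponse httpServletResponse = (HttpServletResponse) responseMessage;

              try {
                  // Already authenticated by the container (e.g. an existing session): re-assert as-is.
                  Principal userPrincipal = httpServletRequest.getUserPrincipal();
                  if (userPrincipal != null) {
                      handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, userPrincipal) });
                      return AuthStatus.SUCCESS;
                  }

                  Credential credential = retrieveCredential(httpServletRequest, httpServletResponse);
                  if (credential == null) {
                      return manageMissingCredential(httpServletRequest, httpServletResponse);
                  }

                  Collection<Credential> results = credentialDao.find(credential, 1, 0).getResults();
                  if (CollectionUtils.isEmpty(results)) {
                      return manageWrongCredential(httpServletRequest, httpServletResponse);
                  }
                  Credential match = results.iterator().next();

                  String remoteAddr = resolveRemoteAddress(httpServletRequest);
                  if (!passesIpRestrictions(match, remoteAddr)) {
                      logger.error("RESTRICTION FOR " + remoteAddr);
                      return manageRestriction(httpServletRequest, httpServletResponse);
                  }

                  CallerPrincipalCallback callerPrincipalCallback =
                          new CallerPrincipalCallback(clientSubject, new AuthenticationPrincipal(match.getName(), match));
                  GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(clientSubject,
                          match.getRoles().stream().map(r -> r.getValue()).toArray(String[]::new));
                  handler.handle(new Callback[] { callerPrincipalCallback, groupPrincipalCallback });
                  // Ask the container to bind this authentication to the HTTP session.
                  messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
                  return manageCorrectCredential(httpServletRequest, httpServletResponse);
              } catch (IOException | UnsupportedCallbackException e) {
                  throw (AuthException) new AuthException().initCause(e);
              }
          }

          /**
           * Address the IP restrictions are evaluated against: the X-FORWARDED-FOR header when
           * present, otherwise the peer address of the connection.
           *
           * <p>NOTE(review): X-Forwarded-For is supplied by the client unless a trusted reverse
           * proxy overwrites it, so a caller can pick the address that is checked here. Honour the
           * header only when {@code getRemoteAddr()} is a known proxy, and be aware it may carry a
           * comma-separated chain rather than a single address — TODO confirm the deployment and
           * gate on it.
           */
          private String resolveRemoteAddress(HttpServletRequest httpServletRequest) {
              String forwardedFor = httpServletRequest.getHeader("X-FORWARDED-FOR");
              if (StringUtils.isEmpty(forwardedFor)) {
                  return httpServletRequest.getRemoteAddr();
              }
              return forwardedFor;
          }

          /**
           * Returns {@code true} when every {@link IpRestriction} attached to {@code match} contains
           * {@code remoteAddr}; a single excluding restriction denies access.
           */
          private boolean passesIpRestrictions(Credential match, String remoteAddr) {
              Restriction toFind = new Restriction();
              toFind.setCredential(match);
              for (Restriction restriction : restrictionDao.find(toFind, null, null).getResults()) {
                  if (!(restriction instanceof IpRestriction)) {
                      continue;
                  }
                  SubnetUtils subnetUtils = new SubnetUtils(((IpRestriction) restriction).getCidrNotation());
                  // Count the network and broadcast addresses as part of the allowed range.
                  subnetUtils.setInclusiveHostCount(true);
                  if (!subnetUtils.getInfo().isInRange(remoteAddr)) {
                      return false;
                  }
              }
              return true;
          }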
      

       

      Everything works as I planned, except that NO JSESSIONIDSSO is generated.

       

      In the response headers I read:

       

      Set-Cookie: JSESSIONID=ZCKMJufNMwe5hnKMrzD2L630NCQoA-UbPq-ErFsB.8f55e6ab3654; path=/OptoPlusServices-web


      Am I able to get good old JSESSIONIDSSO generation with Jaspic?

       

      Thank you in advance