0 Replies Latest reply on Oct 18, 2017 12:35 PM by Alessandro Moscatelli

    Jaspic, JSESSIONIDSSO and Undertow

    Alessandro Moscatelli Newbie

      Hi everybody,

      I used to have a standard plain old good JAAS module and a simple single-sign-on tag in the host configuration within undertow configuration :

       

          <host name="default-host" alias="localhost">
           <location name="/" handler="welcome-content"/>
           <filter-ref name="server-header"/>
           <filter-ref name="x-powered-by-header"/>
           <single-sign-on/>
           <http-invoker security-realm="ApplicationRealm"/>
          </host>
      

       

      I used SSO to have a single session usable to login in both frontend and backend modules.

       

      Now I switched from JAAS to Jaspic :

       

          <security-domain name="auth" cache-type="default">
           <authentication-jaspi>
            <login-module-stack name="dummy">
             <login-module code="Dummy" flag="optional"/>
            </login-module-stack>
            <auth-module code="Dummy"/>
           </authentication-jaspi>
          </security-domain>
      

       

      My code Jaspic code is pretty simple and follows any guide I found about Jaspic :

       

          @Override
          @PermitAll
          public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException {
              
              if (!Boolean.valueOf(messageInfo.getMap().get(IS_MANDATORY).toString())){
                  return AuthStatus.SUCCESS;
              }
              
              Object requestMessage = messageInfo.getRequestMessage();
              Object responseMessage = messageInfo.getResponseMessage();
              
              try {
              
                  if (requestMessage instanceof HttpServletRequest && responseMessage instanceof HttpServletResponse){
                      HttpServletRequest httpServletRequest = HttpServletRequest.class.cast(requestMessage);
                      HttpServletResponse httpServletResponse = HttpServletResponse.class.cast(responseMessage);
                      
                      Principal userPrincipal = httpServletRequest.getUserPrincipal();
                      
                      if (!Objects.isNull(userPrincipal)){
                          handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, userPrincipal) });
                          return AuthStatus.SUCCESS;
                      }
                      
                      Credential credential = retrieveCredential(httpServletRequest, httpServletResponse);
                      
                      if (Objects.isNull(credential)){
                          return manageMissingCredential(httpServletRequest, httpServletResponse);
                      }
                      
                      Collection<Credential> results = credentialDao.find(credential, 1, 0).getResults();
                      if (!CollectionUtils.isEmpty(results)){
                          Credential match = results.stream().findFirst().get();
                          Restriction toFind = new Restriction();
                          toFind.setCredential(match);
                          
                          for (Restriction restriction : restrictionDao.find(toFind, null, null).getResults()){
                              if (restriction instanceof IpRestriction){
                                  IpRestriction cast = IpRestriction.class.cast(restriction);
                                  SubnetUtils subnetUtils = new SubnetUtils(cast.getCidrNotation());
                                  subnetUtils.setInclusiveHostCount(true);
                                  String remoteAddr = httpServletRequest.getHeader("X-FORWARDED-FOR");
                                  if (StringUtils.isEmpty(remoteAddr)) {
                                      remoteAddr = httpServletRequest.getRemoteAddr();
                                  }
                                  if (!subnetUtils.getInfo().isInRange(remoteAddr)){
                                      logger.error("RESTRICTION FOR " + remoteAddr);
                                      return manageRestriction(httpServletRequest, httpServletResponse);
                                  }
                              }
                          }
                          
                          CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(clientSubject, new AuthenticationPrincipal(match.getName(), match));
                          GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(clientSubject, match.getRoles().stream().map(r -> r.getValue()).toArray(String[]::new));
                          handler.handle(new Callback[] { callerPrincipalCallback , groupPrincipalCallback });
                          messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
                          return manageCorrectCredential(httpServletRequest, httpServletResponse);
                      }
                      return manageWrongCredential(httpServletRequest, httpServletResponse);
                      
                  }
              
              } catch (IOException | UnsupportedCallbackException e) {
                  throw (AuthException) new AuthException().initCause(e);
              }
              
              return AuthStatus.FAILURE;
              
          }
      

       

      Everything works as I planned except for NO JSESSIONIDSSO is generated.

       

      In the response header I read :

       

      Set-CookieJSESSIONID=ZCKMJufNMwe5hnKMrzD2L630NCQoA-UbPq-ErFsB.8f55e6ab3654; path=/OptoPlusServices-web


      Am I enable to get a good old JSESSIONIDSSO generation with Jaspic ?

       

      Thank you in advance