How to create a custom authentication?

We are building a CUBA app, and we have the following request. The app will be accessible through an existing portal using an iFrame. Based on that, the users will login into the company’s portal and from an available menu, a new web page will be displayed - this page will include an iFrame component that will responsible for the loading of the CUBA app. At this stage, when the application will be loaded, the login screen of the CUBA app should not be required again since the user will be already logged in through the portal. So, I would like to ask you how we could prevent the login screen from being displayed and providing the user’s credentials through another channel - possibly included in the URL string?

Thanks in advance,
George Papageorgiou


There are two ways of how you can log in CUBA application using URL.

The first way is using parameters in URL navigation. For instance, let’s say that
the token “e63cacd4-646b-4232-bd72-36ddff780bbf” is generated only for user “admin”.
So we can add the following code to the LoginWidow:

private NavigationState state;
private String secretToken = "e63cacd4-646b-4232-bd72-36ddff780bbf";

private UrlRouting urlRouting;

private void onBeforeShow(BeforeShowEvent event) {
    state = urlRouting.getState();

private void onAfterShow(AfterShowEvent event) {
    String st = state.getParams().get("st");
    if (secretToken.equals(st)) {
        doLogin(new ExternalUserCredentials("admin"));

In onBeforeShow we save the current state of URL with parameters in order to check
token and do log in after screen is shown.

Use the following link to log in:


The second way is using HttpRequestFilter and ApplicationListener<AppStartedEvent>.
In our filter, we check that address contains the specific parameter and if so save it to

String st = request.getParameter("st");
if (!Strings.isNullOrEmpty(st)) {
    request.getSession().setAttribute("st", st);

    RequestContext.create(request, response);


chain.doFilter(request, response);

Redirect is used for removing parameters from address. In the ApplicationListener
we get given parameter, check it and do login.

private String secretToken = "e63cacd4-646b-4232-bd72-36ddff780bbf";

public void onApplicationEvent(AppStartedEvent event) {
    App app = event.getApp();
    Connection connection = app.getConnection();

    if (!connection.isAuthenticated()) {
        RequestContext requestContext = RequestContext.get();
        if (requestContext != null) {
            HttpServletRequest request = requestContext.getRequest();
            String st = (String) request.getSession().getAttribute("st");
            if (secretToken.equals(st)) {
                try {
                    connection.login(new ExternalUserCredentials("admin"));
                } catch (LoginException e) {
                    log.warn("Unable to login by token {}", st);

Use the following link to log in:


Useful links:

  1. Login
  2. Web login
  3. authentication-by-url demo
1 Like

Thank you very much! This is really what I needed!

1 Like