Integrate CUBA Application with an external Web Application

Hi All,

I need (urgently) to integrate my CUBA web application with an external web application (EWA), so I need to code an auto-login procedure to avoid showing the standard login page when the application is called by the EWA.

As a first integration attempt I’d settle for a slightly insecure approach: the EWA will call the URL of my CUBA application, sending conventional username/password credentials in the query string (e.g. as an MD5-encoded pair) that correspond to a correct CUBA user.

The idea is: if the query string contains the credentials, I’ll log in to my application automatically, otherwise I’ll show the login page. How do I do it?

Thanks for whatever support you are able to provide!

Kind regards


You could implement it using a custom CubaAuthProvider.

First of all, create the class SimpleTokenAuthProvider in your web module:

import com.haulmont.cuba.security.global.LoginException;
import com.haulmont.cuba.web.auth.CubaAuthProvider;
import javax.servlet.*;
import java.io.IOException;
import java.util.Locale;

public class SimpleTokenAuthProvider implements CubaAuthProvider {
    public void authenticate(String login, String password, Locale messagesLocale) throws LoginException {
        throw new UnsupportedOperationException("Use standard auth only");
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // do nothing
    }

    public void destroy() {
        // do nothing
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // here we will implement SSO logic for simple hard-coded token
    }
}

We will use two additional internal classes: SimpleTokenPrincipalImpl and ServletRequestWrapper.

SimpleTokenPrincipalImpl will be implementation of

public static class SimpleTokenPrincipalImpl implements Principal {
    private final String userName;

    public SimpleTokenPrincipalImpl(String userName) {
        this.userName = userName;
    }

    public String getName() {
        return userName;
    }
}
ServletRequestWrapper will extend javax.servlet.http.HttpServletRequestWrapper:

public static class ServletRequestWrapper extends HttpServletRequestWrapper {
    private final SimpleTokenPrincipalImpl principal;

    public ServletRequestWrapper(HttpServletRequest request, SimpleTokenPrincipalImpl principal) {
        // HttpServletRequestWrapper has no no-arg constructor, the wrapped request must be passed on
        super(request);
        this.principal = principal;
    }

    public Principal getUserPrincipal() {
        return principal;
    }
}
In fact, any CubaAuthProvider is an HttpFilter that is invoked on each HTTP request.

We will check the request parameter “token” and, if it is a correct token, log in the user with the passed user name.
For instance: http://localhost:8080/app?token=LOG_IN_ME_PLEASE&user=admin will login as “admin”.

Our auth logic:

HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpSession session = httpRequest.getSession();
HttpServletResponse httpResponse = (HttpServletResponse) response;

// check token and redirect if it is correct
if (request.getParameter("user") != null
        && "LOG_IN_ME_PLEASE".equals(request.getParameter("token"))) {

    SimpleTokenPrincipalImpl sessionPrincipal = new SimpleTokenPrincipalImpl(request.getParameter("user"));
    session.setAttribute(TOKEN_PRINCIPAL_SESSION_ATTR, sessionPrincipal);
    // redirect to the same URL without the query string, so the token does not stay in the address bar
    httpResponse.sendRedirect(httpRequest.getRequestURL().toString());
    return;
}

// session already has a principal, use wrapped HttpServletRequest
SimpleTokenPrincipalImpl principal = (SimpleTokenPrincipalImpl) session.getAttribute(TOKEN_PRINCIPAL_SESSION_ATTR);
if (principal != null) {
    HttpServletRequest authenticatedRequest = new ServletRequestWrapper(httpRequest, principal);
    chain.doFilter(authenticatedRequest, response);
    // stop here, otherwise the chain would be invoked a second time below
    return;
}

// there are no SSO attributes, just use standard behaviour
chain.doFilter(request, response);

You can find this demo project on GitHub:

Hope it will help you to develop your own auth integration.

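A hardened variant of the token check from the answer above, as an added example that is not part of the original post or of the demo project: instead of one fixed token, the external application sends the user name, an expiry timestamp and an HMAC-SHA256 tag over both, computed with a shared secret. The class name SignedLoginToken, the message layout (user, newline, expiry) and the sample secret are assumptions made for this illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (not a CUBA class): verifies a signed, short-lived login token.
public class SignedLoginToken {
    private final SecretKeySpec key;

    public SignedLoginToken(byte[] sharedSecret) {
        this.key = new SecretKeySpec(sharedSecret, "HmacSHA256");
    }

    // What the external application computes: base64url(HMAC-SHA256(user + "\n" + expiry)).
    public String sign(String user, long expiresEpochSec) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal((user + "\n" + expiresEpochSec).getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // True only for an unexpired token whose tag matches this user and this expiry.
    public boolean verify(String user, String expires, String token, long nowEpochSec) {
        if (user == null || expires == null || token == null) return false;
        try {
            long exp = Long.parseLong(expires);
            if (exp < nowEpochSec) return false; // token has expired
            byte[] expected = sign(user, exp).getBytes(StandardCharsets.US_ASCII);
            byte[] actual = token.getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (NumberFormatException | GeneralSecurityException e) {
            return false; // malformed expiry or unavailable algorithm: reject
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret; a real one is loaded from configuration, not from source.
        SignedLoginToken t = new SignedLoginToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis() / 1000;
        String exp = Long.toString(now + 60);
        String token = t.sign("admin", now + 60);
        System.out.println("valid token:   " + t.verify("admin", exp, token, now));
        System.out.println("other user:    " + t.verify("other", exp, token, now));
        System.out.println("after expiry:  " + t.verify("admin", exp, token, now + 120));
    }
}
```

In the filter, a call to verify would take the place of the `"LOG_IN_ME_PLEASE".equals(...)` comparison, with the expiry passed as an extra request parameter. The tag binds the token to one user name and one time window, so a value copied from a URL or log cannot be reused for another account or after it expires.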


sso-login-by-token doesn’t work on CUBA 6.6 (login is impossible)




It is expected behaviour, since we throw UnsupportedOperationException from authenticate method. In 6.6 we have changed the behaviour of external auth. Previously, if an external authentication (LDAP or SSO) was on, a user could bypass it if he or she had a valid password set in the application security subsystem. Now it is possible only if the user’s login is also listed in the cuba.web.standardAuthenticationUsers application property.