Integrate CUBA Application with an external Web Application

dpicheo · May 27, 2017, 5:37pm

Hi All,

I need (urgently) to integrate my CUBA web application with an external web application (EWA), so I need to code an auto-login procedure in order to avoid to show the standard login page when the application is called by the EWA.

As first integration attempt I’d settle with a little insecure fashion like the EWA will call the URL of my CUBA Application sending a convetional username/password credentials into the query string (e.g. as MD5 encoded pair) that will correspond to a correct CUBA user.

The idea is: if the query string will contain the credential, I’ll login automatically my application, otherwise I’ll show the login page: how to do it?

Thanks for whatever support you are able to provide!

Kind regards

artamonov · June 15, 2017, 2:20pm

Hi,

You could implement it using custom CubaAuthProvider.

First of all, create class SimpleTokenAuthProvider in your web module:


public class SimpleTokenAuthProvider implements CubaAuthProvider {
    @Override
    public void authenticate(String login, String password, Locale messagesLocale) throws LoginException {
        throw new UnsupportedOperationException("Use standard auth only");
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // do nothing
    }

    @Override
    public void destroy() {
        // do nothing
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // here we will implement SSO logic for simple hard-coded token
    }
}

We will use two additional internal classes: SimpleTokenPrincipalImpl and ServletRequestWrapper.

SimpleTokenPrincipalImpl will be implementation of java.security.Principal:


public static class SimpleTokenPrincipalImpl implements Principal {
    private final String userName;

    public SimpleTokenPrincipalImpl(String userName) {
        this.userName = userName;
    }

    @Override
    public String getName() {
        return userName;
    }
}

ServletRequestWrapper will extend javax.servlet.http.HttpServletRequestWrapper:


public static class ServletRequestWrapper extends HttpServletRequestWrapper {
    private final SimpleTokenPrincipalImpl principal;

    public ServletRequestWrapper(HttpServletRequest request, SimpleTokenPrincipalImpl principal) {
        super(request);
        this.principal = principal;
    }

    @Override
    public Principal getUserPrincipal() {
        return principal;
    }
}

In fact, any CubaAuthProvider is a HttpFilter that is invoked on each HTTP request.

We will check request parameter “token” and if it is a correct token, then login user as passed user name.
For instance: http://localhost:8080/app?token=LOG_IN_ME_PLEASE&user=admin will login as “admin”.

Our auth logic:


HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpSession session = httpRequest.getSession();
HttpServletResponse httpResponse = (HttpServletResponse) response;

// check token and redirect if it is correct
if (request.getParameter("user") != null
        && "LOG_IN_ME_PLEASE".equals(request.getParameter("token"))) {

    SimpleTokenPrincipalImpl sessionPrincipal = new SimpleTokenPrincipalImpl(request.getParameter("user"));
    session.setAttribute(TOKEN_PRINCIPAL_SESSION_ATTR, sessionPrincipal);
    httpResponse.sendRedirect(httpRequest.getRequestURL().toString());
    return;
}

// session already have principal, use wrapped HttpServletRequest
SimpleTokenPrincipalImpl principal = (SimpleTokenPrincipalImpl) session.getAttribute(TOKEN_PRINCIPAL_SESSION_ATTR);
if (principal != null) {
    HttpServletRequest authenticatedRequest = new ServletRequestWrapper(httpRequest, principal);
    chain.doFilter(authenticatedRequest, response);
    return;
}

// there is no SSO attributes, just use standard behaviour
chain.doFilter(request, response);

You can find this demo project on GitHub: GitHub - cuba-labs/sso-login-by-token

Hope it will help you to develop your own auth integration.

marcin.zawadowicz · September 13, 2017, 3:00pm

Hi.

sso-login-by-token don’t work on CUBA 6.6 (login is imposible)

Regards
Marcin

Screenshot_20170913_165920

artamonov · September 15, 2017, 1:23pm

Hi,

It is expected behaviour, since we throw UnsupportedOperationException from authenticate method. In 6.6 we have changed the behaviour of external auth. Previously, if an external authentication (LDAP or SSO) was on, a user could bypass it if he or she had a valid password set in the application security subsystem. Now it is possible only if the user’s login is also listed in the cuba.web.standardAuthenticationUsers application property.