Receive requests for login/logout actions from an external web application

I need to integrate my CUBA application with an external Java Web Application. The user’s authentication is performed by the external Application (by login/password), after that, if the web user presses a link button, he/she will be redirected to my Cuba Application with a request of login as explained below.

What I need is to replace the standard login page with a CUBA service able to (removing also from the CUBA’s Web GUI every “logout buttons”):

  1. receive an HTTP GET request for a login action (from the external App) with a token parameter in a query string as this: http://URL:PORT/myCubaApp?tokenSSO=XXXX-XXX-XXX
  2. call back an external SOAP Service replying with the received token and with a logout URL (a function of the token as: http://URL:PORT/myCubaApp/logout?tokenSSO=XXXX-XXX-XXX)
  3. parse the SOAP response:
    (a) if it’s OK the service starts a user session (mantaining the token into the session itself), mapping some received infos (from SOAP response) with a user/password/role in my CUBA Application
    (b) if it’s an KO response the service shows an error page (no authentication)
  4. in case of 3-(a), the service is able to receive the external logout request in the form of the provided logout URL (see 2) in order to logout the specific user session, in any case the session will go in timeout in case of inaction for XX minutes.

What’s the best way to implement this scenario?

At the moment I’m using the latest stable version of the Cuba Platform (the 6.7.2 version).

Hi,

Your case is similar to Facebook authentication that we’ve implemented in social-login demo: GitHub - cuba-platform/sample-social-login: Custom authentication for CUBA Applications using Facebook This example is useful when you create custom authentication using another services OAauth / SSO / etc. Login redirect and callback are implemented here in extended login window: sample-social-login/ExtAppLoginWindow.java at master · cuba-platform/sample-social-login · GitHub

Also, there is IdpAuthProvider that implements CubaAuthProvider interface. IdpAuthProvider doFilter handles external login requests with special parameters and redirects all unauthenticated users to an external login form: Single-Sign-On for CUBA Applications - CUBA Platform. Developer’s Manual If session is already authenticated then it wraps standard http request with IdpServletRequestWrapper that provides authenticated Principal. The principal instance from a http request is used later in App class to perform loginOnStart() in DefaultApp. You can use IdpAuthProvider as an example of such an external authentication.

Thank you very much for your quick reply Yury!
Is there any example/code, in Github or other places, in order to manage an external logout request too?
I need to manage a request of logout, and using a token (the same used in login fase) to be able to logout the correct Cuba user session.

Yes, see com.haulmont.cuba.web.controllers.IdpLogoutCallbackController#logout and com.haulmont.cuba.security.idp.IdpServiceBean#logoutUserSession method that finds session by session attribute and performs session kill.

Great! :slight_smile: Thank you very much

Hi Yuri,
i’m trying to use CubaAuthProvider with cuba 6.7.2 with pure source code example without any modify and it doesn’t work. I don’t have any error on log and server but login doesn’t work and always I have a redirect to login form.
There are some problem with that example and new version of cuba 6.7.2?

Thanks.

See my answer here: External Login fail implements CubaAuthProvider - #3 от пользователя artamonov - CUBA.Platform