My Application requires a Siteminder SSO login. I am able to capture the SM_USER which is the Employee Id by
request.getHeader("SM_USER");
Now I want to capture the Employee Name which is stored in Cookie.
I used request.getHeader("Cookie");
The cookie which I am getting is like
lcid=1033; IDEALDOMAIN=53AvKXzgyShYOE5+I4sX4Q==; SUPERUSER=False; ADIDMAPPINGFLAG=7LQlj8/2nvgLQlH4X/M4Gw==; INITMAPPINGSTATE=True; LDAPVALIDATIONFLAG=53AvKXzgyShYOE5+I4sX4Q==; SSOCONTENTNAME=IXK93MPqLZSIGwzx7YZ31XI8LtsJuLAActhQvcJy7sw=; SSOCONTENTEMAIL=Pym0Td3ayVI/gasQDYx0GJGt78jalJIJGLlFLVGsod8=; EID=AljFH+Zu6YpIYtFVw7TEZw==; IDMPROVISIONED=True; AD=Uyv5wIQS5rx76pd0hBocfg==; ACTIVEVIEW=vopKOOSRtqVJg2cbvwFkYg==; AMP_Session={"**username**":"**xxxxxxxx xxxxx**","opened": true}; JSESSIONID=0000DW8l91J8oZilIKjHYvb_Ahi:19t5pcqiq; SMSESSION=CC9Ac8JxZgpw+MsV6jIUKKjRtm2QCzBhon7hTZSfab/ceK0ZKij8SWXKN2D03jVA+KaGGrGPKoKY/Y3H34i9ymeNu9Ff7vtWhxbSekIzYc9KNQc0lYwxs/eWX0YKVDCZzakh5kR6n78UY/IOMQQN1p8mK2nZ2E7JI8vQDhT1o/IBHbIjfbS+o/a4r+IoUvrA5QcVBSHTeK8SifojnhSVWwi6kl/MQzmlDCuznDiCZpR9FR4k84BtNhArbME2Iq5lvZo7JeLnIFgqva4QqgVYh5fqbdme7b0YqzOvfRJoEHTn2dHYbPw0cQBsxaHRE49/vNrOL0VB6IOTUsD7rq8HL+WXhyaYp2kZLmvsroWcdGkikSwyp/u+p4I0Weeg+vqr8NhD6h4M/EYTEFKpB6nRhavj5sGnG5I2L9L66KNL3cPvU60YtTvUA4i0X/yBys7KI8mwHYUCA1vH/OUWVDW3Q0aOLN1ZF53G2vwBCYoc5EuYZ/Wg6SaUe5WOu1J8QS7LL7G1H5QqzojrcOOMWhqtjdkJOznODh4tuQieoB+TSkt7z/XHnUeqiagH8MCfF4zsd8pVXDsnc7of+RZpq/VKbTCXPQHP21ncNnB4Z8Miqnn5EMmAKdmJopZ/petU4UvNttGFoU4jJQl6ZgSEyrvqBnQFFVf0HQtqnt3zT64JajVrlFLITT/+wd//dAHsqtbLMLQcrsCU9aWRszP5toLXMn2rj1n8dRkcDbYwoSA5PWqSiHM3RcbKlO7Ej7Oe4FqOwITKde4yLE211JmMEEPvH42Bvg+1H/OrUJVQ3YfgkRFKu12oL5BubfjveknmK4r8wp8r3LTq/Rz58zkiwUj1J0qNAQ5BlHbL53vJdBZebQT0lpjTQ2KTOi96JlPkWhR2AnG71ZaIbfUsWz9QPYH55zc9KzbJE0AreyD/eJG9XcSkP6cV7gjsUDCUZk2i+H2iqO3tNQDMgUuZb65i7+CQKWlYixHYuo66zvrUql//1hdm8YiBDzNPRm4SIVKOcZkPk/H9MQYnTWa5fKppDVShcyCSNF6YME8038qg5mv5m7oF+0AfyxmzHeJ+Ddvy95NO
Now How can I get the username from this Cookie
Just like you are using request.getHeader("SM_USER") to obtain the userid, the usual suggestion in the Siteminder world is to use the so-called Response for Siteminder to help you retrieve whatever user attributes you need, in the case the Employee Name, and make them available in the Header for you. In short, you would need to ask your Siteminder administrator to configure this for you.
Since Cookie lives on a Browser, so unless the Cookie is encrypted, the user on the Browser would be able to tamper it and render the Cookie useless. If a Cooke is encrypted, then your program would need to know how to decrypt it and hence you would have a far more challenging task to do.
Related
I have developed Rest API basic authentication, I am able to get the JSON response only when I test using Advanced Rest Client plugin(for Chrome), But how to access the JSON response by passing username and password in URL? How can others consume my rest API? Do I need to give any login popup? How can I achieve this? Any help would be highly appreciated.
your method should be POST and you need to create a encripted token for every login, and you need to active that token up to user logged out or anything else, you can store that token in browser cache, when user logged out then remove that token as well. for every user action you need to verify that token. you can generate token using MD5 also.
i think it may help you.
I need to acess the name of the user of the Proxy, our server is Jboss6.4, when this user enter in my URL, I'm using ServletRequestListener, with the object HttpServletRequest, but I can't find the user.
String user1= request.getUserPrincipal().getName();
String user2 = request.getRemoteUser();
Both's are null, I need to do authentication without use a typical modal window or formular, I want to do this automatic, my idea it's use the LogonId of the User that he use in the Proxyof the browser and afterwards check in my LDAP directory if exist and the rights are correct.
To acess to the URL, the user first has to login in the browser because we have a proxy, my idea is take the id of the user from the proxy, but Ican't find it..
Unless your proxy is setting a header containing the username in the forwarded HTTP requests, you won't have the ability to retrieve the username used to connect to the proxy.
What you want to achieve looks like SSO but a simple proxy won't achieve SSO.
I'm trying to implement token authentication for a REST service based on Spring MVC.
I'm followiong this SO answer: https://stackoverflow.com/a/10864088/1061499 as guideline, but now I need to understand some server-side detail.
When an user is successfully authenticated (first time via username + password) I return a token that stores some information.
When the same user sent his token in a request header, I need to identify the associated user and define if is "session" is still alive.
So the way are basically two:
encrypt the token with an algorithm (which one?) I can also use to decrypt on server side and extract user information
store token-user association info in application DB also storing session info.
Most suggest the first solution, without storing any info about authentication in DB, but this solution seems to me less secure.
Any suggestion?
According to Foursquare's dev site, venue details do not require user auth:
HTTP Method GET
Requires Acting User No (learn more)
Modes supported foursquare, swarm (learn more)
But the example uses a oauth token and if you try searching with your client credentials, you get a 400 response.
https://api.foursquare.com/v2/venues/4b522afaf964a5200b6d27e3?client_id=MY_CLIENT_ID&client_secret=MY_CLIENT_SECRET&v=20140714
returns:
{"meta":{"code":400,"errorType":"invalid_auth","errorDetail":"Missing access credentials. See https:\/\/developer.foursquare.com\/docs\/oauth.html for details."},"response":{}}
Does anybody know of a way to get venue details without having user logged in?
Sigh
The issue was with my code. I was putting my client ID in twice.
just so everybody knows, the above works :)
I am developing a small REST-webservice for non critical data which will mainly be accessed by a smartphone application. For limiting the access of the users to their individual data (the authorization does not need groups or roles), I need to implement some sort of basic authentification.
As the service will be accessed over HTTP, using HTTP-Authentification seems to be no good idea as the username and password will be sent in cleartext on every request and need to be stored on the client device.
Thus, my idea was to implement authentification the following way:
The user logs on using a login method of my webservice passing their username / password
This method checks the validity of the username / password combination (based on a database containing salted and hashed passwords)
If the login is successful, the id of the user (primary key of the database table) is stored in the session as an attribute
In the following requests, this attribute is used to authentificate the user
In code, my login method would look like the following:
User user = this.authentificate(username, password);
HttpSession session = request.getSession(true);
if (user != null)
session.setAttribute("UserId", user.getId());
else
session.invalidate();
Afterwards, I would be able to authentificate the user based on the session:
int userId = (int) request.getSession().getAttribute("UserId");
User currentUser = getUserById(userId);
Can this approach be considered as "secure" (no easy session highjacking possible - as far as I understood https://stackoverflow.com/a/5838191/232175 , the attributes' values won't leave the server)?
Are there any downsides or alternatives?
With regard to storing the user id in the session, I think that is OK, but you have another problem.
First, I would assume that the login method would be over HTTPS, otherwise the username and password would be sent in clear text to the login method and you are right back to the same problem you had before.
Second, if the login method were over HTTPS, then the session cookie would be an HTTPS cookie and all other API calls would also need to be over HTTPS. If subsequent calls were over HTTP, they would get a new session cookie and the user id would be unavailable in that session.
If you really want secure authentication without HTTPS, you would need to use a shared secret signing scheme (e.g. HMAC) or an asymmetric signing system like RSA to have the client sign requests and then validate those signed requests server side.