I turned on security authentication in my orbeon app and now I log in remotely to the app via rest api (I send post request on url https://localhost:8444/orbeon/j_security_check).
Now I want to logout from my app but I don't know where to send the request.
I would check what happen (what http request is issued) after I click logout button but there is no logout button in orbeon.
All I found in documentation is this:
<p:processor name="oxf:session-invalidator"/>
but I have no idea how to use it.
Please help
Since you mention j_security_check, I imagine that you've setup FORM-based authentication in Orbeon Forms' web.xml. Note that you're here in pure "servlet territory"; there isn't much of this that is specific to the Orbeon Forms web app in particular. Since you're using FORM-based authentication, the server knows who you are after you logged in because the browser sends the JSESSIONID cookie Tomcat set when you logged in. To logout, you want to tell Tomcat "invalidate that session". To do so:
The simplest way is most likely to write a JSP that calls session.invalidate().
If you're already doing things with XPL within Orbeon Forms, you can write an XPL file that calls the <p:processor name="oxf:session-invalidator"/> and hook that XPL to a URL through the page flow.
Related
On a tomcat-7 instance I have ApplicationA, ApplicationB and SSO vavle turned on. Both applications are servlet-based and secured with form security method.
When I use web browser, SSO works as intended: when I open ApplicationA for the first time, I'm prompted to enter username and login. After I pass login form I can access ApplicatioB without being asked to login.
Now the usecase is: ApplicationA needs to request some content from ApplicationB. So I open ApplicationA in web browser and enter login and password in a login form. After that ApplicationA creates HttpUrlConntection to ApplicationB to get some content but it only gets ApplicationB's login form instead as it is a new request which is not authenticated.
I expect ApplicationB to be accessed for a programmatic request from ApplicationA without login form because I've logged into SSO in a browser.
Also I need content from ApplicationB as a String in ApplicationA, so I'm not using requestDispatcher.include().
Is it possible?
Thank you.
What I tried is to set all Cookies (there are things like JSESSIONID and JSESSIONIDSSO) and headers from my browser request to HttpUrlConnection via conn.setRequestProperty() but no luck.
In order to enforce Single-Sign-On, the applications must be accessed from same client and not from different clients.
So, it is not possible because you are accessing ApplicationB via HttpUrlConnection within ApplicationA, which is now acting as a new client similar to web-browser client, although both applications are enabled SSO by Tomcat.
Also, setting cookies and headers of web-browser client session in HttpUrlConnection client session will not be honored by Tomcat because HTTP connections are coming from different clients.
I have configured CAS(v4.0.0) on Apache Tomcat and have multiple clients based on Java, Python and PHP.
What I want to achieve is when I logout from any one application and gets redirected to cas/logout, I want a popup to be opened with all the applications that particular user is logged in with and asks whether you want to log out from every application or not.
I am following the official documentation
http://jasig.github.io/cas/4.2.x/installation/Logout-Single-Signout.html
and found out Single Logout Per Service which allows me to control single logout behavior individually and I can control whether to allow a particular service to use Back Channel or Front Channel or turned off for that application but what I want to achieve is this -
1.Logging out all applications both from CAS and from browser dynamically on button click
2.Logging out a single application from CAS dynamically on button click, with all other applications having their sessions maintained on CAS server and on browser too.
3.Configuration to be changed in PHP and Python clients to handle the logout callback from CAS server.
Any help would be highly appreciated.
Logging out all applications both from CAS and from browser dynamically on button click
invoke /cas/logout. If SLO is turned on, all applications will receive a notification to logout. CAS will logout as well.
Logging out a single application from CAS dynamically on button click, with all other applications having their sessions maintained on CAS server and on browser too.
Well, you go to your application and you log out from the application. Why do you want to involve CAS? CAS is not responsible for maintaining your app and how it works. /app/logout should do the job.
Configuration to be changed in PHP and Python clients to handle the logout callback from CAS server.
You'll need to figure out if your clients support CAS SLO. If they do, they will proceed the SLO notification and kill the app session.
I'd like the view implementation for my login page to detect if its page has been downloaded via HTTPS. Then it could warn that login won't work unless the whole site is served via HTTPS, due to my checks on the server side and due to it being generally unwise. And it could avoid sending any password via regular HTTP.
Is there any way to do this in GWT client code without writing some Javascript?
Yes. This test should do it:
Window.Location.getProtocol().equals("https")
A probably better alternative would be to write a redirect to https rule (on the server side) as soon as your user hits your login page, this way you force your users to be https from the start of the login process, before you send to your server any username/password, hence they are guaranteed to be encrypted.
I'm developing some web service using Resin and at the beginning I was using a servlet to log users but I quit and decided to user a class provided by resin called AbstractAuthenticator. At the end I feel although it was easier it ended up being the same since there's no encryption and now the user and password are naked in the URL. So my question is how common it is to user servlet for a login form? What is the most common approach to this? I know I will end up using SSL since using a digest authentication provided by the browser window is very obtrusive.
That it's a servlet isn't why the username/password are in the URL, that's because it's a GET request and not a POST.
Login forms can be handled by any number of back-end technologies, while a great many people use a framework, there's no technical reason it can't be handled by a servlet.
I have a C# ASP.NET 3.5 web application which uses forms authentication. Users log in with their username and password on login.aspx, are authenicated using a custom authentication logic and are then directed to input.aspx, where they enter some parameters and get response on output.aspx. If they try to access input.aspx without authenticating themselves, they are redirected to login.aspx.
The same users want to be able to use the functionality of this web application without using the UI, from Unix environment. So I added a web service file (.asmx) to this web application. I didn't create a separate project for this web service because the web service uses code files, code in global.asax of the existing web application and I should not duplicate that code for the web service.
The web service functionality works fine now, though I don't know how to authenticate the users. The web service client will send username and password once (maybe using a 'login' webmethod, which I can write to authenticate them) and then should be able to send multiple requests (maybe until they call a 'logout' webmethod or until their session/cookies expire).
For web requests to not get redirected to login.aspx page, I excluded the .asmx file from Forms authentication using the location tag in web.config. (I don't know if that's the way to go.) But then I am thinking that the user is not then authenticated in the web application and so the web application code that the service uses, won't be accessible, right?
I would recommend a quick read on this link (http://msdn.microsoft.com/en-us/library/ms977327.aspx) and then follow it up with this one (http://msdn.microsoft.com/en-us/library/9z52by6a(VS.80).aspx). A custom security header is probably where you want to go to secure your web service outside of forms authentication. It does mean that each method call needs to have the header supplied though.