SSO Revalidation
Provides an SSO revalidation script which, if it returns true, re-triggers the SSO to re-authenticate the user. If the script returns true, the SSO authentication scripts are run again; if it returns false, the user's current login session is used. When the revalidation script returns true, the Get SSO Auth script executes and the authentication provider runs.
This script is enabled by selecting the Enable SSO Filter and Enable SSO Revalidation check boxes on the Security Manager tab. This shows the SSO Revalidation tab, where the script can be modified.
Where the execution path returns true, the script should log out from the Spring Security context. This invalidates the current session. You may be required to copy session attributes from the existing session, log out, then write them to the new session. This is how to log out from the Spring Security context:
```groovy
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler

// Clears the SecurityContextHolder and invalidates the current HTTP session
SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler()
securityContextLogoutHandler.logout(request, null, null)
```
The intent of this script is to look at changes in the request headers which can trigger the re-authentication process. Examples:
- Checking the "referer" header, and revalidating if the request is not coming from a Journey Manager Form Space or Federated Endpoint
- Checking a header that holds the user login name against currentUserAuthentication.getUsername()
This Groovy script is executed by the SSOAuthenticationFilter.
Script Interface
```groovy
/* Provides a Groovy script to determine whether the request's session requires revalidation.
Script parameters include:
request : javax.servlet.http.HttpServletRequest
  (http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html)
currentUserAuthentication : org.springframework.security.core.Authentication
  (http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/Authentication.html)
portal : com.avoka.fc.core.entity.Portal
  (../../javadoc/com/avoka/fc/core/entity/Portal.html)
securityManager : com.avoka.fc.core.entity.SecurityManager
  (../../javadoc/com/avoka/fc/core/entity/SecurityManager.html)
Script return:
true if revalidation is required, otherwise false. NOTE: script must return a boolean result.
*/
```
Service Invoke Parameters
| Parameter | Description | Optional |
|---|---|---|
| request | the HTTP servlet request | no |
| currentUserAuthentication | the current user's Spring Security authentication token | no |
| portal | the portal associated with the user's request | no |
| securityManager | the SecurityManager configuration entity | no |
Error Handling
This script should generally not throw any errors. It should simply return true if re-authentication is required, or false otherwise. Any errors thrown will be logged to the Journey Manager Error Log table by the SSOAuthenticationFilter.
Examples
The example script below requires re-authentication if the referer header has changed. This can be useful in the scenario where a user opening a new form on a client's web site should be re-authenticated, to ensure we have their latest profile information for form prefill.
```groovy
/* Provides a Groovy script to determine whether the request's session requires revalidation.
Script parameters include:
request : javax.servlet.http.HttpServletRequest
currentUserAuthentication : org.springframework.security.core.Authentication
portal : com.avoka.fc.core.entity.Portal
securityManager : com.avoka.fc.core.entity.SecurityManager
Script return:
true if revalidation is required, otherwise false
*/
import com.avoka.core.groovy.GroovyLogger as logger
import org.apache.commons.lang3.StringUtils
import com.avoka.fc.core.service.EventLogService
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler

EventLogService eventLogService = new EventLogService()

// Set to true to record each decision in the Journey Manager event log while debugging
boolean debugLogging = false
def logEvent = { msg ->
    if (debugLogging) {
        eventLogService.logInfoEvent("SSO Revalidation Script: " + msg, request)
    }
}

def msg = ""
String referer = request.getHeader("referer")

// No referer, or no portal context path to compare against: keep the current session
if (StringUtils.isBlank(referer) || StringUtils.isBlank(portal.getContextPath())) {
    msg += "\n either referer or portal context path is blank. Revalidate=false"
    logEvent(msg)
    return false
}
// Request came from within the portal itself
if (referer.toLowerCase().startsWith(portal.getContextPath().toLowerCase())) {
    msg += "\n referer is from the portal. Revalidate=false"
    logEvent(msg)
    return false
}
// Request came back from the federated (ADFS) endpoint after authentication
if (referer.toLowerCase().startsWith("https://{adfs server domain name}/adfs")) {
    msg += "\n referer is from the federated endpoint. Revalidate=false"
    logEvent(msg)
    return false
}
// Any other origin: drop the Spring Security session so the SSO authentication scripts run again
msg += "\n referer is from a separate URL. Logging out spring security context. Revalidate=true"
logEvent(msg)
new SecurityContextLogoutHandler().logout(request, null, null)
return true
```
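The second trigger listed earlier (a login-name header compared against the authenticated user), combined with the copy-then-logout-then-rewrite of session attributes described above, as an added example that is not part of the Journey Manager documentation. The header name X-Sso-Login and the preserved attribute name are assumptions; the script uses Authentication.getName() from the Spring interface and assumes the SSO gateway in front of the filter strips any client-supplied copy of that header.

```groovy
/* Added example: revalidate when the login name asserted by the SSO gateway header
   no longer matches the principal held in the current Spring Security session. */
import org.apache.commons.lang3.StringUtils
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler

// Header written by the SSO gateway (assumed name; must not be forwardable by the client)
final String LOGIN_HEADER = "X-Sso-Login"
// Session attributes to carry across the logout (assumed name)
final List<String> KEEP_ATTRS = ["formPrefillCache"]

String headerLogin = request.getHeader(LOGIN_HEADER)
String currentLogin = currentUserAuthentication?.getName()

// No header or no authenticated principal: there is nothing to compare, so keep the
// existing session rather than forcing a re-authentication loop.
if (StringUtils.isBlank(headerLogin) || StringUtils.isBlank(currentLogin)) {
    return false
}
// Same principal behind the session: no revalidation needed.
if (headerLogin.trim().equalsIgnoreCase(currentLogin.trim())) {
    return false
}

// A different principal now sits behind this session. Preserve the selected attributes,
// invalidate the session and clear the security context, then restore them into the
// new session so the SSO authentication scripts run against a clean principal.
Map<String, Object> saved = [:]
def oldSession = request.getSession(false)
if (oldSession != null) {
    KEEP_ATTRS.each { name ->
        def value = oldSession.getAttribute(name)
        if (value != null) {
            saved[name] = value
        }
    }
}
new SecurityContextLogoutHandler().logout(request, null, null)
def newSession = request.getSession(true)
saved.each { name, value -> newSession.setAttribute(name, value) }
return true
```

Because both the referer and any gateway header are set by whatever sits in front of the filter, treat these checks as a trigger for re-authentication rather than as the authentication decision itself; the authentication provider that runs afterwards still decides who the user is.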