Level 3

Solved

Trusted Credential in SSO

Forum|Forum|10 years ago
October 16, 2015
10 replies
2217 views

Hi,
I'm working in add users from other app and login into CQ5. One of the ideas is to use Trusted Credential Attribute. However, it's seems to be deprecated for security issues.

Someone can confirm this? What's the other alternative?

Thanks,

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by Sham_HC

avalers wrote...

Should be work if I use in my custom AuthenticationHandler?

The auth handler sits on top of the repository where as the login module acts inside the repository. The login module allows logins directly on the jcr API, eg via jcr remoting, webdav.... on the other side the auth handler only works when accessing via sling. if you choose to go with the AuthenticationHandler use com.day.crx.security.token.TokenUtil#createCredentials as Trusted Credentials is deprecated.

Sham_HC

Level 10

This is to confirm trust_credentials_attribute is deprecated.
Workaround is implement an custom loginmodule in that override isPreAuthenticated method also & deploy as OSGi fragment.

S

Sam205505050

Level 6

Even though you see this message in error.log but it is still valid. I have implemented cookie and header based SSO in 5.6.1 using Trusted Credential Attribute in repoasitory.xml

A

avalersAuthor

Level 3

could you share with me your example? The code when you set the trusted-credentials?

A

avalersAuthor

Level 3

Could you provide more information and some examples?

Thanks,

Sham_HC

Level 10

avalers wrote...

Could you provide more information and some examples?

Thanks,

High level steps at http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html

A

avalersAuthor

Level 3

thank you so much!

what's the difference with this approach:

https://issues.apache.org/jira/browse/JCR-3293

Should be work if I use in my custom AuthenticationHandler?

Subject s = getAndPopulateTheSubject(); Session session = Subject.doAs(s, new PrivilegedExceptionAction() {public Session run() throws RepositoryException {return repository.login(); } });

Sham_HCAccepted solution

Level 10

avalers wrote...

Should be work if I use in my custom AuthenticationHandler?

The auth handler sits on top of the repository where as the login module acts inside the repository. The login module allows logins directly on the jcr API, eg via jcr remoting, webdav.... on the other side the auth handler only works when accessing via sling. if you choose to go with the AuthenticationHandler use com.day.crx.security.token.TokenUtil#createCredentials as Trusted Credentials is deprecated.

S

Sam205505050

Level 6

I've used OOTB SSO authentication handler and modified repository.xml as follows-

And in case we need to write custom auth handler then we can write logic in extractCredentials method and direct the user in authenticationSucceeded method.

A

avalersAuthor

Level 3

Do you have information regarding tokenCredentials. I made this implementation:

credentials = new SimpleCredentials(extractedUserId, extractedPassword.toCharArray());
credentials.setAttribute(".token", "");
   credentials.setAttribute(trustCredentials, "this value is inconsequential");
   TokenCredentials tc = new TokenCredentials((String)credentials.getAttribute(".token"));
   AuthenticationInfo authInfo = new AuthenticationInfo("TOKEN", credentials.getUserID());

However, I received this error:

java.lang.IllegalArgumentException: Invalid token ''
at org.apache.jackrabbit.api.security.authentication.token.TokenCredentials.<init>(TokenCredentials.java:42)

A

avalersAuthor

Level 3

It's possible to do this without provide any user and password?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded