Trusted Credential in SSO | Community
Level 3
October 16, 2015
Solved

Trusted Credential in SSO

  • October 16, 2015
  • 10 replies
  • 2217 views

Hi,
I'm working on adding users from another app and logging them into CQ5. One of the ideas is to use the Trusted Credential Attribute. However, it seems to be deprecated for security issues.

Can someone confirm this? What's the other alternative?

 

Thanks,


10 replies

Sham_HC
Level 10
October 16, 2015

This is to confirm trust_credentials_attribute is deprecated.
The workaround is to implement a custom login module, override the isPreAuthenticated method in it as well, and deploy it as an OSGi fragment.

Level 6
October 16, 2015

Even though you see this message in error.log, it is still valid. I have implemented cookie- and header-based SSO in 5.6.1 using the Trusted Credential Attribute in repository.xml.

avalers (Author)
Level 3
October 16, 2015

Could you share your example with me? The code where you set the trusted-credentials?

avalers (Author)
Level 3
October 16, 2015

Could you provide more information and some examples?

Thanks,

Sham_HC
Level 10
October 16, 2015

avalers wrote...

Could you provide more information and some examples?

Thanks,

 

High level steps at http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html

avalers (Author)
Level 3
October 16, 2015

Thank you so much!

What's the difference with this approach:

https://issues.apache.org/jira/browse/JCR-3293

Should it work if I use it in my custom AuthenticationHandler?

    Subject s = getAndPopulateTheSubject();
    Session session = Subject.doAs(s, new PrivilegedExceptionAction<Session>() {
        public Session run() throws RepositoryException {
            return repository.login();
        }
    });

Sham_HC
Accepted solution
Level 10
October 16, 2015

avalers wrote...

Should it work if I use it in my custom AuthenticationHandler?

The auth handler sits on top of the repository, whereas the login module acts inside the repository. The login module allows logins directly on the JCR API, e.g. via JCR remoting, WebDAV... On the other hand, the auth handler only works when accessing via Sling. If you choose to go with the AuthenticationHandler, use com.day.crx.security.token.TokenUtil#createCredentials, as Trusted Credentials is deprecated.
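
One way to apply the accepted answer's suggestion, added here as an example and not code from the thread or from Adobe: a custom Sling AuthenticationHandler that accepts an SSO header only from a known proxy address and then obtains token credentials through TokenUtil#createCredentials, so no password and no trusted-credentials attribute is involved. The class name, header name and proxy address are assumptions, and the createCredentials parameter list used here (request, response, repository, user ID, HttpOnly flag) should be checked against the API documentation of the installed CQ/AEM version.

```java
import java.util.Collections;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import com.day.crx.security.token.TokenUtil;

// Hypothetical handler: class name, header name and proxy address are assumptions.
public class HeaderSsoAuthenticationHandler implements AuthenticationHandler {
    private static final String SSO_HEADER = "X-SSO-User"; // hypothetical header name
    // Constructed value: address of the SSO reverse proxy allowed to assert identities.
    private static final Set<String> TRUSTED_PROXIES = Collections.singleton("10.0.0.5");
    private final SlingRepository repository; // supplied by the OSGi component wiring

    public HeaderSsoAuthenticationHandler(SlingRepository repository) {
        this.repository = repository;
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request,
                                                 HttpServletResponse response) {
        // The header stands in for a password, so only the SSO proxy may supply it.
        if (!TRUSTED_PROXIES.contains(request.getRemoteAddr())) {
            return null; // not our request; let other handlers decide
        }
        String userId = request.getHeader(SSO_HEADER);
        if (userId == null || userId.trim().isEmpty()) {
            return null;
        }
        try {
            // Creates a login token for userId and sets the login-token cookie;
            // the final argument asks for that cookie to be HttpOnly.
            return TokenUtil.createCredentials(request, response, repository, userId.trim(), true);
        } catch (RepositoryException e) {
            return AuthenticationInfo.FAIL_AUTH; // fail closed
        }
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) {
        return false; // login is started by the SSO system, not by this handler
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // nothing to clear: this handler keeps no state of its own
    }
}
```

Because this handler runs only for requests that come through Sling, direct JCR access paths such as remoting or WebDAV never see the header, which matches the distinction drawn in the answer above.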

Level 6
October 16, 2015

I've used the OOTB SSO authentication handler and modified repository.xml as follows:

<LoginModule class="com.day.crx.core.CRXLoginModule">
    <param name="trust_credentials_attribute" value="TrustedInfo"/>
    <param name="anonymous_principal" value="anonymous"/>
</LoginModule>

And in case we need to write a custom auth handler, we can write the logic in the extractCredentials method and direct the user in the authenticationSucceeded method.

avalers (Author)
Level 3
October 16, 2015

Do you have information regarding TokenCredentials? I made this implementation:

    credentials = new SimpleCredentials(extractedUserId, extractedPassword.toCharArray());
    credentials.setAttribute(".token", "");
    credentials.setAttribute(trustCredentials, "this value is inconsequential");
    TokenCredentials tc = new TokenCredentials((String) credentials.getAttribute(".token"));
    AuthenticationInfo authInfo = new AuthenticationInfo("TOKEN", credentials.getUserID());

 

However, I received this error:

 

java.lang.IllegalArgumentException: Invalid token ''
    at org.apache.jackrabbit.api.security.authentication.token.TokenCredentials.<init>(TokenCredentials.java:42)

avalers (Author)
Level 3
October 16, 2015

Is it possible to do this without providing any user and password?