SOLVED

Trusted Credential in SSO

Level 3

Hi,
I'm working on adding users from another app and logging them into CQ5. One of the ideas is to use the Trusted Credential Attribute. However, it seems to be deprecated for security issues.

Can someone confirm this? What's the other alternative?

 

Thanks,

10 Replies

Level 10

This is to confirm that trust_credentials_attribute is deprecated.
The workaround is to implement a custom login module, override the isPreAuthenticated method in it as well, and deploy it as an OSGi fragment.

Level 6

Even though you see this message in error.log, it is still valid. I have implemented cookie- and header-based SSO in 5.6.1 using the Trusted Credential Attribute in repository.xml.

Level 3

Could you share your example with me? The code where you set the trusted-credentials?

Level 3

Could you provide more information and some examples?

Thanks,

Level 10

avalers wrote...

Could you provide more information and some examples?

Thanks,

 

High level steps at http://www.wemblog.com/2012/06/how-to-add-custom-login-module-in-cq55.html

Level 3

Thank you so much!

What's the difference with this approach:

 

https://issues.apache.org/jira/browse/JCR-3293

Would it work if I use it in my custom AuthenticationHandler?

    Subject s = getAndPopulateTheSubject();
    Session session = Subject.doAs(s, new PrivilegedExceptionAction<Session>() {
        public Session run() throws RepositoryException {
            return repository.login();
        }
    });

Correct answer by
Level 10

avalers wrote...

Would it work if I use it in my custom AuthenticationHandler?

The auth handler sits on top of the repository, whereas the login module acts inside the repository. The login module allows logins directly on the JCR API, e.g. via JCR remoting, WebDAV, and so on. On the other hand, the auth handler only works when accessing via Sling. If you choose to go with the AuthenticationHandler, use com.day.crx.security.token.TokenUtil#createCredentials, as Trusted Credentials is deprecated.

Level 6

I've used the OOTB SSO authentication handler and modified repository.xml as follows:

<LoginModule class="com.day.crx.core.CRXLoginModule">
    <param name="trust_credentials_attribute" value="TrustedInfo"/>
    <param name="anonymous_principal" value="anonymous"/>
</LoginModule>

And in case we need to write a custom auth handler, we can write the logic in the extractCredentials method and direct the user in the authenticationSucceeded method.

Level 3

Do you have information regarding tokenCredentials? I made this implementation:

    credentials = new SimpleCredentials(extractedUserId, extractedPassword.toCharArray());
    // ".token" is set to the empty string here, and that value is what
    // TokenCredentials receives two lines below
    credentials.setAttribute(".token", "");
    credentials.setAttribute(trustCredentials, "this value is inconsequential");
    TokenCredentials tc = new TokenCredentials((String) credentials.getAttribute(".token"));
    AuthenticationInfo authInfo = new AuthenticationInfo("TOKEN", credentials.getUserID());

 

However, I received this error:

 

java.lang.IllegalArgumentException: Invalid token ''
    at org.apache.jackrabbit.api.security.authentication.token.TokenCredentials.<init>(TokenCredentials.java:42)

Level 3

Is it possible to do this without providing any user and password?