Unable to create user session in Crowd programmatically

I am developing a plugin for Crowd where I need to create a user session programmatically. Previously, I was using the Crowd HTTP authenticator for creating a user session in 2.11 and 2.12, but according to the release notes for 3.0 (link is given below), it is not available to plugin developers from 3.0.0. So I am looking for an alternative solution (alternative Crowd APIs). I have tried to use other authenticators given in the Crowd Java API docs, for example HttpAuthenticator, and even tried to set the token in the crowd.token_key cookie manually, but it did not help.

https://confluence.atlassian.com/crowd/crowd-3-0-upgrade-notes-905088628.html

Any help will be appreciated. Thanks in advance.

Hi @lokesh!

Thanks for posting this question. In order to help you with that, I would first like to understand what you are trying to achieve. I mean, what is your end goal here? Are you writing a custom plugin for Crowd that would provide an authenticator for Crowd itself, so that users logging in to Crowd would be logging in some custom way? Or maybe you are trying to integrate some custom (web?) application with Crowd (potentially using Spring?).
Please note that the reference you provided only mentions the API not being accessible by P2 plugins in Crowd, not that it cannot be used in other standalone integrations.

Having more context on what you are trying to achieve would help us provide you with the best answer for this particular problem.

Best Regards,
Marcin Kempa


Hi @mkempa ,

Thanks for your response.

We have a SAML plugin for Crowd used for SSO into the Crowd Server as well as a connected application from any SAML-compliant IdP like ADFS, Azure AD, Okta, G Suite, etc.

So based on the SAML response received from the SAML IdP, we need to log the user in to the Crowd Server.

Right now we are using the code given below.

RestCrowdHttpAuthenticationFactory.getAuthenticator().authenticateWithoutValidatingPassword(request, response, username);

Since the CrowdHttpAuthenticator is not accessible to plugin developers from Crowd 3.0.0, we are looking for an alternative solution to make the plugin compatible with Crowd 3.0.0 and later versions.

Let me know if you need further help.

Thanks,
Lokesh

Hi @mkempa,

Do you have any update on this?

Thanks,
Lokesh

Hi @lokesh

Have you tried the following:

  • get the cookie via REST (/rest/usermanagement/1/session?validate-password=false) with crowd app credentials
  • request.setAttribute("crowd.token.key", token);
  • set session cookie

If we can find a better solution we will let you know.

Pawel

Hi @pgruszczynski

Yes, I have tried the above solution. I got the token using the REST call and set it in the request and the cookie (i.e. crowd.token.key), but it is still not working.

Thanks for your time.

Thanks,
Lokesh

How does it fail?
Were the validation factors provided correctly to the rest call?

@pgruszczynski,

Thanks for getting back to me.

Yes, I have tried with the validation factor as well.

Here is my JSON request, posted to https://localhost:8443/crowd/rest/usermanagement/1/session?validate-password=false with Basic Auth.

{
  "username": "abc",
  "password": "djbjdkndkk",
  "validation-factors": {
    "validationFactors": [
      {
        "name": "remote_address",
        "value": "127.0.0.1"
      }
    ]
  }
}

and I got a response from Crowd Server with the Token.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<session expand="user">
	<token>2WAB0aDgaBGAOUgittX6IA00</token>
	<user name="abc">
		<link href="https://localhost:443/crowd/rest/usermanagement/1/user?username=abc" rel="self"/>
	</user>
	<link href="https://localhost:8443/crowd/rest/usermanagement/1/session/2WAB0aDgaBGAOUgittX6IA00" rel="self"/>
	<created-date>2018-12-05T15:09:26.936+05:30</created-date>
	<expiry-date>2018-12-05T16:03:52.827+05:30</expiry-date>
</session>

Here’s my code to add the token to crowd.token_key:

request.setAttribute("crowd.token_key", crowdToken);
Cookie cookie = new Cookie("crowd.token_key", crowdToken);
cookie.setPath("/");
HttpOnlyCookies.addHttpOnlyCookie(response, cookie);

Note: crowdToken contains the received token, which is set correctly; I can see it in the browser console.

After visiting any crowd page, it was still redirecting me to the login form.

Am I missing something? Please let me know.

Thanks,
Lokesh

@lokesh

Remember that remote_address has to be the address of the user, because that’s what is validated when the user comes back with the cookie. Simply use request.getRemoteAddr().

I’ve just created the cookie with this endpoint, copied it to browser and I was logged in.
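A worked version of the three steps above (create the session over REST with the application credentials and the caller's real remote_address, store the token on the request, set the cookie), added here as an example; it is not code from this thread or from Atlassian. The Crowd base URL, application name and password, and the class and method names are assumptions; it uses only the Servlet API and the JDK, so it does not depend on the CrowdHttpAuthenticator that plugins lost in 3.0.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
public class CrowdSessionCreator {
    // Hypothetical configuration: Crowd *application* credentials, kept server-side only.
    private static final String CROWD_BASE = "https://localhost:8443/crowd";
    private static final String APP_NAME = "saml-plugin", APP_PASSWORD = "change-me";
    // Creates a Crowd SSO session for a user the plugin already authenticated (e.g. via SAML).
    public static String createSession(HttpServletRequest request, HttpServletResponse response,
                                       String username) throws Exception {
        // remote_address must be the real client address: Crowd compares it with later requests
        // that present the cookie, which is why a fixed 127.0.0.1 left the user logged out.
        String body = "{\"username\":" + json(username) + ",\"password\":\"not-validated\","
            + "\"validation-factors\":{\"validationFactors\":[{\"name\":\"remote_address\","
            + "\"value\":" + json(request.getRemoteAddr()) + "}]}}";
        URL url = new URL(CROWD_BASE + "/rest/usermanagement/1/session?validate-password=false");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder()
            .encodeToString((APP_NAME + ":" + APP_PASSWORD).getBytes("UTF-8")));
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setRequestProperty("Accept", "application/xml");
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) { out.write(body.getBytes("UTF-8")); }
        if (conn.getResponseCode() / 100 != 2) throw new IllegalStateException("Crowd returned HTTP " + conn.getResponseCode());
        String token;
        try (InputStream in = conn.getInputStream()) {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
            Document doc = f.newDocumentBuilder().parse(in);
            token = doc.getElementsByTagName("token").item(0).getTextContent();
        }
        request.setAttribute("crowd.token_key", token);  // same attribute/cookie names as in the thread
        Cookie cookie = new Cookie("crowd.token_key", token);
        cookie.setPath("/");
        cookie.setHttpOnly(true);                        // Servlet 3.0+: keeps page scripts away from the token
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
        return token;
    }
    private static String json(String s) {               // minimal JSON string escaping
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }
}
```

In a real plugin, build the request body with a JSON library rather than string concatenation, and call createSession only after the SAML assertion has been fully validated.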

@pgruszczynski

Thanks for your help. It is working now.

Thanks again,
Lokesh