[OpenAM] Querying for Tokens with custom property in PostAuthenticationPlugin


[OpenAM] Querying for Tokens with custom property in PostAuthenticationPlugin

Christian Metzler
Hi,

Is there a way to query for SSOTokens which have a custom property set
in a PostAuthenticationPlugin?
If not, how could I fetch a list of all valid SSOTokens (e.g. those
associated with the current user)?

Background: I store a custom property in my PostAuthenticationPlugin's
onLoginSuccess with

ssoToken.setProperty("myproperty","myvalue");

Now in the onLogout method I want to get all SSOTokens which have the
property "myproperty" set to "myvalue" and actually invalidate them.

Kind regards,

Christian
_______________________________________________
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: [OpenAM] Querying for Tokens with custom property in PostAuthenticationPlugin

Kolev, Ivo
Wouldn't this do the work? http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/iplanet/sso/SSOTokenManager.html#getValidSessions(com.iplanet.sso.SSOToken,%20java.lang.String)

I would be concerned about the performance though if each logout polls sessions and investigates their properties. Probably the server should manage thousands of sessions before the performance impact becomes noticeable, but still something to take into account. Also, onLogout is not called when a session times out; the user must explicitly log out in order for your code to be executed.

If I may ask a question ... What is the business case for attempting to sync these sessions? It seems like you have multiple sessions per user but you want to log out all of them at once. Why not use one session only then? Feel free to ignore the question.

Cheers, Ivo Kolev

Information in this e-mail and any attachments is confidential, and may not be copied or used by anyone other than the addressee, nor disclosed to any third party without our permission. There is no intention to create any legally binding contract or other binding commitment through the use of this electronic communication unless it is issued in accordance with the Experian Limited standard terms and conditions of purchase or other express written agreement between Experian Limited and the recipient. Although Experian has taken reasonable steps to ensure that this communication and any attachments are free from computer viruses, you are advised to take your own steps to ensure that they are actually virus free.

Experian Ltd is authorised and regulated by the Financial Conduct Authority.
Companies Act information: Registered name: Experian Limited. Registered office: Landmark House, Experian Way, NG2 Business Park, Nottingham, NG80 1ZZ, United Kingdom. Place of registration: England and Wales. Registered number: 653331.

Re: [OpenAM] Querying for Tokens with custom property in PostAuthenticationPlugin

Christian Metzler
Hi Ivo,

> Wouldn't this do the work? http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/iplanet/sso/SSOTokenManager.html#getValidSessions(com.iplanet.sso.SSOToken,%20java.lang.String)
I tried this, but this approach has two problems:
- Only with a valid admin SSOToken do I get a result from this query; if
it happens as a normal user, the returned set is empty.
- Even as an admin, when I get all valid session tokens, I cannot
destroy the sessions (it throws an SSOException because of an invalid
session id).

> I would be concerned about the performance though if each logout polls sessions and investigates their properties. Probably the server should manage thousands of sessions before the performance impact becomes noticeable, but still something to take into account. Also, onLogout is not called when a session times out; the user must explicitly log out in order for your code to be executed.
As our use case involves a maximum of 600 sessions at a time,
there should not be a performance issue.

> If I may ask a question ... What is the business case for attempting to sync these sessions? It seems like you have multiple sessions per user but you want to log out all of them at once. Why not use one session only then? Feel free to ignore the question.
We are currently working on an SSO solution which lets a user log in with
a Java application using the OpenAM SDK and then connect the system's
default browser with a One Time Password. After that he is authenticated
in the browser as well. But for Single Logout we now have to delete both
SSOTokens (the one which has been received by the client SDK as well as
the one associated with the browser). Unfortunately I cannot easily
destroy the tokens for this special user, because the user could have
also been logged in on a different device (tablet, smartphone or
perhaps a different computer). The SLO should be device dependent. So
actually the information which is stored as a property in the SSOToken
is a kind of generated deviceId for the user's device. I think it would
be too difficult to explain the complete workflow, but yes, we have at
least two sessions, one for the Java client and one for the browser. I
cannot imagine a way to reuse the same session for both.


Re: [OpenAM] Querying for Tokens with custom property in PostAuthenticationPlugin

Kolev, Ivo
Yep, this is an issue indeed. Unfortunately I'm not aware of another way.

A clumsy solution would be to put some cache alongside OpenAM and track the linking between sessions (probably a multi-map <user, sessions>) externally. But this comes with many complications - security, scalability and memory cleaning (when users just close the browser w/o logout).

Have you seen this https://bugster.forgerock.org/jira/browse/OPENAM-1721? Not that I have a clear idea how this would help you.

Cheers, Ivo Kolev


Re: [OpenAM] Querying for Tokens with custom property in PostAuthenticationPlugin

Joel Pearson
Administrator
In reply to this post by Christian Metzler
Christian Metzler wrote
>> Wouldn't this do the work? http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/iplanet/sso/SSOTokenManager.html#getValidSessions(com.iplanet.sso.SSOToken,%20java.lang.String)
> I tried this, but this approach has two problems:
> - Only with a valid admin SSOToken do I get a result from this query; if
> it happens as a normal user, the returned set is empty.
> - Even as an admin, when I get all valid session tokens, I cannot
> destroy the sessions (it throws an SSOException because of an invalid
> session id).
I presume you were using http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/iplanet/sso/SSOTokenManager.html#destroyToken(com.iplanet.sso.SSOToken, com.iplanet.sso.SSOToken) to destroy the session? In our Java webapp we successfully use this to programmatically log out the user without redirecting them to the logout URL. So I'm surprised that you're getting an SSOException.

What's wrong with needing a valid admin SSOToken? Can't your application simply request one?

Re: Querying for Tokens with custom property in PostAuthenticationPlugin

Christian Metzler
On 23.04.2014 02:24, joelpearson wrote:

> Christian Metzler wrote
>>> Wouldn't this do the work?
>>> http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/iplanet/sso/SSOTokenManager.html#getValidSessions(com.iplanet.sso.SSOToken,%20java.lang.String)
>> I tried this, but this approach has two problems:
>> - Only with a valid admin SSOToken do I get a result from this query; if
>> it happens as a normal user, the returned set is empty.
>> - Even as an admin, when I get all valid session tokens, I cannot
>> destroy the sessions (it throws an SSOException because of an invalid
>> session id).
> I presume you were using
> http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/iplanet/sso/SSOTokenManager.html#destroyToken(com.iplanet.sso.SSOToken,
> com.iplanet.sso.SSOToken) to destroy the session? In our Java webapp we
> successfully use this to programmatically log out the user without
> redirecting them to the logout URL. So I'm surprised that you're getting an
> SSOException.
It seems that the TokenManager returns a set of SSO tokens with
restricted access rights. I compared the TokenID and it is not exactly
the same as the one issued in the cookie.

> What's wrong with needing a valid admin SSOToken? Can't your application
> simply request one?
I am working with a PostAuthentication Plugin. The interface

public void onLogout(HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse, SSOToken ssoToken)

only gives me a token for the user who wants to log out. I don't know how
to get an admin SSO token in this context. But it seems to me that the
real problem is that I cannot destroy the session even with an admin token.


Re: Querying for Tokens with custom property in PostAuthenticationPlugin

Christian Metzler
In reply to this post by Kolev, Ivo
On 22.04.2014 18:49, Kolev, Ivo wrote:
> Yep, this is an issue indeed. Unfortunately I'm not aware of another way.
>
> A clumsy solution would be to put some cache alongside OpenAM and track the linking between sessions (probably a multi-map <user, sessions>) externally. But this comes with many complications - security, scalability and memory cleaning (when users just close the browser w/o logout).
>
> Have you seen this https://bugster.forgerock.org/jira/browse/OPENAM-1721? Not that I have a clear idea how this would help you.
This was indeed a good hint. I found a way to manage it - in
AMLoginModule there is a method to get an admin sso session. So the
solution works for PostAuthenticationPlugin as well:

  // Imports the snippet needs:
  import java.util.Set;
  import com.iplanet.sso.SSOException;
  import com.iplanet.sso.SSOToken;
  import com.iplanet.sso.SSOTokenManager;
  import com.sun.identity.authentication.service.AuthD;

  try {
      // AuthD is OpenAM's internal authentication service; it hands out an
      // administrative session that serves as the requester for the calls below.
      SSOToken ssoAuthSession = AuthD.getAuth().getSSOAuthSession();
      SSOTokenManager ssoTokenManager = SSOTokenManager.getInstance();
      // Every valid session on the named OpenAM server (a raw Set in this SDK version)
      Set validSessions =
          ssoTokenManager.getValidSessions(ssoAuthSession, "jupiter.abasag.intra");
      for (Object token : validSessions) {
          SSOToken ssoToken = (SSOToken) token;
          // Property names are case-sensitive: use exactly the name set in onLoginSuccess
          String myValue = ssoToken.getProperty("myProperty");
          if (null != myValue) {
              // Destroys every session that carries the property, whatever its value
              ssoTokenManager.destroyToken(ssoAuthSession, ssoToken);
          }
      }
  } catch (SSOException e) {
      e.printStackTrace();
  }

Thanks a lot!

Regards,


Christian


Re: Querying for Tokens with custom property in PostAuthenticationPlugin

Peter Major
In reply to this post by Christian Metzler
Hi,

> It seems that the TokenManager returns a set of sso tokens with
> restricted access rights. I compared the TokenID and it is not exactly
> the same to the one issued in the cookie.

Are you talking about restricted tokens? Do you have anti-cookie-hijacking
mode enabled? I would doubt that the method would return restricted tokens
as well.

>> What's wrong with needing a valid admin SSOToken? Can't your application
>> simply request one?
> I am working with a PostAuthentication Plugin. The interface
>
> public void onLogout(HttpServletRequest httpServletRequest,
> HttpServletResponse httpServletResponse, SSOToken ssoToken)
>
> only gives me a token for the user who wants to log out. I don't know how
> to get an admin SSO token in this context. But it seems to me that the
> real problem is that I cannot destroy the session even with an admin token.

Please also note that the SessionCount way to get tokens for a user only
really works if session quota is enabled.

You shouldn't need a token to log someone out; just call
SSOTokenManager.getInstance().destroyToken(token).
If the received token is already invalid there will be an SSOException,
but that should mean that the session is already invalid.

If you really need an admin token you can always use this snippet:
AccessController.doPrivileged(AdminTokenAction.getInstance());

On the server side this will create a token for the internal admin user.
On client side this will get you a token for the user configured in
AMConfig.properties.

cheers,
Peter

Re: Querying for Tokens with custom property in PostAuthenticationPlugin

Peter Major
In reply to this post by Christian Metzler
Hi,

> This was indeed a good hint. I found a way to manage it - in
> AMLoginModule there is a method to get an admin sso session. So the
> solution works for PostAuthenticationPlugin as well:
>
>   try {
>
>              SSOToken ssoAuthSession = AuthD.getAuth().getSSOAuthSession();

Don't use AuthD, it's internal API. See my other mail on how to get
admin tokens.

>              SSOTokenManager ssoTokenManager =
> SSOTokenManager.getInstance();
>              Set validSessions =
> ssoTokenManager.getValidSessions(ssoAuthSession, "jupiter.abasag.intra");

That's a bit shortsighted; what about the other OpenAM servers?
Retrieving ALL the sessions can be quite a time-consuming thing as well; do
you REALLY want to do that?

Either you should enable session quota and use SessionCount, or just use
CTS and perform direct LDAP queries in the directory. I wouldn't really
recommend using this code.

cheers,
Peter

Re: Querying for Tokens with custom property in PostAuthenticationPlugin

Christian Metzler
Hi Peter,

On 23.04.2014 08:59, Peter Major wrote:

> Hi,
>
>> This was indeed a good hint. I found a way to manage it - in
>> AMLoginModule there is a method to get an admin sso session. So the
>> solution works for PostAuthenticationPlugin as well:
>>
>>   try {
>>
>>              SSOToken ssoAuthSession =
>> AuthD.getAuth().getSSOAuthSession();
>
> Don't use AuthD, it's internal API. See my other mail on how to get
> admin tokens.
OK, I will use the other way to get admin tokens, if I really need it.

>
>>              SSOTokenManager ssoTokenManager =
>> SSOTokenManager.getInstance();
>>              Set validSessions =
>> ssoTokenManager.getValidSessions(ssoAuthSession,
>> "jupiter.abasag.intra");
>
> That's a bit shortsighted; what about the other OpenAM servers?
> Retrieving ALL the sessions can be quite a time-consuming thing as well;
> do you REALLY want to do that?
No, I do not want to get all sessions at all. It would be sufficient to
get all sessions for the user who wants to log out. But at the moment I
could not figure out a different way.

> Either you should enable session quota and use SessionCount, or just
> use CTS and perform direct LDAP queries in the directory. I wouldn't
> really recommend using this code.
Session quota is not exactly what I need. In our use case the user can
be logged in on multiple devices, but I only want to log him out on one
particular device (this is what I track in my custom property). But as
there is no direct association between the browser session and the Java
SDK session, I have to destroy at least two sessions when the user logs
out: the one in the browser and the one in the Java SSO client. It does
not really matter whether the user logs out in the browser or in the
Java SSO client. So I store a mapping externally to achieve this.

How could I directly access the CTS in my PostAuth plugin? Or would it
be better to store the SSO TokenIDs in my external mapping storage like
Ivo suggested?

Regards,

Christian

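An added example, not code from this thread or from OpenAM itself, that puts Peter's advice together with the external mapping Christian describes: the plugin records each session's token id per user and device in onLoginSuccess and, in onLogout, destroys only the partner sessions with destroyToken(SSOToken), never scanning all sessions with getValidSessions(). The package and class names, the request parameter and session property both called "deviceId", and the in-memory map standing in for the external store are assumptions.

```java
package com.example.openam; // hypothetical package name

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

public class DeviceLogoutPostAuthPlugin implements AMPostAuthProcessInterface {
    /** Session property carrying the generated device id (name is an assumption). */
    static final String DEVICE_PROP = "deviceId";
    /** Request parameter the client sends along with the login (name is an assumption). */
    static final String DEVICE_PARAM = "deviceId";
    /** The id comes from the client, so only opaque values of a sane shape are accepted. */
    private static final Pattern DEVICE_ID = Pattern.compile("[A-Za-z0-9._-]{8,64}");

    // (userId + "|" + deviceId) -> token ids of that user's sessions on that device.
    // In-memory stand-in for the external store discussed in the thread: it is per-JVM
    // (other OpenAM servers do not see it) and entries of sessions that merely time out
    // (onLogout is not called then) need an expiry in a real store.
    private static final Map<String, Set<String>> SESSIONS_BY_DEVICE = new ConcurrentHashMap<>();

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        String deviceId = request.getParameter(DEVICE_PARAM);
        if (deviceId == null || !DEVICE_ID.matcher(deviceId).matches()) {
            return; // ordinary login, or a malformed client value: record nothing
        }
        try {
            // Bind the device id to the session and file the session under user + device.
            ssoToken.setProperty(DEVICE_PROP, deviceId);
            String key = key(ssoToken.getProperty("UserId"), deviceId);
            SESSIONS_BY_DEVICE.computeIfAbsent(key, k -> ConcurrentHashMap.newKeySet())
                              .add(ssoToken.getTokenID().toString());
        } catch (SSOException e) {
            throw new AuthenticationException(e.getMessage());
        }
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) {
        // nothing to track for failed logins
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        SSOTokenManager manager;
        String userId;
        String deviceId;
        try {
            manager = SSOTokenManager.getInstance();
            userId = ssoToken.getProperty("UserId");
            deviceId = ssoToken.getProperty(DEVICE_PROP);
        } catch (SSOException e) {
            throw new AuthenticationException(e.getMessage());
        }
        if (deviceId == null || userId == null) {
            return; // this session was not opened through the device flow
        }
        // Take the whole entry, so a second logout for the same device finds nothing to do.
        Set<String> tokenIds = SESSIONS_BY_DEVICE.remove(key(userId, deviceId));
        if (tokenIds == null) {
            return;
        }
        String own = ssoToken.getTokenID().toString();
        for (String tokenId : tokenIds) {
            if (tokenId.equals(own)) {
                continue; // the caller's own session is being ended by OpenAM already
            }
            try {
                SSOToken other = manager.createSSOToken(tokenId);
                // Destroy only a live session that really belongs to this user and device:
                // a stale or tampered mapping entry must never log out somebody else.
                if (manager.isValidToken(other)
                        && userId.equals(other.getProperty("UserId"))
                        && deviceId.equals(other.getProperty(DEVICE_PROP))) {
                    manager.destroyToken(other);
                }
            } catch (SSOException e) {
                // already invalid (timed out or destroyed elsewhere): nothing left to do
            }
        }
    }

    private static String key(String userId, String deviceId) {
        return userId + "|" + deviceId;
    }
}
```

Because the plugin runs inside OpenAM, destroyToken(SSOToken) needs no admin token here; the user-and-device check before destroying is what keeps a poisoned or stale mapping from ending a different user's session.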