
I'm developing a web app that will be used inside Cisco Jabber as a Custom Tab.

In my app the user needs to be logged in. The first authentication is done using Spring SAML (SSO). If this authentication fails, the user falls back to one of these auth processes:
- A: directly with his userid (not a real auth, but needed for some clients)
- B: a login form (auth against client database)

The problem is that some actions create popups, and with Jabber those popups are opened in Internet Explorer, which doesn't have any information concerning my user, so my app tries to authenticate him again. If SSO works there is no problem and no action is required by the user; if that fails, auth A works fine, but if auth B is selected then I have an issue, because I need the user to be authenticated without him entering his credentials.

Is there a way with Spring / Spring Security to copy the session from Jabber to IE, skipping the log-in page?

I followed the advice here and tried to set the jsessionid as a parameter of my popup URL like this:

// Build the popup URL: carry the jsessionid as a path parameter when no userId is known,
// otherwise fall back to auth A by passing the userId as a query parameter
var logUrl = 'login.do' + (this.user === '' ? ';jsessionid=' + sessionId : '?userId=' + this.user);
// 'resizable' is the window.open feature name; the misspelling 'resizeable' is silently ignored
var w = window.open(logUrl, number, 'width=800,height=600,resizable=yes,scrollbars=yes,toolbar=no,location=yes,status=yes,menubar=yes');

The problem is that when the user opens the popup, the jsessionid in the URL is not the same as the one in Jabber. And if I try to log in with the JSESSIONID of the user in Jabber, it doesn't work.

Is there some configuration parameter I haven't set for this to work?

Mateusz Chrzaszcz
Tom
  • Please post solutions as answers not as updates to the question. This is to avoid confusion. I have rolled back your edit which you can see in the [revisions](https://stackoverflow.com/posts/44927940/revisions). Thank you. – Bugs Jul 13 '17 at 14:11

2 Answers


The session is tracked using the JSESSIONID cookie so you could pass this as a URL parameter on referral.

However, there are security concerns around session hijacking to consider with this approach.

For example, you must use SSL/HTTPS.

See this answer for more information.

syncdk
  • Thanks for the answer. I have updated my problem, since I'm clearly missing something I don't know. – Tom Jul 06 '17 at 13:04
  • `jsessionid` in the URL is ignored for clients who are accepting cookies (https://stackoverflow.com/a/5868553/1258079). Can you set the cookie yourself before/on page load or something? – syncdk Jul 06 '17 at 13:15
  • Hmm, I don't know how I can add a cookie before/on page load, since the page loaded is directly the login page. I guess I could try to open an "unsecured" page on which I would set a cookie and then redirect to the correct page, but that seems a bit weird. Actually, right now I'm able to reuse the jsessionid outside the current browser. Meaning if I log in on Chrome (not the use case the client will do, but just testing) I can copy-paste the link to IE. But inside my application opening a new window still doesn't work. I'm at a loss, but I guess what I'm trying to achieve is not usual. – Tom Jul 06 '17 at 14:50

Solution: We dropped the idea of re-using the session and are now using JWT instead, as it achieves basically the same thing for us.

Tom