Tuesday, July 12, 2016

ADF BC REST Authentication with JSESSIONID Cookie

I described how to apply ADF Security to ADF BC REST in my previous post - Oracle JET and ADF BC REST Basic Authentication. Here I will show how to authenticate on the first request only and rely on the JSESSIONID cookie returned by that request for all subsequent requests. This is useful for mobile clients and JET: the client does not need to keep the user credentials (sensitive data) between requests, it is enough to keep the cookie.

Let's see how it works. The first request must authenticate: we use basic authentication with a GET operation and provide the user credentials:


The request is authenticated and data is returned:


Along with the data, the response carries extra information - a cookie and headers. The JSESSIONID cookie value identifies the authenticated session context on the server. We can send this value with the next requests; the server then treats the request as belonging to the already authenticated session and does not ask to authenticate again (the same principle as in ADF web applications). Copy the cookie value:


Now you can close and reopen Postman, to guarantee nothing is shared from the previous request. Remove the authentication header and add a new header called Cookie. Its value must be JSESSIONID= followed by the copied cookie value. Execute the GET operation:


If the session associated with this cookie is still active on the server, you get the response data as expected (no need to provide the user credentials again):


The ADF BC REST sample application - ADFBCRESTApp_v7.zip - is protected by ADF Security with authentication and authorization:


The REST servlet is mapped with the appropriate security constraint in web.xml:

7 comments:

Anonymous said...

Hi Andrejus,

I'm testing this using ADF 12.2.1.1.0 and I am not seeing JSessionID cookie. I attempted this using both my own application as well your sample application, utilizing Postman. Any suggestions?

Thanks,

Alex

Andrej Baranovskij said...

Hi,

I was testing this using 12.2.1.1.0, JSESSIONID was visible. This is the Web session identifier, it must be returned.

Regards,
Andrejus

Anonymous said...

Hi,

Found the issue. Postman extension to show cookies was missing. Another question... In the scenario where an external source is authenticating (JET, Angular, etc.), how would you recommend the external source ending the session (logout)?

Thanks,

Alex

Andrej Baranovskij said...

You could execute URL call for adfAuthentication servlet with logout=true and session ID. I plan to post it on the blog.

Regards,
Andrejus

Unknown said...

Hi Andrejus,

I have implemented this and it works perfectly. I have another question though: In our prepareSession method we are performing an LDAP invocation to get an employee's id (employee logs in with user name). However, the issue is that prepareSession is getting invoked on every call, even when passing the JSESSION ID. Any recommendations to prevent this unnecessary work and latency?

Thanks,

Alex

Andrej Baranovskij said...

You need this call for ADF BC to establish DB connection.

Regards,
Andrejus

Anonymous said...

Hi Andrejus,

Issue was resolved by storing the value in a transient view object and not invoking LDAP if the row was there. Another question: Our client is considering switching authentication via JSON Web Token. Does ADF BC REST allow for this to be passed out of the box and, if not, any recommendations for passing it in the response? I see that JWTs are supported in 12.2.1 but not sure if there's an easy way to implement it with our current use case.

Thanks,

Alex