Basically, I'm trying to find a way to let a protected web app use Skeleton
Key for authentication, but do it without the user having to see the
auth-server login page.

I could pretty easily do this with a JavaScript function on an unprotected
page from the protected app.  The XHR or $.ajax (jQuery) function could
make a request to the protected app, get redirected to the auth server, get
the username and password from fields on the unprotected page and submit
the auth-server login page, and then be redirected back to the protected
app, whereupon, seeing authentication was successful, it could reload the
page or something similar.  The only problem with this is it requires
cross-site scripting, which is probably doable but not simple.

I was thinking another approach would be a very small WAR that could be
installed on the same JBoss instance as the protected web app.  It could
provide a JavaScript library that could be loaded by an unprotected page
from the protected web app.  A web service in this new small WAR could make
a direct call to the auth server and programmatically login (similar to the
bearer token programmatic login, if this is possible), and then the JavaScript
function could redirect the browser to the protected app with the token it
got from the web service in the redirect URL.  The OAuthManagedResourceValve
would handle validating this token as it would in the normal SSO scenario.

Do you think anything like this is possible, or are we just stretching too
far?  Again, the basic goal is to allow existing apps with their own
existing login forms to participate in Skeleton Key SSO without
needing to introduce the new auth-server login form.

Thanks much for taking a few minutes to help.

*Doug Schnelzer*
*Technical Director, Vizuri*

On Wed, Jun 26, 2013 at 6:32 PM, Bill Burke <> wrote:

> I'm not sure I understand what you want.  If you don't redirect the
> browser to the Auth Server, the Auth Server will not set up the
> appropriate cookies with the browser and browser SSO will not work.
> You'd have to use a bearer token for everything in that case.
> On 6/26/2013 5:46 PM, Doug Schnelzer wrote:
> > We're planning to move to Skeleton Key for SSO support for a bunch of
> > web apps hosted on JBoss EAP 6.  We'd like to come up with an approach
> > that allows protected web apps to include a username and password field
> > on an unprotected page from the protected web app (this page would be
> > unprotected) and transparently handle the SSO handshake from
> > the OAuthManagedResourceValve to the AuthServer and back.  We were
> > looking at a JavaScript function to facilitate this but haven't come up
> > with a solid way to handle the cross-site scripting that would be a part
> > of this approach.
> >
> > I see in the docs that we can programmatically get an access token that
> > will work with the BearerTokenAuthenticatorValve for accessing REST
> > resources.
> >
> > ResteasyClient client = new ResteasyClientBuilder()
> >                                  .truststore(truststore)
> >                                  .build();
> >
> >      Form form = new Form().param("grant_type", "client_credentials");
> >      ResteasyWebTarget target = client.target("https://localhost:8443/auth-server/j_oauth_token_grant");
> >      target.configuration().register(new BasicAuthentication("", "password"));
> >      AccessTokenResponse res = target.request()
> >                             .post(Entity.form(form), AccessTokenResponse.class);
> >
> > Does the Skeleton Key framework support a similar programmatic approach
> > for getting a token that we can use to log a user in to an SSO-protected
> > application without the user having to see the auth server login page?
> > If so, can you give us a few pointers to get started?
> >
> > Thanks, Doug
> >
> > _______________________________________________
> > Resteasy-users mailing list
> >
> --
> Bill Burke
> JBoss, a division of Red Hat
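As an added example (not code from Doug's message or from the Skeleton Key docs), the quoted client_credentials grant carried through to the step the question is about: presenting the returned token as a bearer token to a REST resource guarded by BearerTokenAuthenticatorValve. The truststore path, the `<client-login>` placeholder, the SK_CLIENT_PASSWORD variable, the resource URL and `AccessTokenResponse.getToken()` are assumptions; the `configuration().register(...)` form follows the quoted snippet.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.BasicAuthentication;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
import org.jboss.resteasy.skeleton.key.representations.AccessTokenResponse;

public class BearerTokenClient {
    public static void main(String[] args) throws Exception {
        // Pin TLS trust to the auth server's own certificate (truststore path is assumed).
        KeyStore truststore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("/path/to/truststore.jks")) {
            truststore.load(in, "changeit".toCharArray());
        }
        ResteasyClient client = new ResteasyClientBuilder().truststore(truststore).build();

        // Step 1: client_credentials grant, as in the quoted snippet. The login is a
        // placeholder; the password is read from the environment so it never sits in source.
        Form form = new Form().param("grant_type", "client_credentials");
        ResteasyWebTarget grant = client.target("https://localhost:8443/auth-server/j_oauth_token_grant");
        grant.configuration().register(new BasicAuthentication("<client-login>", System.getenv("SK_CLIENT_PASSWORD")));
        AccessTokenResponse res = grant.request().post(Entity.form(form), AccessTokenResponse.class);

        // Step 2: send the token in the Authorization header to a resource behind
        // BearerTokenAuthenticatorValve (resource URL is assumed).
        Response r = client.target("https://localhost:8443/protected-app/rest/customers")
                .request()
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + res.getToken())
                .get();
        try {
            if (r.getStatus() == 401) {
                // The valve rejected the token (expired or not issued for this resource):
                // obtain a fresh one instead of retrying with the same token.
                System.err.println("bearer token rejected: " + r.getHeaderString(HttpHeaders.WWW_AUTHENTICATE));
            } else {
                System.out.println(r.readEntity(String.class));
            }
        } finally {
            r.close();
            client.close();
        }
    }
}
```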