Question
Tech Mahindra
CA
Last activity: 21 Jul 2017 10:52 EDT
How can we read cookies in Container Managed Authentication
Hello there,
I am trying to read cookie information under Container Managed Authentication. As the single sign-on happens on the application server side and we don't have any authentication service for this, I am getting a null pointer exception when trying to read the following:
((javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getObject("pxHTTPServletRequest"))
Any ideas? As per the PEGA documentation:
Only authentication activities invoked through an authentication service have
access to the pxRequestor.pxHTTPServletRequest property. After a user is
allowed access to Process Commander, subsequent requests no longer have
access to this object.
Can I change the web.xml to have an Auth Service for Container Managed Authentication and have the activity there read the cookies? Is this even allowed?
Thanks
Naveen
***Updated by moderator: Lochan to close post***
Accepted Solution
Pegasystems Inc.
US
Hi Naveen,
As you found in the documentation, when using Container Managed Authentication the pxRequestor.pxHTTPServletRequest is not populated at the time when the EstablishOperator activity is run. So you will not be able to get the cookies using this authentication type.
Why?
The HttpServletRequest object is not serializable, so we can't pass it from the PRPC web tier to the PRPC ETier where activity processing is run. When using PRCustom style authentication with a Data-Admin-AuthService we use a facade object, com.pega.pegarules.priv.authentication.RequestFacade, to populate the pxRequestor.pxHTTPServletRequest property. The RequestFacade object implements the same methods as the standard HttpServletRequest, except that some methods are not available:
getSession()
getSession(boolean)
isUserInRole()
getAttribute(String)
getAttributeNames()
getRealPath()
getRequestDispatcher()
removeAttribute()
setAttribute()
setCharacterEncoding()
These methods are coded but throw a RuntimeException with an error message like "...Not available in ETier".
Using PRCustom with Container Managed Authentication:
You can switch to use a PRCustom style SSO implementation and still use Container Managed Authentication. This way you will have more access to the data you need, the cookies etc.
Since you are using Container Managed Authentication you should be able to access the user name with the following Java code:
javax.servlet.http.HttpServletRequest req = (javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getObject("pxHTTPServletRequest");
String userName = req.getUserPrincipal().getName();
or
String userName = req.getRemoteUser();
Note: This can be on a property set step as well but since you are trying to get cookies as well you should use a Java step.
To get cookie information: (I am sure you know this but just putting here for others)
// Look up a single cookie by name; req is the HttpServletRequest obtained above
String MyCookieValue = null;
javax.servlet.http.Cookie[] cookies = req.getCookies();
if (cookies != null) {
  for (int i = 0; i < cookies.length; i++) {
    if (cookies[i].getName().equalsIgnoreCase("[COOKIE_NAME]")) {
      MyCookieValue = cookies[i].getValue();
      break;
    }
  }
}
If you have problems switching to use PRCustom let me know. We can do a WebEx and I can help you through it.
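As an added example (not Chris's or Naveen's code, and not a Pega API), here is a helper a PRCustom authentication activity Java step could call once WebSphere has done the authentication: it reads only what RequestFacade supports (getUserPrincipal, getRemoteUser, getCookies; never getSession or getAttribute, which throw "Not available in ETier"), and allow-lists the cookie value before it is used for an access-group decision, since cookie values arrive from the client. The class name, the cookie name PROFILE_ROLE and the allowed-role set are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical helper for a PRCustom authentication activity Java step. */
public final class ContainerAuthHelper {
    // Assumed cookie name carrying the profile attribute set in front of WAS.
    static final String ROLE_COOKIE = "PROFILE_ROLE";
    // Only roles the application knows about may map to an access group (assumed values).
    static final List<String> ALLOWED_ROLES = Arrays.asList("TELLER", "SUPERVISOR");
    // Shape check before the value is compared or copied to the Operator page.
    static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Container-authenticated user name, or null when WAS passed no principal. */
    public static String authenticatedUser(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();           // supported by RequestFacade
        if (p != null && p.getName() != null && !p.getName().isEmpty()) {
            return p.getName();
        }
        String remote = req.getRemoteUser();            // equivalent fallback, also supported
        return (remote == null || remote.isEmpty()) ? null : remote;
    }

    /** Value of the first cookie whose name matches exactly; null if absent. */
    public static String cookieValue(Cookie[] cookies, String name) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /** Role from the cookie, only if well-formed and allow-listed; otherwise null. */
    public static String validatedRole(Cookie[] cookies) {
        String raw = cookieValue(cookies, ROLE_COOKIE);
        if (raw == null || !SAFE_VALUE.matcher(raw).matches()) return null;
        String role = raw.toUpperCase();
        return ALLOWED_ROLES.contains(role) ? role : null;
    }

    // In the Java step, after obtaining req from pxHTTPServletRequest as shown above:
    //   String user = ContainerAuthHelper.authenticatedUser(req);   // null -> fail the step
    //   String role = ContainerAuthHelper.validatedRole(req.getCookies()); // null -> fail the step
    // Only a non-null role should be written to the Operator page or used to pick an access group.
}
```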
Pegasystems Inc.
US
Chris Koyl may have some ideas here. Can you elaborate on why you need to access the cookies?
Tech Mahindra
CA
We are getting some profile information in the cookies which cannot be pulled from LDAP directly, for example the transit the user logged into and his authorization levels in that specific transit.
Tech Mahindra
CA
Chris,
Thanks for the detailed information, very informative.
Here I have to go with PRCustom authentication to read cookies. To validate the user at the J2EE context, do we need to do additional Java coding or redirect back to WAS to get it done?
Thanks
Naveen
Pegasystems Inc.
US
Naveen,
You don't need to do anything extra at all. The container, in this case WebSphere, is handling the authentication to the resource PRPC. There is no need to do any extra validation or redirects back to WAS.
--Chris
Tech Mahindra
CA
Chris,
Could you please shed more light on how to switch to a PRCustom style SSO implementation and still use Container Managed Authentication?
Please let me know.
Thanks
Naveen
It just means using the PRCustom Auth type in PRPC while still doing authentication in the app server. Inside the AuthenticationActivity in PRPC, you validate the operator ID by pulling the Subject info from the JVM using req.getUserPrincipal().getName();
Tech Mahindra
CA
Thank you Chris and Vipin,
That means: check if req.getUserPrincipal().getName() == null, then the user is not authenticated, otherwise the user is authenticated?
That's it? Do we need to validate any LTPA token?
Thanks
Naveen.
No, LTPA token validation etc. will happen at the WAS level.
Tech Mahindra
CA
Thanks Vipin.
When I am trying to update the Operator page in the authentication activity with information from cookies like Transit / Role, which are not default properties of Data-Admin-Operator-ID, I am getting a failure with the following information.
Do I need to make any changes at the Data-Admin-AuthService level?
Authentication failed because the constructed Data-Admin-Operator-ID instance failed to pass validation. The most likely cause for this is that your Data-Admin-AuthService record attempts to map directory attributes to PROPERTIES THAT DO NOT BELONG TO DATA-ADMIN-OPERATOR-ID class. Check your D-A-AuthService record for bad entries or typos.
I don't think you are supposed to update the OperatorID page to begin with in PRCustom form of authentication and definitely not update it with properties that don't exist. You've got the information you wanted in the Auth service but what you are doing with it is not allowed.
Tech Mahindra
CA
Hello Vipin,
Thanks for the response, just want to reiterate in case I was not clear earlier.
I have created properties on Data-Admin-Operator-ID in our rulesets (Transit & Role). I am getting this information in cookies, which I am setting on the "Operator" page after successful authentication.
If this is not allowed, then reading cookies won't help me in any way.
Then I would have to have a foreign table with Operator ID as key with role and transit information, and read it using a Declare Page.
If there is any other optimal way please let me know.
Thanks
Naveen
Pegasystems Inc.
US
Naveen,
You can add your own properties to Data-Admin-Operator-ID in your own rulesets and set those properties during authentication. Lots of clients do this.
--Chris
Pegasystems Inc.
US
Naveen,
Drop me an email at [email protected] and let me know when you are available for a WebEx session. I will help you get this implemented, and to wrap up this thread I will post a screenshot of the PRCustom authentication activity here.
--Chris
Pegasystems Inc.
US
I suggest an SR is created to track the effort.
Tech Mahindra
CA
Chris,
Thanks for the response, it was a silly mistake: the properties that were created were not in the unauthenticated ruleset, which is why the validation was failing.
Thank you very much for your timely response
Thanks
Naveen
I'm trying to do something similar. Were you able to pick up LTPA authentication credentials by inspecting cookies? Do you happen to use this/these cookies to validate connector calls to back end(s)?
Tech Mahindra
CA
From the LTPA token, I will be validating the user principal for null; I read the cookie information for the authorization level of the user, to decide which access group he will be mapped to dynamically.
how are you reading the cookies?
Tech Mahindra
CA
Container managed authentication won't allow you to read cookies; they won't be passed.
Switch to Custom Authentication; you should be able to validate the userPrincipal and get the cookies.
thanks. Got a sample?
Tech Mahindra
CA
javax.servlet.http.HttpServletRequest req = null;
String errorMessage = null;
String ID = "";   // employee ID read from the cookie; stays empty if the cookie is absent
try {
  req = (javax.servlet.http.HttpServletRequest)tools.getRequestor().getRequestorPage().getObject("pxHTTPServletRequest");
  // WAS has already authenticated the user; here we only check that a principal was passed through
  if (req.getUserPrincipal() == null)
  {
    errorMessage = "User Principal not passed to PEGA, Please contact System Administrator";
    tools.putParamValue("Status","fail");
    tools.putParamValue("errMsg",errorMessage);
    tools.putParamValue("pyChallenge",errorMessage);
    throw new PRRuntimeException(errorMessage);
  }
  // Pick the profile cookie out of the request (cookie name is site-specific)
  javax.servlet.http.Cookie[] cookies = req.getCookies();
  if (cookies != null) {
    for (int i = 0; i < cookies.length; i++) {
      if (cookies[i].getName().equals("XXXX"))
        ID = cookies[i].getValue();
    }
  }
  if (ID == null || ID.equals(""))
  {
    errorMessage = "ID is not available in Cookies, Please contact System Administrator";
    tools.putParamValue("Status","fail");
    tools.putParamValue("errMsg",errorMessage);
    tools.putParamValue("pyChallenge",errorMessage);
    throw new PRRuntimeException(errorMessage);
  }
} catch (Exception e)
{
  throw new PRRuntimeException("Custom LDAP Exception : "+e.getMessage());
}
awesome. thanks!