I plan to integrate the Jasper server with my web application as Single Sign-On. I went through the Jasper Authentication cookbook, and Jasper offers token-based authentication as one of the solutions (since authentication is already performed by my web application).
What Jasper offers is:
you pass the token in a specific format (as defined below in the tokenFormatMapping section) to the Jasper server, and Jasper will authenticate the request.
So, valid tokens can be:
u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
Invalid tokens may be:
u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
My question is: is this really a secure process? As soon as a hacker knows the template, can he just log into the Jasper server? It seems to me that security can be compromised here. Am I missing something here?
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
    ....................
            <property name="tokenPairSeparator" value="|" />
            <property name="tokenFormatMapping">
                <map>
                    <entry key="username" value="u" />
                    <entry key="roles" value="r" />
                    <entry key="orgId" value="o" />
                    <entry key="expireTime" value="exp" />
                    <entry key="profile.attribs">
                        <map>
                            <entry key="profileAttrib1" value="pa1" />
                            <entry key="profileAttrib2" value="pa2" />
                        </map>
                    </entry>
                </map>
            </property>
            <property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
        </bean>
    </property>
</bean>
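The structural checks the question describes, as an added sketch that is not part of the original post and is not JasperReports Server code. It assumes key order matters, as the question's invalid examples suggest, and uses Python's `%Y%m%d%H%M%S%z` as a stand-in for `yyyyMMddHHmmssZ`; `parse_token`, `check_samples` and the sample tokens are constructed for illustration.

```python
from datetime import datetime, timezone

# Short keys from tokenFormatMapping, in the order of the question's valid token.
EXPECTED_KEYS = ["u", "r", "o", "pa1", "pa2", "exp"]
PAIR_SEPARATOR = "|"              # tokenPairSeparator
EXPIRE_FORMAT = "%Y%m%d%H%M%S%z"  # assumed stand-in for yyyyMMddHHmmssZ


def parse_token(token, now=None):
    """Return (fields, None) if the token is well formed and unexpired,
    otherwise (None, reason). Checks structure only, not who built it."""
    now = now or datetime.now(timezone.utc)
    pairs = [pair.partition("=") for pair in token.split(PAIR_SEPARATOR)]
    if any(sep != "=" or not value for _, sep, value in pairs):
        return None, "malformed pair"
    if [key for key, _, _ in pairs] != EXPECTED_KEYS:
        return None, "unexpected keys or order"
    fields = {key: value for key, _, value in pairs}
    try:
        expires = datetime.strptime(fields["exp"], EXPIRE_FORMAT)
    except ValueError:
        return None, "bad expiry timestamp"
    if expires <= now:
        return None, "expired"
    return fields, None


# Constructed sample tokens (expiry values are made up so they parse).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLES = {
    "valid": "u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=20300101000000+0000",
    "wrong_key": "u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=20300101000000+0000",
    "wrong_order": "r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=20300101000000+0000",
    "expired": "u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=20200101000000+0000",
    "no_zone": "u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=20300101000000",
}


def check_samples():
    """Map each sample name to 'ok' or the rejection reason."""
    return {name: parse_token(tok, FIXED_NOW)[1] or "ok" for name, tok in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:12} {verdict}")
```

Passing these checks shows only that a token matches the template and has not expired; the format carries nothing that ties the token to the application that issued it.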