Kerberos Auto Redirection From External Navigation

This knowledge base article provides guidance for users who have implemented the Kerberos Directory Manager Plugin in their Joget platform to provide seamless Single Sign-On (SSO).

Problem Statement

Users who navigate directly to Joget links, such as those embedded in emails sent by the Email Tool, may still be prompted to enter login details, even after setting up Single Sign-On (SSO).

Solution

To ensure seamless SSO when directly accessing Joget app assignment views:

  1. Develop a custom web filter to manage the SSO process via an AJAX call and subsequently redirect to the intended URL.
  2. Compile the web filter into a JAR file and place it in your Joget server's tomcat directory: [tomcat directory]/webapps/jw/WEB-INF/lib.

Below is a sample implementation of the web filter:

package org.joget.sample;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import org.joget.apps.app.service.AppUtil;
import org.joget.commons.util.ResourceBundleUtil;
import org.joget.workflow.model.service.WorkflowUserManager;
import org.springframework.security.web.savedrequest.*;

@WebFilter(filterName = "KerberosLoginFilter", urlPatterns = {"/web/login"})
public class KerberosLoginFilter implements Filter {

    // Kerberos Directory Manager plugin service endpoint. The browser calls this URL, so it must be
    // reachable from the client; replace "localhost:8080" with the address users use for the server.
    private static final String SSO_URL = "http://localhost:8080/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service";

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        WorkflowUserManager userManager = (WorkflowUserManager) AppUtil.getApplicationContext().getBean("workflowUserManager");
        HttpServletRequest httpReq = (HttpServletRequest) request;
        HttpServletResponse httpResp = (HttpServletResponse) response;
        String savedUrl = getSavedRequestUrl(httpReq, httpResp);

        // Only intercept anonymous users who reached the login page from an assignment link
        if (userManager.isCurrentUserAnonymous() && savedUrl.contains("assignment")) {
            writeRedirectScript(httpReq, httpResp, savedUrl);
            return;
        }

        chain.doFilter(request, response);
    }

    // The URL the user originally requested: Spring Security's saved request, falling back to the Referer header
    private String getSavedRequestUrl(HttpServletRequest request, HttpServletResponse response) {
        SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
        String url = (savedRequest != null) ? savedRequest.getRedirectUrl() : request.getHeader("referer");
        return (url != null) ? url.replaceAll("ulogin", "userview") : "";
    }

    // Sends a small page that completes SSO with an AJAX call to the plugin service, then navigates to the original URL
    private void writeRedirectScript(HttpServletRequest request, HttpServletResponse response, String redirectUrl) throws IOException {
        String htmlResponse = "<html><head><script type='text/javascript' src='" + request.getContextPath() + "/wro/common.js?build=" + ResourceBundleUtil.getMessage("build.number") + "'></script>"
            + "<script type='text/javascript' src='" + request.getContextPath() + "/js/jquery/jquery-3.5.1.min.js'></script>"
            + "<script>$(function() { $.ajax({method: 'GET', url: '" + SSO_URL + "'}).done(function() { window.location = '" + redirectUrl + "'; }); });</script></head>"
            + "<body>Please wait...</body></html>";

        // The content type must be set before the writer is obtained, otherwise it is ignored
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().write(htmlResponse);
    }

    public void init(FilterConfig fConfig) throws ServletException {}
    public void destroy() {}
}
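The filter above takes the redirect target from the saved request or the Referer header and writes it straight into a JavaScript string, so a malformed or foreign URL would either break the script or send the user off-site after SSO. The following helper is an added example, not part of the Joget plugin or the sample filter; it assumes the filter passes the request host and context path, and that an unsafe target should fall back to a default page (the hostname and URLs below are constructed).

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper (not part of the Joget plugin): checks that the saved/Referer URL stays inside this
// Joget instance before it is embedded in the inline script, and escapes it for the JavaScript string literal.
public final class RedirectTargetValidator {
    // Returns candidate when it is an http(s) URL on requestHost (or a relative path) under contextPath, else fallback
    public static String safeTarget(String candidate, String requestHost, String contextPath, String fallback) {
        if (candidate == null || candidate.isEmpty()) return fallback;
        try {
            URI uri = new URI(candidate).normalize();  // collapses "/jw/../manager" style segments
            String scheme = uri.getScheme();
            if (scheme != null && !scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) {
                return fallback;                       // rejects javascript:, data:, ...
            }
            // "//other.example/x" parses with a host but no scheme, so this also catches scheme-relative URLs
            if (uri.getHost() != null && !uri.getHost().equalsIgnoreCase(requestHost)) {
                return fallback;
            }
            String path = uri.getPath();
            if (path == null || !path.startsWith(contextPath + "/")) {
                return fallback;                       // must stay under the application context
            }
            return candidate;
        } catch (URISyntaxException e) {
            return fallback;
        }
    }

    // Escapes a value for use inside a single-quoted JavaScript string literal in an inline <script> block
    public static String escapeForJsString(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                case '<':  out.append("\\u003C"); break;  // stops "</script>" from ending the block
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the first target is accepted, the scheme-relative one falls back to the default page
        String ok = safeTarget("http://joget.example/jw/web/userview/app/inbox/_/assignment/abc", "joget.example", "/jw", "/jw/web/userview");
        String bad = safeTarget("//other.example/jw/web/userview", "joget.example", "/jw", "/jw/web/userview");
        System.out.println(ok + " | " + bad + " | " + escapeForJsString("/jw/x?q='</script>"));
    }
}
```

In the filter, call safeTarget(savedUrl, request.getServerName(), request.getContextPath(), defaultPage) before the "assignment" check and embed escapeForJsString(redirectUrl) in the script instead of the raw value.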

Download the required plugin to implement this solution:

For additional information or support, see the related knowledge base Joget SSO to Active Directory with Kerberos or contact your system administrator.

Created by Julieth. Last modified by Aadrian on Dec 13, 2024.