Closed GalTzemach closed 3 years ago
Hi Gal, Yes, this could be done by coding an extended class of JwtSessionConfigurator that will be injected at AceQL Server startup.
Please give me more details and the precise flow, so that I'm sure if it's possible; and then I will guide you on how to implement it.
I have a security requirement to pass the Azure AD access token from the client and validate the token on the AceQL server side for each request.
I am talking about an additional token, not the session management token. That means passing one more token regardless of the session management one.
Assume that I will pass this token as a header from the client to the server. Is there a built-in way to validate this token on the server side?
No, there is no built-in way. But a user asked us recently to allow passing headers in C#, for security and token concerns; he wanted to be allowed to do this: request.Headers.Add("api_key", "1234"); We implemented it. Maybe you could check with him in this thread/issue: https://github.com/kawansoft/AceQL.Client/issues/12 ?
Otherwise, please specify the exact flow (more precisely, it's still not clear enough for my understanding) and I will be glad to help.
(The header syntax is: AddRequestHeader(string name, string value), a non-static method of AceQLConnection.)
I already saw the thread "Api key/ Authorization Headers in Aceql", I am a watcher on GitHub :) and I intend to use this functionality.
The flow: due to security aspects, on our client app the user should be authorized against Azure AD and get an access_token. Then we want to pass the access_token to the server and validate the token on the server side as well.
The question is whether there exists built-in functionality to validate this access_token against Azure AD on the server side, or whether I should implement this code myself? If I need to implement this myself, do you have suggestions on where and how to do this correctly?
It's now clear to me, thanks. I will write a howto asap.
Thanks a lot Nicolas!
Hi Gal, With the current architecture, there is no way to validate an Azure token passed from the AceQL client side to the AceQL server side.
The only thing you can do is put the Azure token in a header with the C# AceQL call AceQLConnection.AddHeader(), then you can either:
Regards, N.
P.S: what could be done in the next AceQL server version is to pass the request headers to the SessionConfigurator.verifySessionId method, by adding the request headers as a new parameter:
Present 6.2 version: public boolean verifySessionId(String sessionId)
Future version: public boolean verifySessionId(String sessionId, String [] requestHeaders)
Then in verifySessionId, you would be able to extract the Azure token from the headers and verify it against the Azure servers.
For now, which point/method gets the request headers from the client on the server side? Is there no other point/method on the server where I can do it than in verifySessionId() in the future?
For now, there is no point/method getting the request headers on the server side.
What I suggest: to implement one in SessionConfigurator.verifySessionId by adding a String [] requestHeaders parameter.
This should be the most coherent way to do this, but I'm open to suggestions if you have an idea that is better for you?
When can this solution be available for me?
I will check and come back to you for evaluation.
Hi Gal, I will prepare a patch, it will be ready from now on to tomorrow at the latest. Regards, N.
Many thanks.
In general, what will be the next step? How and where am I going to implement my validation?
I will update the aceql-http-6.2.jar to aceql-http-6.2-PATCH-1.jar and give a download link. I will add a small HOWTO and an implementation sample in Java that shows how to parse the passed request headers to get their (name, value).
Any news?
Hi Gal, I wrote the text Friday, but forgot to post it...
Patch is here: https://www.aceql.com/rest/soft/patch/aceql-http-6.2-PATCH-1.0.jar
org.kawanfw.sql.api.server.auth.UserAuthenticator contains a new method that allows an implementation to retrieve the request headers and grant or refuse access to the current session:
/**
 * Allows to check the request headers. If the method returns false, the user will not be allowed access.
 * @param headers the request headers
 * @return {@code true} if the headers are OK and the user is granted access, {@code false} if not.
 */
public boolean checkRequestHeaders(Map<String, String> headers);
Source of new interface is here: https://www.aceql.com/rest/soft/patch/UserAuthenticator.java
You have to code the name of your implementation in the aceql-server.properties file with the userAuthenticatorClassName property:
For example, I have my own MyUserAuthenticator.java implementation that just prints the headers names and values on stdout: https://www.aceql.com/rest/soft/patch/MyUserAuthenticator.java
So I add the class name in aceql-server.properties: userAuthenticatorClassName= org.kawanfw.test.api.server.config.MyUserAuthenticator
Please let me know if these explanations are OK, otherwise I will be glad to clarify...
Regards, N.
Hi Nicolas, I would be happy with a more detailed explanation; it's not clear enough for me.
How/where can I implement your interface / my class? Where do I need to put the new class? Should it be part of your .jar file?
Many thanks!
Hi Gal,
The class you will develop must just implement the org.kawanfw.sql.api.server.auth.UserAuthenticator interface and you overload the public boolean checkRequestHeaders(Map<String, String> headers);
In your checkRequestHeaders, you check the headers sent by the client side and grant access or not by returning true or false.
The class can be a solo .class or in a .jar, as you want.
Hi Gal, AceQL Server Version 6.3 has been released and now includes support for request header validation. The Maven version is already available for ease of coding:
<groupId>com.aceql</groupId>
<artifactId>aceql-http</artifactId>
<version>6.3</version>
But the implementation is slightly different from the 6.2 patched version; the method has been renamed and put in its own interface:
1) For the purpose of clarity, the method has been renamed from
public boolean checkRequestHeaders(Map<String, String> headers) throws IOException;
to
public boolean validate(Map<String, String> headers) throws IOException;
2) To respect the single responsibility principle, a dedicated interface has been created that contains the validate method: org.kawanfw.sql.api.server.auth.headers.RequestHeadersAuthenticator.
See Javadoc of RequestHeadersAuthenticator: https://www.aceql.com/rest/soft/6.3/javadoc/org/kawanfw/sql/api/server/auth/headers/RequestHeadersAuthenticator.html
Regards, N.
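An added example of what an implementation of the 6.3 interface could look like for the Azure AD case discussed in this thread. This is not AceQL's code nor the sample Nicolas posted; it only relies on the interface as described above (org.kawanfw.sql.api.server.auth.headers.RequestHeadersAuthenticator with public boolean validate(Map<String, String> headers) throws IOException). Everything else is an assumption of mine: the nimbus-jose-jwt library (com.nimbusds:nimbus-jose-jwt) on the server classpath, the client sending the token as an "Authorization: Bearer <jwt>" header through AddRequestHeader, an RSA public key of the Azure AD tenant loaded from a PEM file whose path is taken from the hypothetical system property azuread.signing.key, and placeholder tenant/audience values.

```java
// Added example, not AceQL project code. Assumes nimbus-jose-jwt on the classpath,
// an "Authorization: Bearer <jwt>" header sent by the client, and a PEM-encoded
// RSA public key (one of the tenant's JWKS keys) at -Dazuread.signing.key=<path>.
package org.example.aceql;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.GeneralSecurityException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.text.ParseException;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.Map;

import org.kawanfw.sql.api.server.auth.headers.RequestHeadersAuthenticator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class AzureAdRequestHeadersAuthenticator implements RequestHeadersAuthenticator {

    // Placeholders: replace with your tenant id and the audience of your app registration.
    private static final String TENANT_ID = "00000000-0000-0000-0000-000000000000";
    private static final String EXPECTED_ISSUER = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0";
    private static final String EXPECTED_AUDIENCE = "api://aceql-server";
    private static final long CLOCK_SKEW_MS = 60_000L;

    private final RSAPublicKey signingKey;

    // AceQL instantiates the class by name, so provide a no-arg constructor that loads the key.
    public AzureAdRequestHeadersAuthenticator() throws IOException {
        String path = System.getProperty("azuread.signing.key"); // hypothetical property
        if (path == null) throw new IOException("azuread.signing.key not set");
        this.signingKey = loadRsaPublicKeyPem(Files.readString(Paths.get(path), StandardCharsets.US_ASCII));
    }

    @Override
    public boolean validate(Map<String, String> headers) throws IOException {
        String auth = headers.get("Authorization");
        if (auth == null) auth = headers.get("authorization"); // header-name case is not guaranteed
        if (auth == null || !auth.startsWith("Bearer ")) return false;
        return isValidAccessToken(auth.substring("Bearer ".length()).trim(), signingKey, new Date());
    }

    // Pure check, separated from the interface so it can be unit-tested with a known key and clock.
    static boolean isValidAccessToken(String token, RSAPublicKey key, Date now) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm: never let the token pick "none" or an HMAC alg against an RSA key.
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return false;
            if (!jwt.verify(new RSASSAVerifier(key))) return false;

            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || exp.getTime() + CLOCK_SKEW_MS < now.getTime()) return false;
            Date nbf = claims.getNotBeforeTime();
            if (nbf != null && nbf.getTime() - CLOCK_SKEW_MS > now.getTime()) return false;
            if (!EXPECTED_ISSUER.equals(claims.getIssuer())) return false;
            List<String> aud = claims.getAudience();
            return aud != null && aud.contains(EXPECTED_AUDIENCE);
        } catch (ParseException | JOSEException e) {
            return false; // malformed token or signature failure: refuse access, do not throw
        }
    }

    // Parses a "-----BEGIN PUBLIC KEY-----" (X.509 SubjectPublicKeyInfo) PEM into an RSAPublicKey.
    static RSAPublicKey loadRsaPublicKeyPem(String pem) throws IOException {
        String b64 = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                        .replace("-----END PUBLIC KEY-----", "")
                        .replaceAll("\\s", "");
        try {
            byte[] der = Base64.getDecoder().decode(b64);
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new IOException("cannot parse RSA public key", e);
        }
    }
}
```

Two caveats for anyone adapting this. Azure AD rotates its signing keys, so a production version should select the key by the token's kid (jwt.getHeader().getKeyID()) from the tenant's JWKS document and cache it, rather than reading a single static PEM. And the thread only shows the aceql-server.properties property name for the 6.2 patch (userAuthenticatorClassName); the property that registers a RequestHeadersAuthenticator in 6.3 is not stated here, so check the 6.3 Javadoc linked above before deploying.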
Thank you Nicolas.
The client will send a JWT token to the AceQL server side with each request. Then I need to validate the JWT token against Azure AD on the server side. Can I do it?