
Check logged in user session status OpenAM


Hello, I have the following case: an Ajax-based JavaScript application, an OpenAM agent, OpenAM, and JBoss with REST Java web services.

If I understand the OpenAM documentation correctly, the OpenAM web agent works as a mediator between the web server part and OpenAM. My understanding is that for simple services like login, logout and checking logged-in status it should be enough to use the OpenAM APIs and the OpenAM agent. For example, it is the agent that takes care of the token and redirects us to the login page and back to the original page whose access was requested.

The token is kept in an HttpOnly cookie, which makes it inaccessible.

At the same time the cookie is accessible from the JBoss server, so theoretically I can implement services that validate the token against OpenAM, and a logout service too. My understanding is that such an implementation would be a hack because in the first place we are not supposed to end up on the JBoss server if the session is invalid. It should be the agent that performs this check for us.

My question is how to check logged-in status when I don't have access to the token from the browser (HttpOnly cookie) without doing a round trip to the JBoss server only to get access to the cookie. Also, how to implement logout without involving the JBoss server again.


Solution

  • how to check logged-in status when I don't have access to the token from the browser (HttpOnly cookie) without doing a round trip to the JBoss server only to get access to the cookie.

    If you are in a client (browser) in HTTPOnly cookie mode and want to check the validity of the SSOToken cookie (default name iPlanetDirectoryPro) then you can call the sessions endpoint on the AM server. You don't need to get the cookie - the browser will add it to the outgoing request - and it will return details of the token if successfully validated. This way you don't get the token itself in the client-side code, but you can resolve it and answer your question.

    Request:

    POST /openam/json/sessions?_action=getSessionInfo HTTP/1.1
    Host: myserver.com:8080
    Content-Type: application/json
    Cookie: iPlanetDirectoryPro=... <-- added by browser, not in code
    Accept-API-Version: protocol=1.0,resource=2.0
    Cache-Control: no-cache
    
    {}
    

    Response:

    {
        "username": "demo",
        "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
        "realm": "/",
        "latestAccessTime": "2017-09-28T20:15:17Z",
        "maxIdleExpirationTime": "2017-09-28T20:45:17Z",
        "maxSessionExpirationTime": "2017-09-28T22:15:16Z",
        "properties": {}
    }
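    The browser-side call described in this answer, written out as an added example (not code from the original post or from the OpenAM project). It never reads the HttpOnly cookie; `credentials: "include"` makes the browser attach it. The endpoint, headers and response fields come from the answer above; the deployment URL, the treatment of a non-2xx status as "not logged in", and the injectable `fetchImpl` parameter are assumptions.

```javascript
// Added example: check an OpenAM session from client-side JS without touching the
// HttpOnly iPlanetDirectoryPro cookie. AM_BASE is an assumed deployment URL.
const AM_BASE = "https://myserver.com:8080/openam";

// Turn a getSessionInfo response (HTTP status + parsed JSON body) into a plain
// object the UI can act on. `now` is injectable so the arithmetic is testable.
function interpretSessionInfo(status, body, now = new Date()) {
  // Assumption: anything other than a 2xx with a username means no valid session
  // (AM rejects an absent or expired token rather than returning details).
  if (status < 200 || status >= 300 || !body || !body.username) {
    return { loggedIn: false };
  }
  const idleExpiry = Date.parse(body.maxIdleExpirationTime);
  const hardExpiry = Date.parse(body.maxSessionExpirationTime);
  const secs = (t) => Math.max(0, Math.floor((t - now.getTime()) / 1000));
  return {
    loggedIn: true,
    username: body.username,
    realm: body.realm,
    // Time left before AM's idle timeout and absolute lifetime end. The server
    // is authoritative; the client only uses these to warn or schedule a re-check.
    secondsUntilIdle: secs(idleExpiry),
    secondsUntilHard: secs(hardExpiry),
  };
}

// Call the sessions endpoint. `fetchImpl` defaults to the browser's fetch and is
// injectable so the function can be exercised offline (assumed to share fetch's signature).
async function checkSession(fetchImpl = globalThis.fetch, now = new Date()) {
  const res = await fetchImpl(`${AM_BASE}/json/sessions?_action=getSessionInfo`, {
    method: "POST",
    credentials: "include", // browser adds iPlanetDirectoryPro; the script never sees it
    headers: {
      "Content-Type": "application/json",
      "Accept-API-Version": "protocol=1.0,resource=2.0",
      "Cache-Control": "no-cache",
    },
    body: "{}",
  });
  let body = null;
  try { body = await res.json(); } catch (e) { body = null; } // non-JSON error page
  return interpretSessionInfo(res.status, body, now);
}
```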