Can't log out from Oracle SSO - java

I’m building a J2EE web application which uses Oracle SSO with an OID back-end as the means for authenticating users.
If a user wants to use the application, first he must provide a valid login/password at SSO's login page.
When the user is done using the application, he may click on the logout button; behind the scenes, the action associated with this button invalidates the user’s session and clears up the cookies using the following Java code:
private void clearCookies(HttpServletResponse res, HttpServletRequest req) {
res.setContentType("text/html");
for (Cookie cookie : req.getCookies()) {
cookie.setMaxAge(0);
cookie.setPath("/");
cookie.setDomain(req.getHeader("host"));
res.addCookie(cookie);
}
}
Also, I have an onclick JavaScript event associated with the logout button, which is supposed to delete the SSO cookies by calling the delOblixCookie() function (as found in some Oracle forum):
function delCookie(name, path, domain) {
var today = new Date();
// minus 2 days
var deleteDate = new Date(today.getTime() - 48 * 60 * 60 * 1000);
var cookie = name + "="
+ ((path == null) ? "" : "; path=" + path)
+ ((domain == null) ? "" : "; domain=" + domain)
+ "; expires=" + deleteDate;
document.cookie = cookie;
}
function delOblixCookie() {
// set focus to ok button
var isNetscape = (document.layers);
if (isNetscape == false || navigator.appVersion.charAt(0) >= 5) {
for (var i=0; i<document.links.length; i++) {
if (document.links.href == "javascript:top.close()") {
document.links.focus();
break;
}
}
}
delCookie('ObTEMC', '/');
delCookie('ObSSOCookie', '/');
// in case cookieDomain is configured delete same cookie to all subdomains
var subdomain;
var domain = new String(document.domain);
var index = domain.indexOf(".");
while (index > 0) {
subdomain = domain.substring(index, domain.length);
if (subdomain.indexOf(".", 1) > 0) {
delCookie('ObTEMC', '/', subdomain);
delCookie('ObSSOCookie', '/', subdomain);
}
domain = subdomain;
index = domain.indexOf(".", 1);
}
}
However, my users are not getting logged out from SSO after they hit the logout button: although a new session is created if they try to access the index page, the SSO login page is not presented to them and they can go straight to the main page without having to authenticate. Only if they manually delete the cookies from the browser, the login page shows up again - not what I need: the users must provide their login/password every time they log out from the application, so I believe there must be something wrong in the code that deletes the cookies.
I’d greatly appreciate any help with this problem, thanks in advance.

Oracle have two web SSO products - Oracle Access Manager and Oracle Single Sign On. The Javascript code you have posted is for Access Manager, so it won't help you. Besides, you shouldn't need to do anything in Javascript to log the user out.
Have a look at the logout section of the OSSO docs. It recommends using the following code:
// Clear application session, if any
String l_return_url := return url to your application
response.setHeader( "Osso-Return-Url", l_return_url);
response.sendError( 470, "Oracle SSO" );

You need a page, with a name of logout, that includes those JavaScript functions.
That's what the documentation says:
The WebGate logs a user out when it receives a URL containing
"logout." (including the "."), with the exceptions of logout.gif and
logout.jpg, for example, logout.html or logout.pl. When the WebGate
receives a URL with this string, the value of the ObSSOCookie is set
to "logout.

Cookies don't "delete" untill the browser is closed.

Related

How to save the response data return by Facebook in Java class using Spring MVC

I am trying to save the user data which is return by the Facebook response.
I am using Facebook Javascript.Response is in JSon format and I want to parse it first and then save it in to my database using java.
<script>
// This is called with the results from from FB.getLoginStatus().
function statusChangeCallback(response) {
console.log('statusChangeCallback');
console.log(response);
// The response object is returned with a status field that lets the
// app know the current login status of the person.
// Full docs on the response object can be found in the documentation
// for FB.getLoginStatus().
if (response.status === 'connected') {
// Logged into your app and Facebook.
/* var uid = response.authResponse.userID;
var accessToken = response.authResponse.accessToken;
console.log("User id is" + uid);
console.log(accessToken); */
document.getElementById('accesstoken').value=response.authResponse.accessToken;
console.log(response.authResponse.accessToken);
testAPI();
} else if (response.status === 'not_authorized') {
// The person is logged into Facebook, but not your app.
document.getElementById('status').innerHTML = 'Please log ' +
'into this app.';
} else {
// The person is not logged into Facebook, so we're not sure if
// they are logged into this app or not.
document.getElementById('status').innerHTML = 'Please log ' +
'into Facebook.';
}
}
// This function is called when someone finishes with the Login
// Button. See the onlogin handler attached to it in the sample
// code below.
function checkLoginState() {
FB.getLoginStatus(function(response) {
statusChangeCallback(response);
});
}
window.fbAsyncInit = function() {
FB.init({
appId : 'xxxxxxxxxxxxxxxxxxxx',
cookie : true, // enable cookies to allow the server to access
// the session
xfbml : true, // parse social plugins on this page
version : 'v2.2' // use version 2.2
});
// Now that we've initialized the JavaScript SDK, we call
// FB.getLoginStatus(). This function gets the state of the
// person visiting this page and can return one of three states to
// the callback you provide. They can be:
//
// 1. Logged into your app ('connected')
// 2. Logged into Facebook, but not your app ('not_authorized')
// 3. Not logged into Facebook and can't tell if they are logged into
// your app or not.
//
// These three cases are handled in the callback function.
FB.getLoginStatus(function(response) {
statusChangeCallback(response);
});
};
// Load the SDK asynchronously
(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/sdk.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
// Here we run a very simple test of the Graph API after login is
// successful. See statusChangeCallback() for when this call is made.
function testAPI() {
// window.location="http://localhost:8080/SpringMvcHibernateJavaBased/list";
console.log('Welcome! Fetching your information.... ');
FB.api('/me', function(response) {
console.log('Successful login for: ' + response.name);
console.log(response);
document.getElementById('status').innerHTML =
'Thanks for logging in, ' + response.name + '!';
document.getElementById('usernamefb').value=response.name;
document.getElementById('userId').value=response.id;
document.getElementById('emailfb').value=response.email;
});
}
function checkLogoutState(){
FB.logout(function(response) {
FB.Auth.setAuthResponse(null, 'unknown');
});
};
function checkData()
{
return $.ajax({
})
}
</script>
I am using Spring MVC approach fully JAVA based not using any xml files.
I have searched lot but didn't get any solution
In "if (response.status === 'connected') {}" block you need to call another API of Facebook to fetch the user's details by passing user id and token and after receiving the data you can call your own controller through Ajax and save into DB if required.
Another solution can be, you may use "http://projects.spring.io/spring-social/" on server side itself.
Krish

How to use facebook api taggable_friends by Open Graph tag friend

How to use facebook api taggable_friends by Open Graph tag friend.
my app use taggable_friends api i want to tag my friend in friends wall.
to use Mentioning friends or Tagging friends
https://developers.facebook.com/docs/opengraph/using-actions/v2.0#capabilities
And I use Open Graph doc Step by Step to try
but give me "You, or this app's Open Graph Test User, must have published this action at least once" how to setting?
https://developers.facebook.com/docs/apps/review/opengraph
On FB javascript sdk,
-* fb dashboard -> Open Graph
Create a story
List item make sure you enable the 'capabilities' features such as -tags, -user messages, -place, etc. in your action type.
-* in your js
1. call the js sdk
window.fbAsyncInit = function() {
FB.init({
appId : {YOUR_APP_ID} , // App ID
version: 'v2.0',
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
oauth : true, // enable OAuth 2.0
xfbml : true // parse XFBML
});
};
// Load the SDK Asynchronously
(function(d){
var js, id = 'facebook-jssdk'; if (d.getElementById(id)) {return;}
js = d.createElement('script'); js.id = id; js.async = true;
js.src = "//connect.facebook.net/en_US/sdk.js";
d.getElementsByTagName('head')[0].appendChild(js);
}(document));
}
3. Login into FB asking with these scopes
function Login()
{
FB.login(function(response) {
if (response.authResponse)
{
console.log(response.authResponse); // Get User Information.
} else
{
console.log('Authorization failed.');
}
},{scope: 'user_friends, publish_actions, status_update, read_stream, manage_friendlists'});// ' user_interests, user_likes, etc.. '
}
4. Get the logged user taggable_friends with a function such as:
var var friendsIDarray = [];
var user_friend_list;
function meTaggableFriends(){
FB.api(
"/me/taggable_friends",
function (response) {
if (response && !response.error) {
/* handle the result */
console.log(response)
for(var i=0; i<response.data.length; i++){
var data = response.data;
friendsIDarray.push(data[i].id);
}
user_friend_list = friendsIDarray.join();
}
}
);
5. Now, we have stored the token ids in user_friend_list for those friends we want to tag in our post
and we can use an Open Graph action like this in order to tag friends:
FB.api(
'me/{namespace}:{action}',
'post',
{
{object-type}:'http://example.com/object/', // make sure to have the apropiate og:type meta set
place:'https://example.com/place/', // open graph page with metas for location, id for a location page etc
tags: user_friend_list, // the tokens ids for those friens you wanna tag and you got on previous step
title: 'whatever',
message: 'like this, you tag friends #['+ONE_TOKEN_ID_FROM_TAGGABLE_FRIENDS+'] , #['+ONE_TOKEN_ID_FROM_TAGGABLE_FRIENDS+'] etc'
},
function(response) {
console.log(response)
}
);
you can find more information about it on:
https://developers.facebook.com/docs/opengraph/using-actions/v2.1
Hope you find it useful.
the error message "You, or this app's Open Graph Test User, must have published this action at least once" means: before you require this permission, you must call the api at least once.
I have occur this kind error before. when I require publish_actions permission, the facebook tell me this:
then I used my app call /me/feed api post a feed, then the error disappeared.
if you are the owner, developers or test users of the app, you can use these api before review approval. you can add roles for app in dashboard.

Tomcat response mix-up

Have been seeing a very unique situation. Need some input.
Background: We have tomcat servers on ec2 instances with ELB. Our application is a spring application which does not use sessions cause we didn't want the load balancer to track sessions. We use cookies to identify the user. We use Memcache to store some basic session information. For the most part everything works great.
Problem: In some remote cases 0.01% of the time (we analyzed) the response is getting mixed up between the users. And the users are usually coming from the same clientIP. We know this because our application is being used extensively by schools. The client cookie and the cookie we read in the servlet matches. We are positive our application is not looking up the wrong info in the DB. But the response (the view) that is getting rendered is for another user. We know both users are logged in at the same time.
Is this something Tomcat related? Or Network related?
Controller Code:
#RequestMapping("/kids")
public ModelAndView kids(HttpServletRequest request, HttpServletResponse response) {
StudentUserSession studentUserSession = BaseController.getStudentUserSession(request);
if(studentUserSession != null) {
ModelAndView mv = new ModelAndView("kids");
mv.addObject("studentUserSession", studentUserSession);
return mv;
} else {
return new ModelAndView("redirect:/signin");
}
}
JSP Code:
var acookie = readCookie("sp_utkn");
var studentId = ${studentUserSession.studentId};
$.getJSON("/getStudentProfile", function(data){
var sId = -1;
$.each(data, function (key, value) {
if(key == 'studentId'){
sId = value;
}
});
dojo.xhrGet({
url:"/logStudentEvent?cookie=" + acookie+"&stuId="+studentId+"&aId="+sId+"&ref="+otherInfo.join(','),
});
});
The JSON Get Call is getting the same object . aId matches with the cookie but studentId doesn't. The other data on the page are also for another user. But the cookies are consistent and accurate.

Tomcat - SSO Without Realm?

I'm trying to enable SSO under Tomcat such that users who go to http://mydomain.com and http://www.mydomain.com will have their session cookie available for requests made to http://subdomain.mydomain.com. All three of these domains go to the same webapp, so ideally I'd like to not mess with SSO at all and just set the domain on the standard JSESSIONID cookie.
However, that doesn't seem possible, so I'm trying to enable Tomcat's SSO Valve. The problem is that the Valve requires a definition of a Realm, and a Realm is supposed to specify a database of users and roles. However, I am not using container-based authentication nor role-based authorization, so I do not need or want to configure a Realm. All I want is for the session cookie(s) to be able to be shared across each of these different subdomains.
Is there any straightforward way to do this?
Edit
My current workaround for this is to have the server redirect every incoming request to the "canonical" server name. This works well enough, but obviously it is not actually solving the problem.
We were having the same problem and created a Tomcat Valve that would overwrite or set the Domain part of the session Cookie. Quite a simple thing and it already works for many years. The code goes like this:
public class CrossSubdomainSessionValve extends ValveBase {
public CrossSubdomainSessionValve() {
super();
info = "common-tomcat-CrossSubdomainSessionValve";
}
#Override
public void invoke(Request request, Response response) throws IOException, ServletException {
// cookie will only need to be changed, if this session is created by this request.
if (request.getSession(true).isNew()) {
Cookie sessionCookie = findSessionCookie(response.getCookies());
if (sessionCookie != null) {
String cookieDomainToSet = getCookieDomainToSet(request.getServerName());
if (cookieDomainToSet != null) {
// changing the cookie only does not help, because tomcat immediately sets
// a string representation of this cookie as MimeHeader, thus we also
// have to change this representation
replaceCookie(response.getCoyoteResponse().getMimeHeaders(), sessionCookie, cookieDomainToSet);
}
}
}
// process the next valve
getNext().invoke(request, response);
}
protected Cookie findSessionCookie(Cookie[] cookies) {
if (cookies != null)
for (Cookie cookie : cookies)
if (Globals.SESSION_COOKIE_NAME.equals(cookie.getName())) {
return cookie;
return null;
}
protected void replaceCookie(MimeHeaders headers, Cookie originalCookie, String domainToSet) {
// if the response has already been committed, our replacementstrategy will have no effect
// find the Set-Cookie header for the existing cookie and replace its value with new cookie
for (int i = 0, size = headers.size(); i < size; i++) {
if (headers.getName(i).equals("Set-Cookie")) {
MessageBytes value = headers.getValue(i);
if (value.indexOf(originalCookie.getName()) >= 0) {
if (originalCookie.getDomain() == null) {
StringBuilder builder = new StringBuilder(value.getString()).append("; Domain=").append(domainToSet);
value.setString(builder.toString());
} else {
String newDomain = value.getString().replaceAll("Domain=[A-Za-z0-9.-]*", "Domain=" + domainToSet);
value.setString(newDomain);
}
}
}
}
}
protected String getCookieDomainToSet(String cookieDomain) {
String[] parts = cookieDomain.split("\\.");
if (parts.length >= 3) {
return "." + parts[parts.length - 2] + "." + parts[parts.length - 1];
}
return null;
}
public String toString() {
return ("CrossSubdomainSessionValve[container=" + container.getName() + ']');
}
}
The algorithm works like this:
- Only if the session is new - find the session cookie
- Get the requested host name
- Split the host name with '.'
- If it has at least 3 parts (like www.google.de), remove first part (to .google.de)
- Reset the cookie
In your Context configuration you can apply the valve like this
<Valve className="my.package.CrossSubdomainSessionValve" httpOnlyEnabled="true" />
Caveat: In the code the Valve creates a session if no session was created before and does not care if you need a session at all...
Hope that helps... Good luck!

How to check whether JavaScript is enabled in client browser using Java code

can anyone help me in trying to check whether JavaScript is enabled in client browser using Java code.
Assuming you're writing a Java web application, one technique that I've used successfully is to have the first page that's accessed—typically a login form—write a session cookie when the page loads. Then have the Java code that the form submits to check for the existence of that cookie.
On the client:
<script type="text/javascript">
function createCookie(name, value, days) {
var expires = "";
if (days) {
var date = new Date();
date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
expires = "; expires=" + date.toGMTString();
}
var cookie = name + "=" + value + expires + "; path=" + "/";
document.cookie = cookie;
}
createCookie("JavaScriptEnabledCheck", 1, 0);
</script>
On the server:
/**
* Returns <code>true</code> if the session cookie set by the login form
* is not present.
*
* #param request The HTTP request being processed
* #return <code>true</code> if JavaScript is disabled, otherwise <code>false</code>
*/
private boolean isJavaScriptDisabled(HttpServletRequest request)
{
boolean isJavaScriptDisabled = true;
Cookie[] cookies = request.getCookies();
if (cookies != null)
{
for (int i = 0; i < cookies.length; i++)
{
if ("JavaScriptEnabledCheck".equalsIgnoreCase(cookies[i].getName()))
{
isJavaScriptDisabled = false;
break;
}
}
}
return isJavaScriptDisabled;
}
In yourform for you can put code like this:
<noscript>
<input type="hidden" name="JavaScript" value="false" />
</noscript>
The parameter should only be submitted if the browser has scripts turned off. In your Java applications you can check it like so:
boolean javaScript = request.getParameter("JavaScript") == null;
If a form submit is performed, you can put a hidden input in the form and fill out its value with javascript (from OnSubmit) and check that on the server side.
A simple thing would be to do a call back from the page, such as an AJAX call. I don't think there's any other way to determine this, at least not universally.
Are you trying to do this server-side or on the client in an applet?
If a browser does not support javascript (or has it turned off), it's highly unlikely they will have support for Java applets.
If you have PHP support just copy and paste the code below.
<noscript>
<input type="hidden" name="JavaScript" value="false" />
</noscript>
/*This code is developed by Lankeshwer(nick name only) and can be used as open source by anyone*/
<?PHP
if($_POST['JavaScript']!='false'){
echo "<run your javascript code here>";} //replace this line with your actual javascript code
else
echo "<html><head><meta http-equiv="refresh" content="0;url=www.kharida.com"></head</html>";
?>
wish you a good luck and don't forget to make your code open

Categories

Resources