4

I am planning to integrate Jasper Server with my web application as single sign-on. I went through the Jasper Authentication Cookbook, and Jasper suggests token-based authentication as one of the solutions (as authentication is already done by my web application).

What Jasper suggests is this:

You pass the token in a specific format (as defined below under tokenFormatMapping) to the Jasper server, and Jasper will authenticate the request.

So a valid token can be:

   u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601

An invalid token can be:

   u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
   r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601

My question is: is this really a secure process? Because as soon as a hacker knows the pattern, he can simply log in to the Jasper server. To me it looks like security can be compromised here. Am I missing something here?

   <bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
     <!-- .................... (other properties omitted in the question; in the
          full configuration this bean sits inside an enclosing bean property) -->
     <property name="tokenPairSeparator" value="|" />
     <property name="tokenFormatMapping">
       <map>
         <entry key="username" value="u" />
         <entry key="roles" value="r" />
         <entry key="orgId" value="o" />
         <entry key="expireTime" value="exp" />
         <entry key="profile.attribs">
           <map>
             <entry key="profileAttrib1" value="pa1" />
             <entry key="profileAttrib2" value="pa2" />
           </map>
         </entry>
       </map>
     </property>
     <property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
   </bean>
Alex K
emilly

2 Answers

1

According to the JasperReports Server Authentication Cookbook, with token-based authentication the user is not directly logged in, meaning that only certain operations can be done using this method.

Furthermore, it specifies the following:

JasperReports Server will accept any properly formatted token; therefore, you need to protect the integrity of the token using measures such as the following:

  • Connect to JasperReports Server using SSL to protect against token interception.
  • Encrypt the token to protect against tampering.
  • Configure the token to use a timestamp to protect against replay attacks. Without a timestamp, when you include the token in a web page or REST web service URL, the URL can be copied and used by unauthorized people or systems. Setting the expire time for the token will stop tokens/URLs from being used to authenticate beyond the indicated time. You can set the expiry time depending on your use case. For a user who is logged into the application/portal and is requesting access to JasperReports Server, an expiry time of a minute or less from the request time is appropriate.

All communications need to be made through an SSL tunnel. Otherwise, anyone could establish a connection to your JR server, send tokens and get information from it.

ibelcomputing
  • The line "In token-based authentication, the JasperReports Server login screen is not displayed to the user and the user does not log in directly." is very confusing to me. The book nowhere mentions what kind of operations can be done using the token-based method. My gut feeling is that the user can do any kind of operation if the token is correct, based on the role passed in the token. – emilly Jan 22 '15 at 16:10
  • The documentation is very clear regarding that. When token-based authentication is used, it is extremely important that your external system is configured properly to prevent an attacker from forging the token. It should also be noted that the more methods you use to secure your system (role-based permissions, SSL tunnel, token encryption, short TTL, changing the default known port, not giving away information about if / how your server is serving Jasper Reports) the better. If I were that concerned about security I would go as far as to see if the token format can be modified. – ibelcomputing Jan 22 '15 at 16:19
  • My point is not about modification of the token but about exposing the pattern. Say I am a developer and know that pipe is the delimiter and u, r, exp are the expected keys. I can hit the Jasper server with any dummy username, role and exp value against the u, r and exp keys and access the system. Isn't it? – emilly Jan 22 '15 at 16:49
  • You can't log-in with a token filled with random data since before serving the response a synchronization of external users and roles is performed so that "the JasperReports Server environment reflects the user’s roles and organization as defined in the token". That would certainly be absurd. – ibelcomputing Jan 22 '15 at 17:11
  • And for completeness' sake, the token format can indeed be modified from the default. The separator can't be the equals sign, commas, or question marks, however. – ibelcomputing Jan 22 '15 at 17:27
  • Yes, I understand that. But once authentication is successful, what happens during synchronization is just that if there is no role (passed in the token) found, it will create a new external role in Jasper's internal DB. Isn't it? – emilly Jan 22 '15 at 17:28
  • That's right. Roles created this way are flagged as external roles. https://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/synchronization-roles#default_2597648658_1012953 In any case, I consider the original question to be answered. – ibelcomputing Jan 22 '15 at 17:44
  • Those Jasper docs are confusing: encryption itself does not protect from tampering (google that), and a timestamp does not prevent replay attacks. – Hans Z. Jan 26 '15 at 11:54
  • You can override encrypt(), decrypt() to write your own logic, but where do you provide the timestamp & expiry_time for the token? – Satish Patro Jul 03 '19 at 13:04
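The following is an added example, not code from the question, the answers or the Jasper cookbook. It covers two points from this page: the key=value|... layout fixed by tokenFormatMapping (including why the two "invalid" tokens in the question are rejected: the keys must appear in the mapped order), and the three cookbook measures the answer quotes. It assumes a shared secret known only to the issuing web application and the server, and wraps the plain token with an HMAC-SHA256 tag; that tag, the helper names and the secret are assumptions of this example and stand in for whatever Jasper's own encrypt()/decrypt() hooks do. A MAC is what detects tampering (a point the comments above make about plain encryption), and the expiry only bounds the replay window to the token's lifetime, which is why the cookbook asks for a minute or less.

```python
# Added example (not from the question, the answers or the Jasper cookbook):
# issue and validate a pre-authentication token in the key=value|... layout
# described on this page, with an expiry in Jasper's yyyyMMddHHmmssZ format
# and an HMAC-SHA256 tag so that a forged or tampered token is rejected.
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SEPARATOR = "|"
# Keys in the order the tokenFormatMapping above defines; order is enforced.
TOKEN_FIELDS = ("u", "r", "o", "pa1", "pa2", "exp")
# Python equivalent of the Java pattern yyyyMMddHHmmssZ, e.g. 20150122161100+0000
EXPIRE_FMT = "%Y%m%d%H%M%S%z"
# Constructed secret for the example; a real one is generated and stored only
# on the issuing application and the server.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def format_token(values, now, ttl_seconds=60):
    """Build the plain token from a dict with keys u, r, o, pa1, pa2.
    `now` must be a timezone-aware datetime; the expiry is ttl_seconds ahead."""
    exp = (now + timedelta(seconds=ttl_seconds)).strftime(EXPIRE_FMT)
    parts = []
    for key in TOKEN_FIELDS:
        value = exp if key == "exp" else str(values[key])
        if SEPARATOR in value or "=" in value:
            raise ValueError("value for %s contains a reserved character" % key)
        parts.append("%s=%s" % (key, value))
    return SEPARATOR.join(parts)


def parse_token(plain):
    """Split a plain token and enforce the mapped key order.
    Returns a dict of fields, or None when the layout is wrong; this is the
    check that rejects the 'u1=...' and 'r=...|u=...' examples."""
    pairs = plain.split(SEPARATOR)
    if len(pairs) != len(TOKEN_FIELDS):
        return None
    fields = {}
    for expected, pair in zip(TOKEN_FIELDS, pairs):
        key, sep, value = pair.partition("=")
        if sep != "=" or key != expected or not value:
            return None
        fields[key] = value
    return fields


def seal_token(plain, secret=SHARED_SECRET):
    """Attach an HMAC-SHA256 tag: base64url(plain) + '.' + hex(tag)."""
    tag = hmac.new(secret, plain.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(plain.encode()).decode() + "." + tag


def open_token(sealed, now, secret=SHARED_SECRET):
    """Verify tag, layout and expiry. Returns the fields, or None on any failure."""
    encoded, dot, tag = sealed.rpartition(".")
    if dot != ".":
        return None
    try:
        plain = base64.urlsafe_b64decode(encoded.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, plain.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged, tampered, or sealed with a different secret
    fields = parse_token(plain)
    if fields is None:
        return None
    try:
        exp = datetime.strptime(fields["exp"], EXPIRE_FMT)
    except ValueError:
        return None  # expiry not in the configured timestamp format
    if now >= exp:
        return None  # expired: replay is only possible inside the TTL window
    return fields


if __name__ == "__main__":
    issued_at = datetime(2015, 1, 22, 16, 10, tzinfo=timezone.utc)
    claims = {"u": "user", "r": "role1", "o": "org1", "pa1": "PA11", "pa2": "PA21"}
    token = seal_token(format_token(claims, issued_at))
    print(open_token(token, issued_at))                                # accepted
    print(open_token(token, issued_at + timedelta(seconds=61)))        # None
    print(open_token(token[:-1] + "0", issued_at))                     # None
```

Sending the sealed value over TLS covers the cookbook's first point (interception); the tag covers the second (tampering); the short TTL covers the third as far as a timestamp can, since a captured token is still valid until its expiry passes.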
0

I was also looking to implement token based SSO with Jasper Server and got stuck on exactly the same question. This approach doesn't seem secure to me as the authentication is never denied if the request is properly formatted which is a simple thing to do.

The other alternative (if you are not using CAS or LDAP providers) would be to authenticate based on the request, as mentioned in section 7.4 "Authentication Based on Request" in the authentication cookbook. Create your own custom authentication provider and configure it in applicationContext-externalAuth.xml:

   <bean id="customAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
     <property name="providers">
       <list>
         <ref bean="${bean.myCustomProvider}"/>
         <ref bean="${bean.daoAuthenticationProvider}"/>
       </list>
     </property>
   </bean>
Tripti
  • Thanks Tripti. CAS or LDAP is not an option for me as my webapp does not support them at this point in time. With more research, I found that token-based authentication can be made secure based on encryption and decryption, say based on a shared key. So it seems safe to me. – emilly Jan 24 '15 at 13:31
  • Regarding the custom authentication provider, as the auth book says: "When your user request has sufficient information for your custom authentication method to authenticate directly from the request...". Even in this case I cannot think of what sufficient information you would pass as part of the request so that Jasper can authenticate it. (I can think of some kind of token only here, which takes me back to token-based authentication.) – emilly Jan 24 '15 at 15:35