Clarity

  • 1.  Display Monitoring Consent Form

    Posted Jun 29, 2017 06:59 PM

    We have a requirement to display a monitoring consent form before a user can login.

    In 13.3, I hijacked the index.html page to show the consent with a set of buttons (accept / decline).  The decline button redirected to a general inner portal page.  The accept button performed the redirect that was in the original index.html page.

    So this worked great.  Now on 14.3, it doesn't appear that the index.html (welcome-file tag in web.xml) is being used.

    Does anyone else have this type of requirement and, if so, any workarounds to get this to work?

    V/r,

    Gene



  • 2.  Re: Display Monitoring Consent Form

    Posted Jun 30, 2017 11:15 AM

    Hi Gene,

    As of 14.x they started restricting the directories you could access. Have you added the file or directory where your file lives? I strongly suspect it is this!

    • In the web.xml file, find <filter id="Clarity Content Filter">
    • Add the path into the param list.

    We have a few other options such as web-proxy or script inside ca ppm (On login) and other "hacks" which I won't mention here.



  • 3.  Re: Display Monitoring Consent Form

    Posted Jul 05, 2017 04:26 PM

    So, 14.3 works just like 13.3 for the index.html page.  For some reason my modified index.html page was replaced with the original contents (maybe the NSA does this?).

    After spending more time learning about Tomcat than I wanted to, I have figured out a way to display my consent page.

    Request a client certificate from the user's smart card via a custom realm, which forces an SSL renegotiation to obtain the user's client certificate.

    I am now working on just logging in the user based on a valid two-factor authentication with the smart card.

    My next question is: does anyone know if the technique shown in the sso-template-jsp.txt still works?

    V/r,

    Gene



  • 4.  Re: Display Monitoring Consent Form

    Posted Aug 02, 2017 07:44 PM

    So for anyone wondering if sso-template-jsp.txt still works: it does, but you now have to make sure that the UtilityThreadLocal TenantInstance matches the TenantInstance in the SecurityIdentifier, which is obtained via the webRequest.getSecurityIdentifier() method.

    Here is how I did it.

        public Boolean loginUser(String username) {
            Boolean initialized = false;
            String tenantId = "";

            if (username == null || username.length() == 0) return initialized;
            try {

                WebRequest webRequest = new DefaultWebRequest(this.getRequest());
                WebResponse webResponse = new DefaultWebResponse(this.getResponse());

                // Pick the first configured tenant that has a non-empty id
                Tenants tenants = configurationManager.getTenants();
                for (int i = 0; i < tenants.getTenantInstanceCount(); i++) {
                    TenantInstance tenantInstance = tenants.getTenantInstance(i);
                    tenantId = tenantInstance.getId();
                    if (tenantId != null && tenantId.length() > 0) break;
                }

                // The thread-local tenant must match the tenant inside the SecurityIdentifier
                // returned by webRequest.getSecurityIdentifier(), otherwise the login does not stick
                UtilityThreadLocal.init(tenantId);

                WebSession webSession = new WebSession(webResponse, webRequest, this.getPageContext().getServletContext());
                UserSessionController usController = UserSessionControllerFactory.getInstance();
                SecurityIdentifier newSecId = usController.init(username, webRequest.getSecurityIdentifier());

                if (newSecId != null && newSecId.isUserLoggedIn()) {
                    // A valid certificate is not enough: refuse inactive or locked accounts
                    String userStatus = newSecId.getUserStatus();
                    if (!SecurityIdentifier.INACTIVE_STATUS.equals(userStatus) &&
                            !SecurityIdentifier.LOCKED_STATUS.equals(userStatus)) {
                        webSession.setSecurityIdentifier(newSecId);
                        if (!webSession.getSessionInitialized()) {
                            webSession.initSessions(newSecId);
                        }
                        initialized = true;
                    }
                }
            } catch (Exception ex) {
                log.error(ex);
            }
            return initialized;
        }


    I get the username via a smartcard certificate which contains the user's email address (in SubjectAlternativeNames).  Once I pull the email address out, I query (via web services) a simple NSQL that gives me id, username and email.

        public String getEmailCertificateUser() {
            // The container sets this attribute only when the client presented a certificate
            // during the TLS handshake (or the renegotiation forced by the custom realm)
            X509Certificate[] x509Certificates = (X509Certificate[]) this.getRequest().getAttribute("javax.servlet.request.X509Certificate");
            return getEmailCertificateUser(x509Certificates);
        }

        public String getEmailCertificateUser(X509Certificate[] x509Certificates) {

            String emailAddress = "";
            String userName = "";

            if (x509Certificates == null) return userName;   // no client certificate presented
            try {
                for (X509Certificate x509Certificate : x509Certificates) {
                    // Skip expired or not-yet-valid certificates
                    if (!checkCertificateValidity(x509Certificate)) continue;
                    // Only accept certificates issued by the expected email CA
                    String issuerDn = x509Certificate.getIssuerDN().getName();
                    if (!issuerDn.toUpperCase().startsWith("CN=DOD EMAIL")) continue;
                    // Each SAN entry is a [type, value] pair; type 1 is rfc822Name (email)
                    Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
                    if (subjectAlternativeNames == null) continue;
                    for (List<?> san : subjectAlternativeNames) {
                        if (((Integer) san.get(0)).intValue() != 1) continue;
                        emailAddress = san.get(1).toString().toLowerCase();
                        break;
                    }
                    if (emailAddress.length() > 0) break;
                }

                if (emailAddress.length() > 0) {
                    // Resolve the Clarity username for this email through the NSQL web service
                    configurationManager = ConfigurationManager.getInstance();
                    ApplicationServerInstance nsa = configurationManager.getApplicationServerInstance("nsa");
                    userName = getUserName(nsa.getServicePassword(), emailAddress);
                }
            } catch (Exception ex) {
                log.error(ex);
            }
            return userName;
        }


    V/r,

    Gene
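
As an added example (not Gene's code and not part of CA PPM), the certificate-to-identity step from the post above as a stand-alone Java class that can be run against a PEM or DER certificate file. It keeps the post's conventions (rfc822Name SAN type 1, the "CN=DOD EMAIL" issuer prefix, lower-cased email) and makes explicit the two checks a login path needs before the email is used as an identity: a validity check on the leaf certificate only, and the issuer restriction done on the RFC 2253 form of the issuer name. The class name, the file-path argument, and the isExpectedIssuer helper are assumptions; in the JSP the chain would come from the javax.servlet.request.X509Certificate attribute rather than a file.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;

/**
 * Derives a login identity (the rfc822Name email address) from a client
 * certificate chain. The chain normally comes from the servlet request
 * attribute "javax.servlet.request.X509Certificate"; main() loads one from a file.
 */
public final class ClientCertEmail {

    /** GeneralName tag for rfc822Name in X509Certificate.getSubjectAlternativeNames(). */
    private static final int RFC822_NAME = 1;

    /** Issuer prefix accepted for email certificates (taken from the post; adjust per PKI). */
    private static final String EXPECTED_ISSUER_PREFIX = "CN=DOD EMAIL";

    private ClientCertEmail() {}

    /**
     * Returns the lower-cased email SAN of the leaf certificate, or empty when the
     * chain is absent, the leaf is outside its validity period, the issuer is not
     * the expected email CA, or no rfc822Name entry exists.
     */
    public static Optional<String> emailFromChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return Optional.empty();        // no client certificate was presented
        }
        // Servlet spec: element 0 is the client's own certificate, the rest is the CA path.
        // Only the leaf identifies the user, so the CA certificates are never inspected for a SAN.
        X509Certificate leaf = chain[0];

        try {
            leaf.checkValidity();           // throws if expired or not yet valid
        } catch (CertificateException e) {
            return Optional.empty();
        }
        if (!isExpectedIssuer(leaf)) {
            return Optional.empty();
        }
        try {
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans == null) {
                return Optional.empty();
            }
            for (List<?> san : sans) {
                // Each entry is [Integer type, Object value]
                if (((Integer) san.get(0)).intValue() == RFC822_NAME) {
                    return Optional.of(String.valueOf(san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        } catch (CertificateParsingException e) {
            return Optional.empty();
        }
        return Optional.empty();
    }

    /**
     * Policy check on the issuer. The container has already validated the chain
     * against its truststore during the TLS handshake; this additionally limits
     * logins to certificates from the email CA, so another valid certificate from
     * the same PKI (for example a signing certificate) is not accepted as a login.
     */
    static boolean isExpectedIssuer(X509Certificate cert) {
        // RFC 2253 form lists the most specific RDN (CN=...) first, matching the post's prefix test
        String issuer = cert.getIssuerX500Principal().getName(X500Principal.RFC2253);
        return issuer.toUpperCase(Locale.ROOT).startsWith(EXPECTED_ISSUER_PREFIX);
    }

    /** Usage: java ClientCertEmail client-cert.pem (any PEM or DER encoded X.509 file). */
    public static void main(String[] args) throws IOException, CertificateException {
        if (args.length != 1) {
            System.err.println("usage: ClientCertEmail <certificate-file>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        Optional<String> email = emailFromChain(new X509Certificate[] { cert });
        System.out.println(email.map(e -> "login identity: " + e)
                                .orElse("no usable email SAN; refuse login"));
    }
}
```

The NSQL lookup that turns the email into a Clarity username is left out because it depends on the deployment's own query; whatever performs it should match the email exactly (after the same lower-casing) and the status checks in loginUser above (isUserLoggedIn, INACTIVE_STATUS, LOCKED_STATUS) remain the final gate, since a valid certificate alone says nothing about whether the account is still allowed in.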