You can enable extensions to authenticate users coming from Endeca Workbench by including an authentication token in the URL.

Oracle Commerce Workbench calculates the value of the token by generating an SHA-256 hash from a portion of the URL and a shared secret. The portion of the URL that is used for the hash consists of everything after the host name and port, including the leading slash, but excluding the value of the AUTH token itself. The shared secret is a string that is specified in ws-extensions.xml and is also stored in the extension itself.

For example, the following ws-extensions.xml file defines an extension with a URL that uses the AUTH and TS tokens:

<?xml version="1.0" encoding="UTF-8"?>

<extensions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:noNamespaceSchemaLocation="extensions.xsd">
	<extension id="authExtension"
		defaultName="Authenticated Extension"
		defaultDescription="Demonstrates token-based authentication."
		url="http://localhost:8080/AuthExtension/index.jsp?timestamp=${TS}&amp;auth=${AUTH}"
		sharedSecret="secret!@#$%^*(987654321" />
</extensions>

In this case, the value of the authentication token is the hash of a String similar to the following:

/AuthExtension/index.jsp?timestamp=1189702462936&auth=secret!@#$%^*(987654321

The extension can verify that a user is coming from Oracle Endeca Workbench by calculating the hash of the same string and comparing the result to the value of the AUTH token. This ensures that the user visiting the extension has logged in to Oracle Commerce Workbench and has the permission (if any) that is required to access the extension.

Because the AUTH token is based in part on the URL, it is recommended that you include the time stamp of the request to introduce some variation in the value of the token. The time stamp can also be used to filter out stale requests and limit the possibility of an eavesdropper reusing the same URL to gain access to the extension.

The following Java code shows how the extension defined in the preceding example can authenticate users from Oracle Commerce Workbench:

The example extension places the AUTH token at the end of the URL, making it more convenient to build the substring of the URL for the hash.

However, the AUTH token can be in any position in the URL. For instance, the URL can be defined in ws-extensions.xml as follows:

url="http://localhost:8080/AuthExtension/index.jsp?auth=${AUTH}&amp;timestamp=${TS}"

This results in a URL similar to this:

http://localhost:8080/AuthExtension/index.jsp?auth=dc40570f2e7111fbe1af820a854ca817&timestamp=1189702462936

The value of the authentication token is the hash of a String similar to the following:

/AuthExtension/index.jsp?auth=&timestamp=1189702462936secret!@#$%^*(987654321

In this case, the code in the extension to remove the value of the authentication token from the URL is more complex.
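The following Java class is an added example, not the Workbench documentation's own listing. It implements the verification procedure described above (rebuild the hashed string from the request URL with the AUTH value removed, append the shared secret, SHA-256 it, and compare with the presented token) and handles the harder case just mentioned, where the AUTH token can sit anywhere in the query string rather than at the end. It assumes the parameter names `auth` and `timestamp` from the example URL, the shared secret from the ws-extensions.xml above, and a five-minute freshness window for the time stamp; the window length is an assumed value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/**
 * Verifies the Workbench AUTH token for an extension (added example).
 * Assumptions: the token parameter is named "auth", the time stamp
 * parameter is named "timestamp", and requests older than five minutes
 * are rejected. The shared secret is the one from ws-extensions.xml above.
 */
public final class AuthTokenVerifier {
    private static final String SECRET = "secret!@#$%^*(987654321";
    private static final String AUTH_PARAM = "auth";
    private static final String TS_PARAM = "timestamp";
    private static final long MAX_AGE_MILLIS = 5 * 60 * 1000L; // assumed freshness window

    /**
     * Returns the path and query with the value of the auth parameter blanked
     * out, leaving "auth=" in place. Works regardless of the parameter's position,
     * so "/x?auth=abc&timestamp=1" becomes "/x?auth=&timestamp=1".
     */
    static String stripAuthValue(String pathAndQuery, String paramName) {
        int q = pathAndQuery.indexOf('?');
        if (q < 0) {
            return pathAndQuery; // no query string, nothing to strip
        }
        StringBuilder out = new StringBuilder(pathAndQuery.substring(0, q)).append('?');
        String[] pairs = pathAndQuery.substring(q + 1).split("&");
        for (int i = 0; i < pairs.length; i++) {
            String pair = pairs[i];
            int eq = pair.indexOf('=');
            if (i > 0) {
                out.append('&');
            }
            if (eq >= 0 && pair.substring(0, eq).equals(paramName)) {
                out.append(paramName).append('='); // keep the name, drop the value
            } else {
                out.append(pair);
            }
        }
        return out.toString();
    }

    /** Returns the raw (undecoded) value of a query parameter, or null if absent. */
    static String queryValue(String pathAndQuery, String paramName) {
        int q = pathAndQuery.indexOf('?');
        if (q < 0) {
            return null;
        }
        for (String pair : pathAndQuery.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq >= 0 && pair.substring(0, eq).equals(paramName)) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    /** Lower-case hex SHA-256 of (URL without the auth value) + shared secret. */
    static String expectedToken(String pathAndQuery) throws NoSuchAlgorithmException {
        String material = stripAuthValue(pathAndQuery, AUTH_PARAM) + SECRET;
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(material.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Accepts the request only if the time stamp is within the freshness window
     * (limits replay of an observed URL) and the presented token matches the
     * recomputed one. The comparison is constant-time to avoid leaking how many
     * leading characters matched.
     */
    static boolean verify(String pathAndQuery, String presentedToken, long nowMillis)
            throws NoSuchAlgorithmException {
        String ts = queryValue(pathAndQuery, TS_PARAM);
        if (ts == null || presentedToken == null) {
            return false;
        }
        long age;
        try {
            age = nowMillis - Long.parseLong(ts);
        } catch (NumberFormatException e) {
            return false;
        }
        if (Math.abs(age) > MAX_AGE_MILLIS) {
            return false; // stale request, or clocks too far apart
        }
        byte[] expected = expectedToken(pathAndQuery).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = presentedToken.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        long now = System.currentTimeMillis();
        // Constructed request in the second URL layout above: auth first, timestamp last.
        String token = expectedToken("/AuthExtension/index.jsp?auth=&timestamp=" + now);
        String request = "/AuthExtension/index.jsp?auth=" + token + "&timestamp=" + now;
        System.out.println("valid:    " + verify(request, token, now));
        System.out.println("tampered: " + verify(request.replace("index.jsp", "admin.jsp"), token, now));
        System.out.println("stale:    " + verify(request, token, now + MAX_AGE_MILLIS + 1));
    }
}
```

Inside a servlet or JSP, build the `pathAndQuery` argument from `request.getRequestURI() + "?" + request.getQueryString()`: both return the raw, undecoded text that Workbench hashed, whereas `getParameter()` would URL-decode values and change the hashed bytes. The time stamp check is what turns the token from a static credential into one that expires, which is the replay protection the preceding text recommends.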
