I’m in charge of maintaining a web application (lives on a Tomcat server) which has two different access points, through two Apache HTTPD servers which are outside of my reach.
The two access points are meant to log users in either through a third-party SSO system or a good ol’ authentication page which prompts for login and password.
The trick is, this SSO puts a limit on the size of files which can be uploaded or downloaded. As SSO users will need to retrieve and send things heavier than that, I need a workaround for this, most likely simply offering a link pointing to the correct resource location through the other server.
What concerns me here is security, in case someone enters a cleverly guessed address to get a document he’s not supposed to. The person in charge doesn’t want to hear about a SessionManager to make sure the user has the rights to retrieve the documents, but suggested that I could simply use their JSESSIONID to confirm their identity…
I am not sure about how to implement this, and have a serious gut feeling that this will backfire in a quite horrible fashion.
Can anyone who had to deal with a similar problem point out some of the pitfalls and possibly share a few useful tips on how to securely bypass this SSO?
One possible way to implement this is to protect the resources on the non-restricted site with a one-time password with a very short life time.
Example:
The password should only be valid for, say, 30 seconds. You may also record the user’s IP address and validate that.
You should not use the JSESSIONID for this. It is not good practice to expose the JSESSIONID in a parameter on the address bar or in an HTML page.
However, you say that the other access point is protected by username and password. If so, will not the user have to log in here anyway? And if so, does not that login protect the resources?
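The short-lived, one-time password the answer describes, worked through as an added example (not code from the question or the answer): the SSO-facing server issues an HMAC-signed token after it has authenticated and authorised the user, and the unrestricted server accepts that token only if the signature verifies, it is within its 30-second lifetime, it names the requested resource, it carries the same client IP, and its nonce has not been spent before. The shared secret, the resource paths, the IP addresses and the in-memory spent-nonce store are all constructed assumptions; the in-memory store works for one node only, and the client IP must be the same one both servers see (if the Apache HTTPD front ends proxy the request, that means trusting the forwarded-for header only from those proxies).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Assumption: one secret shared by the SSO-facing server and the unrestricted server.
# In practice it is loaded from configuration, never hard-coded like this constructed value.
SHARED_SECRET = b"constructed-example-secret-replace-me"
TOKEN_LIFETIME_SECONDS = 30  # the lifetime suggested in the answer


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims; only holders of SHARED_SECRET can mint tokens."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(resource: str, client_ip: str, now: Optional[float] = None) -> str:
    """Called on the SSO side once the user is authenticated and allowed to fetch `resource`.

    Returns an opaque token: base64(claims) + "." + signature. The claims bind the token to
    one resource, one client IP and a 30-second window; the random nonce makes it
    unguessable and lets the other side enforce single use.
    """
    now = time.time() if now is None else now
    claims = {
        "res": resource,
        "ip": client_ip,
        "exp": now + TOKEN_LIFETIME_SECONDS,
        "nonce": secrets.token_urlsafe(16),
    }
    raw = json.dumps(claims, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return f"{payload}.{_sign(payload.encode())}"


class TokenRedeemer:
    """Runs on the unrestricted server: validates tokens and remembers spent nonces."""

    def __init__(self) -> None:
        # nonce -> expiry time; keeping the expiry lets us drop entries that can no longer replay
        self._spent: Dict[str, float] = {}

    def redeem(self, token: str, resource: str, client_ip: str,
               now: Optional[float] = None) -> bool:
        """True exactly once per valid token, and only for the bound resource, IP and window."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            return False
        # Check the signature first, in constant time, so nothing below runs on forged input
        if not hmac.compare_digest(sig, _sign(payload.encode())):
            return False
        try:
            claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
        except (ValueError, UnicodeDecodeError):
            return False
        if claims["exp"] < now:
            return False  # outside the 30-second window
        if claims["res"] != resource or claims["ip"] != client_ip:
            return False  # token was issued for a different document or a different client
        self._purge(now)
        if claims["nonce"] in self._spent:
            return False  # replay of a token that already served one download
        self._spent[claims["nonce"]] = claims["exp"]
        return True

    def _purge(self, now: float) -> None:
        """Forget nonces whose tokens have expired; they can never validate again anyway."""
        for nonce, exp in list(self._spent.items()):
            if exp < now:
                del self._spent[nonce]


if __name__ == "__main__":
    redeemer = TokenRedeemer()
    t0 = time.time()
    tok = issue_token("/docs/report.pdf", "203.0.113.5", now=t0)  # constructed values
    print("first use:", redeemer.redeem(tok, "/docs/report.pdf", "203.0.113.5", now=t0 + 5))
    print("replay:   ", redeemer.redeem(tok, "/docs/report.pdf", "203.0.113.5", now=t0 + 6))
```

The link handed to the user would carry the token as a query parameter on the unrestricted server, which calls `redeem` before streaming the file; the token never reveals or depends on the Tomcat session id, so the JSESSIONID stays out of URLs and pages as the answer recommends.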