PSoftPros

As the name implies, the PeopleCode SwitchUser function allows developers to switch the logged-in Operator ID from one user to another. For security reasons, you can only switch identities if you have either another user's operator ID and password or another user's valid authentication token (AuthToken); you cannot simply name a user and become that user. While I'm sure there are numerous uses for this function, here are my top two:

  • Presenting a sign-on Pagelet to a GUEST user
  • Switching the runtime context of Integration Broker PeopleCode

In both of these scenarios, PeopleCode is already running as one user, but you need to switch the runtime context to a different user. For example, if we build a web service that exposes Approval Workflow Engine (AWE) approvals, we must authenticate the caller and then confirm that the caller is actually allowed to act on the specific approval being requested; running the request as the caller, rather than as the service's own account, is what makes the second check honest.

The PeopleCode SwitchUser function takes four parameters. If you use the first two parameters, UserID and Password, then you don't use the third. Likewise, if you use the third parameter, AuthToken, then you don't use the first and second. They are mutually exclusive. The fourth parameter is irrelevant for this discussion. Since the first two parameters are self explanatory, the remainder of this discussion will focus on the third parameter, the AuthToken.

Let's further consider the AWE example. Here is the scenario:

Managers want to approve AWE transactions from their mobile devices (BlackBerry, iPhone, etc.). PeopleSoft, however, does not support mobile browsers. One method to enable mobile access is to create a stand-alone web application that communicates with PeopleSoft using web services. The initial page of this web application prompts the user for a PeopleSoft user name and password. The second page displays information about an approval and gives the manager action buttons to approve, deny, or push back the transaction. When the manager selects one of the action buttons, the web application uses web services to update the PeopleSoft AWE transaction.

The process flow in this scenario requires the web application to call at least two PeopleSoft web services. Since web services are stateless, we need to authenticate the user on each call. Because these calls span multiple request/response cycles, the web application has to keep that authentication information between mobile client requests, and server-side session variables are the logical place for it. The question then becomes, "What authentication information do we want to store in a session variable?" User name and password? That leaves a reusable credential sitting in the web tier for as long as the session lives, and anyone who can read that session store can sign on as the manager directly. As an alternative, we could store an AuthToken in a session variable and pass it as the third parameter to SwitchUser. Unlike user names and passwords, authentication tokens can be invalidated (by signing the user out) and are subject to configurable expiration rules.
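Here is what the receiving side of that flow can look like. This is an added example, not code from the original post: a hypothetical Integration Broker request handler (the class name, the AWE_APPROVAL_RESP operation, and the AuthToken element in the request message are all invented for illustration) that pulls the caller's token out of the request, calls SwitchUser with the UserID and Password arguments empty (the token form and the password form are mutually exclusive, as described above), and refuses to do anything else if the switch fails. The fourth argument is passed as an empty string variable because, as the post notes, it plays no role here.

```peoplecode
import PS_PT:Integration:IRequestHandler;

/* Added example: hypothetical AWE approval service handler. Integration Broker
   runs this code as the service's default user; SwitchUser moves the rest of
   the event into the mobile caller's context, so row-level security and AWE
   authority checks apply to the caller rather than to the IB account. */
class AweApprovalHandler implements PS_PT:Integration:IRequestHandler
   method OnRequest(&MSG As Message) Returns Message;
   method OnError(&MSG As Message) Returns string;
private
   method AddText(&parent As XmlNode, &name As string, &value As string);
end-class;

method OnRequest
   /+ &MSG as Message +/
   /+ Returns Message +/
   /+ Extends/implements PS_PT:Integration:IRequestHandler.OnRequest +/
   Local XmlDoc &reqDoc = &MSG.GetXmlDoc();
   /* Assumed request shape: the mobile web app sends <AuthToken> holding PS_TOKEN. */
   Local XmlNode &tokenNode = &reqDoc.DocumentElement.FindNode("AuthToken");
   Local string &ibUser = %UserId;
   Local string &resultDoc = "";   /* fourth SwitchUser argument, unused here */
   Local boolean &switched = False;
   /* Assumed operation name for the response message. */
   Local Message &response = CreateMessage(Operation.AWE_APPROVAL_RESP);
   Local XmlDoc &respDoc = CreateXmlDoc("<?xml version='1.0'?><ApprovalResponse/>");

   /* PeopleCode does not short-circuit Or, so test for the node first and
      only then call SwitchUser. UserID and Password stay empty: token form. */
   If Not &tokenNode.IsNull Then
      &switched = SwitchUser("", "", &tokenNode.NodeValue, &resultDoc);
   End-If;

   If Not &switched Then
      /* Missing, expired or forged token: report it and stop. Nothing below
         this point may run as the IB user on the caller's behalf. */
      %This.AddText(&respDoc.DocumentElement, "Status", "NOT_AUTHENTICATED");
      &response.SetXmlDoc(&respDoc);
      Return &response;
   End-If;

   /* From here on %UserId is the mobile caller, not &ibUser. The approval
      lookups and approve/deny/pushback actions belong here, so that they
      execute with the caller's own authority. */
   %This.AddText(&respDoc.DocumentElement, "Status", "OK");
   %This.AddText(&respDoc.DocumentElement, "RunningAs", %UserId);
   %This.AddText(&respDoc.DocumentElement, "SwitchedFrom", &ibUser);
   &response.SetXmlDoc(&respDoc);
   Return &response;
end-method;

method OnError
   /+ &MSG as Message +/
   /+ Returns String +/
   /+ Extends/implements PS_PT:Integration:IRequestHandler.OnError +/
   Return "<?xml version='1.0'?><ApprovalResponse><Status>ERROR</Status></ApprovalResponse>";
end-method;

method AddText
   /+ &parent as XmlNode, +/
   /+ &name as String, +/
   /+ &value as String +/
   Local XmlNode &node = &parent.AddElement(&name);
   &node.NodeValue = &value;
end-method;
```

The point of the early Return is that a failed SwitchUser leaves the event running as the Integration Broker user, which usually has far more authority than any one manager; any approval action placed after a failed switch would be performed with that authority, so the handler must not fall through.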

How do you generate an AuthToken? Here is the method I use: I create an HTTP connection to my PeopleSoft server's sign-on URL, post the user name and password, and then parse the returned cookies for PS_TOKEN. Here is an example that uses Java and Jakarta Commons HttpClient (the 3.x API):

import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.PostMethod;

// Posting to the PS login URL. Use https in production: PS_TOKEN is a bearer
// credential, and anyone who captures it on the wire can SwitchUser to this account.
HttpClient client = new HttpClient();
PostMethod post = new PostMethod("http://my.ps-server.com/psp/hrms/?cmd=login");
post.addParameter("userid", username);
post.addParameter("pwd", password);

// Expect a redirect response code on a successful sign on. HttpClient 3.x does
// not follow redirects for POST, so the 302 comes back to us instead of being
// followed. A failed sign on re-renders the login page, which is not a 302.
try {
    if (client.executeMethod(post) != 302) {
        throw new Exception("Expected a redirect response code.");
    }
} finally {
    post.releaseConnection();
}

Cookie[] cookies = client.getState().getCookies();
Cookie pstokenCookie = null;
String pstoken = null;

// Pick out the authentication token cookie. Checking the domain as well as the
// name keeps a same-named cookie from another host from being mistaken for it.
for (int cookieIdx = 0; cookieIdx < cookies.length; cookieIdx++) {
    Cookie cookie = cookies[cookieIdx];
    if (cookie.getName().equals("PS_TOKEN") &&
            cookie.getDomain().equals(".ps-server.com")) {
        pstoken = cookie.getValue();
        pstokenCookie = cookie;
    }
}

if (pstoken == null) {
    throw new Exception("Ack! Didn't find PS_TOKEN cookie");
}

With my AuthToken (PS_TOKEN) identified, I can store it in a session variable, pass it along to Integration Broker, and then invalidate it when the mobile user logs out. The token belongs in server-side session state only; the mobile client never needs to see it, and should hold nothing more than its own session identifier. Here is some sample code that demonstrates how to invalidate an AuthToken:

import org.apache.commons.httpclient.methods.GetMethod;

// Present the stored PS_TOKEN cookie and request the sign out URL, so the token
// is invalidated on the server rather than merely forgotten by the web tier.
HttpClient client = new HttpClient();
client.getState().addCookie(pstokenCookie);
GetMethod get = new GetMethod("http://my.ps-server.com/psp/hrms/?cmd=logout");
int httpResponseCode = client.executeMethod(get);
get.releaseConnection();
// The original left this as a TODO; at minimum, an error status means the
// logout did not happen and the token must not be assumed dead.
if (httpResponseCode >= 400) {
    throw new Exception("Logout failed with HTTP " + httpResponseCode);
}


Tags: java, peoplecode, peopletools, security


© 2010   Created by Derek Tomei
