用JS反向代理访问SSO下的REST服务

Posted 2021-04-25 信息安全club

            “一花独放不是春,百花齐放春满园”——《古今贤文》

周日是《百花齐放》栏目，接收team内同学的原创文章，比如incident 成功案例的总结等。也会有不定期的代码道场，小型编程比赛等活动。

第一期的文章来自Michael song，大家鼓掌

 

Coordinate SSOand backend restful request with javascript reverse proxy

 

Problem(s)solved

1)      A desktopapplication communicates with remote server through restful API. All http(s)request are protected by SSO (single sign-on) server. In other words, eachrequest should be authenticated by SSO server (SSO server generates identitycookie), if not, it will redirect to SSO’s login URL. However, a desktopapplication cannot popup browser get SSO authentication.

2)     Normally, user accesses website viabrowser.  In some special cases, he (she)need to open local desktop application. It’s bad experience to ask him (her) tologin again in application.

3)     Sometimes, the same user login website andapplication at same time, it’s helpful if the both connections share samesession.

 

Priorsolutions

Currently, an applet application can inherit IE’s session/cookieand append them to its restful request. Till now, only IE support applet.Firefox and Chrome do not support applet in recent version. If your applicationis written in Java, there is no way to inherit web session.

Another one is a very tricky way that server encrypts cookieswith private key and show it on page. User copy it and input it on application,then application decrypt it with public key. Honestly, it’s not strongaccording security policy.

For the second solution, a same SSO authentication is activein two places. To gain high security, the SSO server would renew the cookievalue. In that case, the client will get non-authentication exception.

 

 

Description

Our solution is to setup a reverse proxy on browser withJavaScript. We call it JsProxy . Localhost application listens to a localhostport after starting up. JsProxy keep a long connection with server to handleserver’s initiative data. In the meantime, it setups another long connection tolocal application. via JsProxy, local application and server can communicate eachother.

 

Advantages

1)     This solution resolve the requirement how tocommunicate each other through SSO protection.

2)     Share unique session between website and localapplication.

 

Title

Coordinate SSO and backend restful request with JavaScriptreverse proxy

 

Abstract

We setup reverse proxy (JsProxy) with JavaScript in browserafter user login. Through JsProxy, local application bypass SSO authenticationto communicate with server.  The webpageand local application share the same user session.