Java web app (no Spring) Okta integration

Hi, I am trying to integrate Okta authentication into an existing Java web application implemented using Java’s servlet-api. There is no quick start example for the “Generic Java” server side option using the Okta Sign-in page (please see below). Since our application is a web application, is the Okta Sign-in page option the right way to proceed? Are there any examples available? Thanks!

Hi @dev1

The selection between sign-in widget integrated on your website versus redirect to Okta depends on the current design and flow of the application that you are building.

You can use the authentication SDK available here to authenticate the users to Okta or the Java JWT verifier to verify the tokens that you are receiving from Okta. Both repositories contain examples on how to use them.


@dev1
What stack are you on? We have been thinking about creating a few more non-spring examples.

Thanks for the quick response! App is using Java servlet-api/JSP/Struts framework.

Hi @dragos, I am interested in Java JWT verifier approach.

  1. Even though our application is a web application, should I be pursuing sign-in widget approach?
  2. Should the app maintain the received token and authenticate as part of every request?
  3. How do the session time-out and other similar features available in typical web apps work with this type of authentication?

Thanks!

Hi @dev1

  1. If you are integrating the sign-in widget, then the widget’s JS code will be hosted on your end. The advantage here would be that you can customize the sign-in widget to fit the design that you currently have for the application.
  2. Your application should validate the JWT token through the verifier and, if the token is valid, use the subject claim to create a local session for the user inside the application. This would be created and maintained by your application’s logic.
  3. If you have API Access Management, then you can customize the lifetime of the access token (5 min - 1 day) and refresh token (10 min - unlimited). If you don’t have it, then the lifetime of the tokens will be 60 min for access tokens and ID tokens (ID tokens have a static lifetime in both use cases) and 100 days for refresh tokens. In some use cases, I’ve seen the lifetime of the JWT token (exp claim) being used as the lifetime of the session.

Hi @dragos @bdemers,

I want to implement a Java-based Okta OAuth 2.0 approach.

My application is JSP/servlet based only, so I cannot use the Spring Boot implementation.
Please help!
Thanks,
Abhimanu Handoo

Hi all,
I’m sorry to UP an old thread, but I’m searching for documentation to integrate Okta-SSO with Java-JSP Web-Application.
We don’t use Spring, our stack is:
Java/JSP + Maven + Jersey (javax.servlet).
We use “filtering” declared in web.xml to perform AuthenticationFilter and secure all pages; in this way we check the cookie session.

My approach was to substitute the Login Page with the “Redirect” to “Okta-Login” and then use the Okta-SDK methods to validate the token in the above-mentioned “filter”.

Could you direct me to the correct documentation or similar to help me realize what I’m trying to do?
If you have better recommendations, they are very welcome. Thank you

Regards
Daniele

I prepared a very simple “AuthenticationFilter” class to better explain my thought.

package dev.myapp.servlet.filter;
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

@WebFilter("/AuthenticationFilter")
public class AuthenticationFilter implements Filter {
	private ServletContext context;
	public void init(FilterConfig fConfig) throws ServletException {
		this.context = fConfig.getServletContext();
	}
	
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse res = (HttpServletResponse) response;
		String uri = req.getRequestURI();
		// getSession(false) returns null instead of creating a session when none exists
		HttpSession session = req.getSession(false);
		Cookie[] cookies = req.getCookies();

		// Stand-in for the session_is_invalid placeholder so the class compiles:
		// it only checks that a session exists.
		boolean sessionIsInvalid = (session == null);

		if(sessionIsInvalid){    //I supposed to use a SDK-Okta Method
				// Unauthorized access request
				res.sendRedirect("login.html");
		}else{
				// pass the request to the filter chain
				chain.doFilter(request, response);
		}
	}
}
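
The flow discussed in this thread (verify the token from Okta, create a local session from the subject claim, let the `exp` claim bound that session) could look like the sketch below; it is an added example, not code from any poster or from Okta. It assumes the Okta Java JWT verifier library is on the classpath; the class name, the session attribute names `user` and `expiresAt`, and the callback servlet that would call `establishSession` are hypothetical.

```java
import java.io.IOException;
import java.time.Instant;
import com.okta.jwt.IdTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Map this filter in web.xml to the protected pages only, not to login.html or the callback URL.
public class OktaSessionFilter extends HttpFilter {
	// issuer and clientId come from your Okta application settings.
	public static IdTokenVerifier newVerifier(String issuer, String clientId) {
		return JwtVerifiers.idTokenVerifierBuilder().setIssuer(issuer).setClientId(clientId).build();
	}

	// For a (hypothetical) callback servlet to call once the redirect flow has returned an ID token.
	public static void establishSession(HttpServletRequest req, IdTokenVerifier verifier,
			String idToken, String expectedNonce) throws JwtVerificationException {
		// decode() throws if the token does not verify, so nothing below runs for a bad token.
		Jwt jwt = verifier.decode(idToken, expectedNonce);
		HttpSession session = req.getSession(true);
		req.changeSessionId(); // issue a fresh session ID at login, against session fixation
		session.setAttribute("user", jwt.getClaims().get("sub"));
		session.setAttribute("expiresAt", jwt.getExpiresAt()); // exp claim bounds the local session
	}

	@Override
	protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpSession session = req.getSession(false);
		Instant expiresAt = session == null ? null : (Instant) session.getAttribute("expiresAt");
		if (expiresAt == null || session.getAttribute("user") == null) {
			res.sendRedirect(req.getContextPath() + "/login.html"); // no authenticated local session
		} else if (Instant.now().isAfter(expiresAt)) {
			session.invalidate(); // token lifetime is used up: require a new Okta login
			res.sendRedirect(req.getContextPath() + "/login.html");
		} else {
			chain.doFilter(req, res);
		}
	}
}
```

The filter never re-verifies the token on each request; it trusts only the session attributes that `establishSession` wrote after a successful verification.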