JavaRanch » Java Forums » Engineering » HTML, CSS and JavaScript

Is it feasible, SSO from JS?

dema rogatkin
Ranch Hand

Joined: Oct 09, 2002
Posts: 294
I'm working on a portal that allows access to different web sites requiring authentication, for example signing in to different e-mail systems like Yahoo, Hotmail or Gmail. My portal can keep user credentials for every such site. So, JS sends a request to a servlet asking it to sign in to the required site and send back the session cookie. Then JS tries to open the site using the received session cookie. It seems browser security won't allow that. What other solution can there be? I do not want to send password information in a JS variable, for the sake of security.

Eric Pascarello

Joined: Nov 08, 2001
Posts: 15385
The only way is to change the browser security settings or you may be able to get a signed script, but I am not sure about that. This security is there so people can not manipulate your data on other websites. Imagine a bank account!

dema rogatkin
Ranch Hand

Joined: Oct 09, 2002
Posts: 294
Actually, it's my goal. I'm a frequent flyer, so sometimes I have to check my account from public web terminals. I have no idea what kind of software can be installed on them, like keyloggers, traffic sniffers and other stuff. So, I want my server, which I can trust, to log in to a bank account and provide me only the responses, or give me a cookie, so the current browser can be considered signed in. When I finish I can just close my session and browser. The 1st approach, where my server plays the role of a proxy, seems feasible; however, I'd like to find a simpler solution, if any.

Edit: you may ask, since I need to log in to my server, that it can also be logged, so in this case a hacker can get access to all my accounts, so it's worse. To avoid that I use one-time login accounts, so I can log in only once with these credentials. I have a set of such credentials or a PDA-based generator of them.
[ November 21, 2005: Message edited by: dema rogatkin ]
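
The browser behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified model of the RFC 6265 rules a browser applies to a `Set-Cookie` header, showing why a session cookie relayed by the portal is never attached to requests for the other site. The hostnames and function names are constructed for illustration, and the public-suffix check that real browsers also perform is omitted.

```javascript
// Simplified model of RFC 6265 cookie scoping (added illustration).
// Hostnames used with it are constructed; no public-suffix check is done.

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Decide what the browser stores for a response served by `responseHost`.
function storeCookie(responseHost, header) {
  const c = parseSetCookie(header);
  if (!c) return { stored: false, reason: 'malformed' };
  let domain = c.attrs.domain;
  if (typeof domain !== 'string' || domain === '') {
    return { stored: true, scope: responseHost.toLowerCase(), hostOnly: true };
  }
  domain = domain.replace(/^\./, '').toLowerCase();
  if (!domainMatch(responseHost, domain)) {
    return { stored: false, reason: 'Domain does not match response host' };
  }
  return { stored: true, scope: domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestHost`?
function wouldSend(stored, requestHost) {
  if (!stored.stored) return false;
  requestHost = requestHost.toLowerCase();
  return stored.hostOnly ? requestHost === stored.scope : domainMatch(requestHost, stored.scope);
}
```

A response from `portal.example.org` carrying `Domain=webmail.example.com` is dropped, and the same cookie set without a `Domain` attribute is stored host-only for the portal and never sent to the mail site.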