JavaRanch » Java Forums » Java » Servlets
Can I log user into numerous sites at once?

Dan Bizman
Ranch Hand

Joined: Feb 25, 2003
Posts: 387
I'm developing a web application for a company that also has two other web
applications. All are Java web server apps. They are all on different
servers (each is load-balanced too, so each site is technically on diff.
servers from itself too), with diff. IPs and diff. web addresses. They
want me to find a way to allow a user to go to any ONE of the websites, log
in, and be logged in to all three sites. So if they go to "someweb.com" and
log in and then point their browser to "someotherweb.com", they'll already
be logged in.

I know I can't use cookies (since browsers only let you read cookies
written by your own domain). Is there a way to use certificates? Or
something else? Is there something that the first site can write/send to
the client that the other sites can also read/check?
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
Dan,

I have some experience with this. Here's one way to do it:

Assume Site A is the primary site and manages the login. Site B is a secondary site.

A user can go to Site A and click a link to go to Site B. Or the user can go to Site B directly.

If a user is on Site B and does something that requires authentication, Site B checks to see if the user is logged in locally. If the user is logged in, the user is allowed to proceed.

If the user is not logged in to Site B, the client browser is redirected to Site A. Site A checks to see if the user is logged in there; if so, a packet containing encrypted profile information is built and attached to a client-side redirect back to Site B. Site B reads and validates the packet and the user can continue.

If the user is not logged in on Site A, Site A displays a login page, authenticates the user, builds the encrypted profile packet, appends it to a client-side redirect back to site B, etc.

I've found that passing the data, encrypted, through the client is sufficiently secure and solves an issue regarding session management. (Site A and B store the session ids in cookies which are not readable by the other site. So it's not possible to do server-to-server HTTP requests to an existing session on the other site.)

The key (no pun intended) is choosing a secure encryption algorithm and implementing it correctly including key management and rotation.

To make this more secure you can include a timestamp in the plaintext data to eliminate replay attacks (resubmitting the same encrypted data in a later session). Site B can validate that the timestamp is less than, say, 1 minute old.

Also, you can hash the plaintext data and append the hash to the plaintext before encrypting. Site B can recalculate the hash to detect any tampering with or corruption of the data.

I hope you were able to follow that. Let me know if you have any questions.

Regards,
Scott
Dan Bizman
Ranch Hand

Joined: Feb 25, 2003
Posts: 387
Thanks! I'm going to read your suggestion more thoroughly and try it out. If I have any questions I'll post them here... well, I do have one:

You say a packet is "attached to a client-side redirect back to Site B". What exactly do you mean by "attached"? Do you mean it's posted to Site B? Put into the HTTP header? Put in a query string? Or something else?

Thanks!
Scott Johnson
Ranch Hand

Joined: Aug 24, 2005
Posts: 518
I was referring to the query string. Depending on the amount of data you are sending, it should fit comfortably in the query string.
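The scheme Scott describes in his two replies above (Site A builds an encrypted profile packet carrying a timestamp and an integrity check, appends it to the query string of a redirect back to Site B, and Site B decrypts and validates it) as an added example that is not code from the thread. It is written in Go rather than Java so it is self-contained with the standard library; a Java servlet would do the same with javax.crypto and AES/GCM/NoPadding. The packet is sealed with AES-256-GCM, whose authentication tag serves as the tamper check in place of a hash inside the plaintext, and Site B rejects packets that fail authentication, are older than the allowed window, or were built for a different site. The profile fields, host names, shared key and window are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"time"
)

// Profile is what Site A vouches for. The field names are assumptions for this example.
type Profile struct {
	UserID   string `json:"uid"`
	Email    string `json:"email"`
	Audience string `json:"aud"` // host the packet was built for; Site B checks it is the intended recipient
	IssuedAt int64  `json:"iat"` // Unix seconds; the "timestamp in the plaintext" from the thread
}

// clockSkew is how far Site B's clock may be behind Site A's before a packet is refused (assumed value).
const clockSkew = 30 * time.Second

// MakePacket encrypts and authenticates p under a key shared by Site A and Site B
// (AES-256-GCM) and returns URL-safe base64 so the result fits in a query-string parameter.
// GCM's authentication tag plays the role of the thread's appended hash: any change to
// the packet makes OpenPacket fail.
func MakePacket(key []byte, p Profile) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Packet layout: nonce || ciphertext || tag. Seal appends to nonce, so one buffer holds everything.
	sealed := gcm.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenPacket is Site B's check: decrypt and verify the tag, then confirm the packet was
// addressed to this site and that its timestamp is within maxAge of now.
func OpenPacket(key []byte, packet, expectedAud string, now time.Time, maxAge time.Duration) (Profile, error) {
	var p Profile
	raw, err := base64.RawURLEncoding.DecodeString(packet)
	if err != nil {
		return p, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return p, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return p, err
	}
	if len(raw) < gcm.NonceSize() {
		return p, errors.New("packet too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return p, errors.New("packet failed authentication") // tampered, corrupted or wrong key
	}
	if err := json.Unmarshal(plain, &p); err != nil {
		return p, err
	}
	if p.Audience != expectedAud {
		return Profile{}, fmt.Errorf("packet addressed to %q, not %q", p.Audience, expectedAud)
	}
	age := now.Sub(time.Unix(p.IssuedAt, 0))
	if age < -clockSkew || age > maxAge {
		return Profile{}, fmt.Errorf("packet timestamp outside the allowed window (age %v)", age)
	}
	return p, nil
}

func main() {
	key := make([]byte, 32) // in production: provisioned to both sites out of band and rotated
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	now := time.Now()
	pkt, err := MakePacket(key, Profile{UserID: "u123", Email: "dan@example.com", Audience: "someotherweb.com", IssuedAt: now.Unix()})
	if err != nil {
		panic(err)
	}
	// Site A's client-side redirect back to Site B carries the packet in the query string.
	q := url.Values{"sso": {pkt}}
	fmt.Println("redirect to https://someotherweb.com/sso?" + q.Encode())

	// Site B receives the request a few seconds later and validates the packet.
	p, err := OpenPacket(key, pkt, "someotherweb.com", now.Add(5*time.Second), time.Minute)
	fmt.Printf("accepted: %+v, err=%v\n", p, err)
	// The same packet replayed after the window is refused.
	_, err = OpenPacket(key, pkt, "someotherweb.com", now.Add(2*time.Minute), time.Minute)
	fmt.Println("replayed after window:", err)
}
```

Two points a practitioner would add to this: the timestamp window only bounds replay, so a packet captured inside the window is still valid until it expires, and Site B can close that gap by remembering the nonces it has already accepted for the length of the window. And because the packet travels in the URL it will land in server logs, browser history and possibly Referer headers, so Site B should consume it, establish its own session cookie, and immediately redirect to a clean URL without the parameter.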
 