Using another user database and SSO?

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi Rafael,
The forum looks great btw. A question: if I want to run the forum off another user store, am I right in thinking that all I have to do is create my own driver (override or implement all the interfaces of the classes in net.jforum.drivers.mysql and net.jforum.drivers.mysql.security)?

[actually there is a small problem in that the ids aren't integers but UUIDs, so I guess some mapping table will need to be set up]

If I want to have a single sign on, with another application on the same server, what would this involve? Presumably it's just setting up the correct session state, though now I'm wondering if this is possible (in a clean way) between 2 different webapps in Tomcat.

thanks,

Mike.
[originally posted on jforum.net by mgoodwin]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I have the same need to base JForum authentication on an external database. Maybe we can come up with a generic way to make it easy to implement such a coupling. We might even look into a coupling with JAAS, opening up a whole range of possible authentication solutions.

The way I look at it there are a number of tasks that need to be taken care of:

- Login authentication
- Account creation when it is the first time a specific user visits the forum
- Access control mapping (which groups does a specific user belong to)
- User rename when a username changes.
- Optionally: account deletion when the user is removed from the external system

Maybe we can discuss alternative implementations to perform these tasks?

For instance, for the user rename task I see at least three possible solutions:
1) Actively rename the user in the JForum tables when the name is changed externally
2) Passively rename the user when he/she logs in to JForum and the name has changed since the last login.
3) Completely ignore the user name in the JForum tables and always retrieve the name of a user from the external authentication system.

Alternative 1 has the disadvantage that the "host system" must actively instruct
JForum to rename a user. This is hard to do generically because of the wide range
of possible host systems.

Alternative 2 has the disadvantage that when the username of a user changes
this is only visible to other forum users after the user has used the forum at least
once.

Alternative 3 is probably the most complex to implement and might induce some
performance issues.


[originally posted on jforum.net by Pieter]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
There is OSUser ( http://www.opensymphony.com/osuser ), which may help.

And it is not possible to delete a user if he has any messages (and I guess that removing the messages posted by the user is not an option...)

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi thanks for the responses,

Pieter and Rafael,
I'd definitely be looking at solution 3, as the userstore I intend to work off is local (although it itself will get user credentials (only) from an LDAP server). Also I'd say it's probably the most simple to implement. Though if I were to have a synchronized local version, I guess you'd just treat it like any cache. Account creation and user/group management through JForum would be disabled.

Account deletion, though, that's a tricky one. I guess if all the usernames are pulled dynamically each time, if a user got deleted one would have to have 'deleted user' as the name. Guess that means disabling users in that case instead.

The only way to create something useful for others, except for having a slightly more pluggable - write your own - user driver interface, would be to opt for interoperability with an open standard userstore. I guess this brings us on to OSUser and JAAS.

I had a quick look at OSUser and I'm not sure exactly what to make of it. (The only working documentation was the API.) It seems to be a bunch of interfaces for working on top of another userstore. In what way does this differ from JAAS?

I guess what you'd (we'd) be wanting to do is to have your user system written to conform to one of these interfaces in some way, so then it would be easy for the user stuff to be run off one of the other systems with which OSUser works. Any thoughts?

I hope all this I say makes sense ..

cheers,

Mike.
[originally posted on jforum.net by mgoodwin]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
The overview of OSUser looks promising, but the lack of documentation could be a real problem (the Wiki is unresponsive, but maybe that contains some good documentation?)

It might be an option to make all posts of a deleted user revert back to some default owner ("*Deleted*", or "Anonymous").

[originally posted on jforum.net by Pieter]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Pieter wrote:
It might be an option to make all posts of a deleted user revert back to some default owner ("*Deleted*", or "Anonymous").


My approach is: don't delete the user, just set a flag to disable its login. There is already a field in jforum_users to handle this.

The messages posted by the user don't change at all...

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Jira ( http://www.atlassian.com/software/jira/ ) has support for OSUser, and I know a few other systems that use it too, but I never tried it.
I don't know JAAS well either, so I don't have a concrete opinion yet. I'll take a closer look into it.

So, keep going on suggestions, guys! :-D

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
The biggest problem with deleted users is that I don't want misconceptions about who actually posted a message. In the system I want to use JForum with, deleted usernames can be reused, so I need a convincing way to flag posts by deleted users.
[originally posted on jforum.net by Pieter]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Pieter wrote:The biggest problem with deleted users is that I don't want misconceptions about who actually posted a message. In the system I want to use JForum with, deleted usernames can be reused, so I need a convincing way to flag posts by deleted users.


I am not sure if I understood your point.

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Pieter wrote:
Let's say player "Pieter" posts some irritating posts, flaming all over the place. Pieter's account is removed from our own system, but remains present in the JForum database. Now a new player creates an account under the name "Pieter" (which is perfectly legal in our system), and posts some innocent question.


My initial intention was to not allow another guy named "Pieter" to register. The old "Pieter" remains in the database, but with its account locked, eg, the system will no longer allow him to log in with that username.

Pieter wrote:
Casual readers could think that the old posts under the name "Pieter" were written by the new "Pieter", leading to all kinds of misunderstandings.

If we could rename the old "Pieter" account to something like "*Deleted*", the old posts are no longer related to the name "Pieter".


Ok, let's take into account that we don't block the username, but indeed just rename it. Now all posts from the user in question will be identified by "Deleted", and my opinion is that it will confuse users. It may even be "harmful" to the user / forum, since even the "good" messages posted by him will have a new username's author.

Why not remove all the user's messages, instead of keeping them in the database?

It is not hard to make this functionality of renaming a user. In fact, it is already done, since you can edit all of a user's data from the Admin Panel.
But I still believe that is not the best choice.

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I will try to elaborate.

Let's say player "Pieter" posts some irritating posts, flaming all over the place. Pieter's account is removed from our own system, but remains present in the JForum database. Now a new player creates an account under the name "Pieter" (which is perfectly legal in our system), and posts some innocent question. Casual readers could think that the old posts under the name "Pieter" were written by the new "Pieter", leading to all kinds of misunderstandings.

If we could rename the old "Pieter" account to something like "*Deleted*", the old posts are no longer related to the name "Pieter".
[originally posted on jforum.net by Pieter]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Rafael Steil wrote:
My initial intention was to not allow another guy named "Pieter" to register. The old "Pieter" remains in the database, but with its account locked, eg, the system will no longer allow him to log in with that username.

I think this is the right solution for most forums, but my forum will be run on a game site with a high turnover. To avoid blocking all decent names within no time, we decided to allow reuse of names.

Rafael Steil wrote:
Ok, let's take into account that we don't block the username, but indeed just rename it. Now all posts from the user in question will be identified by "Deleted", and my opinion is that it will confuse users. It may even be "harmful" to the user / forum, since even the "good" messages posted by him will have a new username's author.

Is it even possible to have multiple users with the same name ("Deleted"), or do we need to add a number or something to separate multiple deleted users?

Rafael Steil wrote:
Why not remove all the user's messages, instead of keeping them in the database?

This might be the best solution although not perfect because some threads will not make sense anymore when some messages are deleted.

Rafael Steil wrote:
It is not hard to make this functionality of renaming a user. In fact, it is already done, since you can edit all of a user's data from the Admin Panel.
But I still believe that is not the best choice.
Rafael


I don't think the perfect solution exists, but I agree that deleting the posts might be the best compromise. We might even consider to replace the deleted posts with a post containing only a message like "Post deleted because the user account was removed".


[originally posted on jforum.net by Pieter]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Pieter wrote:
Is it even possible to have multiple users with the same name ("Deleted"), or do we need to add a number or something to separate multiple deleted users?


Yes, it's possible. JForum does not check for duplicates in places other than when registering a new user. So, you could go to User Management in the Admin Panel and set the same username on many users without problem, only if you are sure that the account will not be used anymore. I emphasize this because some problems may occur when two users with the same username are in the forum at the same time.

Pieter wrote:
I don't think the perfect solution exists, but I agree that deleting the posts might be the best compromise. We might even consider to replace the deleted posts with a post containing only a message like "Post deleted because the user account was removed".


I agree. And anyway, you could rename the user without problems.

Rafael
[originally posted on jforum.net by Rafael Steil]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I think there is a very simple solution to this problem.

You leave the user in the DB, with the same user_id. However, you "append" a configurable suffix (e.g. "-ex00") to the name, which will change "Pietr" to "Pietr-ex01". The suffix can be fed into a MessageFormat with the counter as the argument. This allows the name to be reused over and over. If you delete two "Pietr" users, then you end up with "Pietr-ex01" and "Pietr-ex02".

Since the user, and thus their user_id, is never deleted, all messages are properly attributed to that account, and their profile is still available. Thus, the post and thread tables retain their integrity.

Then you add a table, "jforum_lockuser" or something like that. In this table, you have [ user_id, state, explanation ]. Then, when you attempt to log in a user, you check this table to see if the user_id is there, and if it is you block the login. The "state" field allows you to delineate "locks", say for example temporary locks, locks until contact, and permanent locks. Finally, the explanation field allows you to add a field to the Profile page for the user explaining why their account is blocked. This way, if the user attempts to log in and cannot, but does not know why they have been blocked, they can pull up their profile and see the explanation there.

Most importantly, this design allows users to be "unlocked" at a later date. They may lose their original login name, and need a new one, but their account integrity is never lost, and their threads and posts remain intact.

As for completely deleting an offensive user, I say you still only block the user_id, but you still provide some mechanism that says "Delete all posts and replies by this user".

[originally posted on jforum.net by Anonymous]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
This might be a suitable solution, and in our case we don't need the "block" table, just some way to prevent users from logging in under a blocked name (for instance by setting their password to something strange). This solution does imply that users are not allowed to choose a name that ends with a suffix that can also be generated.

This brings us to the general issue of name compatibility. We want to use our usernames directly in JForum, so users can recognize players they know from our games. This means that any username in our system must be acceptable for JForum. Are there any built-in limitations on the usernames in JForum, like maximum name length and characters that are not allowed?

As we have an existing userbase of over 50000 active players, we do not have the option to make the rules about usernames more strict. We currently support usernames of up to 12 characters that may contain letters, digits, and the following characters: _-!$'()^{}%
Would these names constitute valid names in JForum?

If the rules about names in JForum are less strict than our rules, we can use a character that cannot be used in our usernames to signal "deleted" users in JForum.

[originally posted on jforum.net by Pieter]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Pieter wrote:
If the rules about names in JForum are less strict than our rules, we can use a character that cannot be used in our usernames to signal "deleted" users in JForum.


The username should not be longer than 50 chars. That's all currently.

Rafael
[originally posted on jforum.net by Rafael Steil]
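
The retire-and-lock design discussed in the posts above (keep the user_id, append a MessageFormat suffix with a counter, block login through a lock table, refuse registrations that end in a generated suffix, stay within the 50-character limit), sketched in Java as an added example that is not part of the original thread or of JForum's code. The class, method and enum names are hypothetical, and in-memory maps stand in for jforum_users and the proposed "jforum_lockuser" table.

```java
import java.text.MessageFormat;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration; all names here are hypothetical, not JForum's API.
public class RetiredNames {
    enum LockState { TEMPORARY, UNTIL_CONTACT, PERMANENT }
    record Lock(LockState state, String explanation) {}

    static final int MAX_LEN = 50;                    // limit stated in the thread
    static final String SUFFIX = "-ex{0,number,00}";  // configurable suffix pattern
    // Names that look like a generated suffix are reserved, so nobody can register one.
    static final Pattern RESERVED = Pattern.compile(".*-ex\\d{2,}$");

    final Map<Integer, String> names = new HashMap<>(); // user_id -> username
    final Map<Integer, Lock> locks = new HashMap<>();   // stand-in for the lock table
    int nextId = 1;

    int register(String name) {
        if (name.isEmpty() || name.length() > MAX_LEN) throw new IllegalArgumentException("bad length");
        if (RESERVED.matcher(name).matches()) throw new IllegalArgumentException("reserved suffix");
        if (names.containsValue(name)) throw new IllegalArgumentException("name in use");
        names.put(nextId, name);
        return nextId++;
    }

    // Keep the user_id (posts stay attributed), free the name, block the login.
    String retire(int userId, LockState state, String why) {
        String base = names.get(userId);
        if (base == null) throw new IllegalArgumentException("unknown user_id");
        for (int n = 1; ; n++) {
            String candidate = base + MessageFormat.format(SUFFIX, n);
            if (candidate.length() > MAX_LEN) throw new IllegalStateException("suffix does not fit");
            if (!names.containsValue(candidate)) {
                names.put(userId, candidate);
                locks.put(userId, new Lock(state, why));
                return candidate;
            }
        }
    }

    // Login check: the user_id must exist and must not appear in the lock table.
    boolean mayLogin(int userId) { return names.containsKey(userId) && !locks.containsKey(userId); }

    public static void main(String[] args) {
        RetiredNames forum = new RetiredNames();
        int old = forum.register("Pieter");
        System.out.println(forum.retire(old, LockState.PERMANENT, "account removed upstream"));
        int fresh = forum.register("Pieter");          // name is reusable under a new user_id
        System.out.println(forum.mayLogin(old) + " " + forum.mayLogin(fresh));
        System.out.println(forum.retire(fresh, LockState.TEMPORARY, "cooling off"));
    }
}
```

Where the external system's name rules cannot be tightened to reserve the suffix, the alternative raised in the thread applies: put a character that the external system never allows into SUFFIX, so a retired name can never collide with a live one.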
 