JavaRanch » Java Forums » Products » JForum
Webapp Integration -- SSO issues

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I have searched this topic, and read a lot of information about SSO, but I still cannot see how to implement the feature that I want. Let me try to explain.

I have a webapp. This webapp implements a "portal" and part of my portal is JForum forums for the community. There will be links from the portal into the forums.

Here is what I would like. The user logs into my portal. When they log into my portal, I would like to have them automatically logged into the forums. When I say "automatically logged in", what I mean is that when they click on any of the forum links, and they are redirected to the forum, I want JForum to "recognize" the person as logged in.

I do not see how I can use SSO or any of the suggestions I have read because it seems to me that these only apply to the case of the user logging in using the login page.

Furthermore, there is no way for me to share information across sessions (between my webapp and jforum). So how will my SSO authenticator code in jforum know how you are logged into my webapp?

I hope I am making sense.

My first thought was to simply create the cookies that JForum uses for "automatic login". I figured that if I created those cookies, JForum would see them and consider me logged in. However, I think that if JForum has already run as "anonymous", there is a UserSession, so there is no call to validateLogin() and there is no consulting my cookies. Anyway, the cookies seem to have no effect.

Ideally, I would like to be able to add a new cookie "jforumValidateSession", which jforum would consult on every page, and if it is set, would re-establish the userSession using the cookies provided for autologin. Does that make sense? Is it practical? Is there any alternative?

I guess I am okay with hitting a URL to perform the same thing. Can I do this now?

Thanks,
Tim.


[originally posted on jforum.net by time]
Ok. I have tried three things, and none of them work.

First, I tried just adding the cookies "jforumUserHash", "jforumUserId", and "jforumAutoLogin" as if the user had logged in with "autologin" checked. This had no effect. The JForum still saw me as "anonymous". I believe this could not work, because JForum had no way to know that it should remove any existing "UserSession".

Second, I tried making a URLConnection to:
/forums/jforum.page?username=USER&password=PASS&module=user&action=validateLogin&autologin=on

Hoping that this would cause JForum to do all the things related to a proper login. This did seem to work, as I saw the following on my tomcat log:
INFO [SessionFacade ] Removing session A3C4FB0D88FB27AD54B642C8DD98A00E

when my webapp connected to the url. The URLConnection returns status 200 OK, and I get some 9565 bytes of data. So, I believe that JForum validated the login and created a new UserSession for it.

Alas, there is no change in my web browser. I still appear to be user "anonymous" when I refresh my page or navigate. Of course, the browser's cookies were not changed.

Finally, I left the validateLogin call in place (and still get status 200 OK) and after the login call, I added the jforum cookies. Now, I was getting the validateLogin success, seeing JForum log the session removal, AND the browser had the proper jforum cookies that it needed.

Alas, I still appear as "anonymous" on JForum page refreshes.

I am stumped now.
[originally posted on jforum.net by time]
Ok. Now that I think about this, there is one missing piece. I need to have the JSESSIONID from tomcat to be placed into the browser's cookies, otherwise, the browser's session cannot be tied to the JForum UserSession that was created by my validateLogin call. The problem is that the reply to validateLogin does not return any cookies.

I suspect that tomcat is deciding that my URLConnection is not capable of cookies, so it is using URL-based session ids. I will see if I can get the session cookie and see if this is the missing piece....
[originally posted on jforum.net by time]
First question: why don't you put JForum under the same context of your main web application? this way you can share the HttpSessions without any problems.

If you don't want to do that, you can edit server.xml and set "crossContext" to "true", and then put the information in the ServletContext.
Something like "__timeLogged", "__rafael123Logged", and etc.

One more option is to write the information to a database table and make the SSO class check that table.

Rafael
[originally posted on jforum.net by Rafael Steil]
First Q: I did not know I could combine JForum under my context. How do I do this? Don't I have to combine all of the JForum webapp files and directories into my webapp? That seems like an impossible task.

I dislike using cross contexts, because it is not supported under every container, and its support under each container seems to be non-standard.

As for putting the information into a database, that seems to have lots of issues, the biggest of which is that it does not solve my problem.

My problem is not validating a login when the user logs in. I can do that now.

The issue is that I wish to bypass the login process entirely, and allow any user logged into my webapp to move seamlessly between my webapp and jforum. Even if I place jforum under my webapp, I still have the exact same problem, unless I take over the jforum UserSession creation, and related login functions, which is something I want to avoid.

It seems to me that no one has a good solution for this.
[originally posted on jforum.net by time]
Ok. The problem is definitely that I have no means of providing the session id that tomcat expects. I need to place it into a cookie to tie to the UserSession created by JForum when I validateLogin.

I see that Tomcat always uses URL rewriting for the first page that it sends, because it cannot tell if the browser supports cookies. Or maybe there is something else it is deciding to do to make that decision. As I see it, there is no standard thing to expect.

The easiest solution would be if JForum would place the session ID into a header line on the reply to validateLogin, or possibly in reply to another specific request (such as "getSessionId"). This would allow me to grab the session id and place it into the browser's cookie. Of course, none of this will work if cookies are disabled.

I think this might be too much effort for what it is worth.
It is not a shortcoming of JForum. It seems to be a general shortcoming of current technology.
[originally posted on jforum.net by time]
I have verified that the session is the issue.

If I create the jforum cookies for autologin, then stop and restart Tomcat, then the cookies work as I expect and all is well. This is because stopping tomcat kills all sessions. When I come back up, there is no session for my browser, and JForum performs the autologin to establish me. If, however, there was already an anonymous session, then the autologin does not happen. Further, my validateLogin request creates the UserSession and session (tomcat) for the login that I want, but I have no simple means of getting that session id to set my cookie to.

I see that I get the session id as "jsessionid=" encoded URLs in the page data that is returned from my validateLogin request, but I do not think that I can count on that always being there, as it depends on the page having links with session ids embedded in them, and my ability to properly parse them.

I still do not understand how Tomcat is deciding that I should get the url encoding instead of a cookie. I realize that it needs to "test" the browser with the first page, but there is no cookie header in that first page, so how will it know if I can send one back if there is no cookie in the first place. It seems to me that the session id should be in a cookie on that first page, otherwise tomcat would have no way to know if I am cookie enabled.

It is almost as if Tomcat has already decided that I am not cookie enabled. Is there some new HTTP header that indicates this capability that I am unaware of?

[originally posted on jforum.net by time]
Nice.

Just to let you know: you can put as many web applications as you want under the same context, as long as there aren't any conflicts of url-pattern mapping.
All you have to do is to copy the files to the same directory and merge the web.xml files.

Rafael
[originally posted on jforum.net by Rafael Steil]
Ok. I finally solved the problem in a way that makes me pretty happy.

The summary boils down to this: when I log into my webapp, I call a method that makes a URLConnection to JForum's invalidateLogin. The URLConnection will return a number of cookies, including the JSESSIONID and the jforum cookies. The method then establishes these cookies inside of my webapp. Because the same browser is talking to both webapps, they both see the same cookies (respecting Path of course). Once these cookies are established, my user is logged into JForum when they log into my webapp.

The problem that I was left with - how to get the JSESSIONID - boiled down to my incorrect use of the URLConnection. I forgot that by default the connection will "follow" 3xx response codes (specifically 302 'Moved Temporarily' used by Tomcat to determine if cookies are available). Once I called setInstanceFollowRedirects( false ), I got the cookies that I was looking for, and all of the pieces fell into place.

Of course, this does not deal with the issue of the user logging out of JForum (I am tempted to remove the link!). But overall the solution is very reasonable. The user will learn what not to do, and will pay the price of login when they forget.

I will post the code in the next reply.

I sure would like some feedback from others on this solution.
[originally posted on jforum.net by time]
Here is the method that I added to my webapp to handle "autologin" for JForum. When the user logs into my web application, the code that verifies the login and establishes the session makes a call to this method with the user name that it retrieves from jforum_users (I use the email for my login, which I then use to lookup the user in jforum_users) and the password that the user enters for my webapp (and which is stored into jforum_users when they register). I control the jforum user database record creation, so I can keep everything in sync.

This code is very rough, since I am still in alpha, but you will get the idea.


[originally posted on jforum.net by time]
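The helper that time describes above (the validateLogin call with redirects disabled, then replaying the returned cookies into the portal's response), reconstructed here as an added example; it is not the code time posted, and the forum URL, cookie path, success-cookie name and the assumption that JForum's validateLogin accepts a POST body are mine.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/**
 * Logs a portal user into a co-hosted JForum server-side and replays the
 * cookies JForum hands back onto the portal's own response. Hypothetical
 * helper: the forum URL, cookie path and cookie names are assumptions.
 */
public class JForumAutoLogin {

    private static final String FORUM_BASE = "http://localhost:8080/forums";   // assumed
    private static final String FORUM_COOKIE_PATH = "/forums";                  // assumed
    /** Cookie JForum sets only after a successful autologin (named in the thread). */
    private static final String SUCCESS_COOKIE = "jforumUserHash";

    /** Runs validateLogin against JForum and returns every cookie it and Tomcat set. */
    public static List<Cookie> login(String username, String password) throws IOException {
        URL url = new URL(FORUM_BASE + "/jforum.page");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        // Tomcat answers the first request of a new session with a 302 carrying
        // ;jsessionid=... while it checks whether the client returns the JSESSIONID
        // cookie. Following that redirect loses the Set-Cookie headers we need.
        conn.setInstanceFollowRedirects(false);
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        // Credentials go in the body rather than the query string so they stay
        // out of the access log (assumes JForum accepts POST for validateLogin).
        String body = "module=user&action=validateLogin&autologin=on"
                + "&username=" + URLEncoder.encode(username, "UTF-8")
                + "&password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes("UTF-8"));
        }
        conn.getResponseCode();   // sends the request; JForum returns 200 either way
        List<Cookie> cookies = new ArrayList<Cookie>();
        for (int i = 0; conn.getHeaderField(i) != null; i++) {
            if (!"Set-Cookie".equalsIgnoreCase(conn.getHeaderFieldKey(i))) continue;
            // "NAME=VALUE; Path=/forums; HttpOnly" -> keep NAME and VALUE only
            String pair = conn.getHeaderField(i).split(";", 2)[0];
            int eq = pair.indexOf('=');
            if (eq <= 0) continue;
            Cookie c = new Cookie(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
            c.setPath(FORUM_COOKIE_PATH);   // must match the path JForum's cookies use
            c.setHttpOnly(true);            // Servlet 3.0+; page scripts never need these
            cookies.add(c);
        }
        conn.disconnect();
        return cookies;
    }

    /** Call from the portal's login handler once its own password check has passed. */
    public static boolean establish(HttpServletResponse portalResponse, String username, String password) throws IOException {
        boolean loggedIn = false;
        for (Cookie c : login(username, password)) {
            portalResponse.addCookie(c);
            loggedIn |= SUCCESS_COOKIE.equals(c.getName());
        }
        return loggedIn;
    }
}
```

Because the browser now holds a JSESSIONID for the forum context, JForum's existing anonymous session is no longer the one it sees, which is the piece that the cookie-only attempts earlier in the thread were missing.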
This technique is working really well for me. I like the fact that I can call the login method from basically anywhere. So, not only when an existing user logs in, but also when a new user registers, I am able to automatically log them into JForum.

Even better, if the user changes accounts within my webapp, the active account in JForum automatically changes with them. Both accounts share the same password, so even if there were a case where it did not work, the user can easily manage the login process under JForum. Except that they need to remember to use their fullname to login, instead of their email (which my webapp uses).

One nice addition to JForum that would help me would be an option to login using the user's email address (jforum_users.user_email) instead of their username. My webapp uses the email address as the login id. The ability to log into JForum using the email address would make the login identical for both webapps. I mean, if it is configured, the login field would be considered an email address instead of the username.
[originally posted on jforum.net by time]
Time, this is great! Exactly what I was looking for.

Merging webapps is not very kosher, and basically doing so isn't SSO, because you're only dealing with one webapp anyway!

Question for you though - how do you manage creation of both accounts? Do you have to create an account in JForum AND in your own webapp? I'd like to have my own webapp's account creation screen also handle account creation in JForum.

Tony
[originally posted on jforum.net by Tony Field]
I handle the JForum database in my application, adding new users and managing their record. When a new user registers with my site, I create all of the necessary JForum records (including the user's group) and set the password using the password the user entered for my webapp.

I then remove the "register", "logout", and "My Profile" links under JForum. I subsume the JForum profile information into my user profile page, and handle the JForum database update within my app.

That's it. It works so well, I wish it was a standard.
[originally posted on jforum.net by time]
Hi time,

If your solution works, then stick with it. For others who are looking for a more sophisticated single sign-on solution, check out this article:

http://www-128.ibm.com/developerworks/web/library/wa-singlesign/

Mike
[originally posted on jforum.net by Anonymous]
Time can you perhaps post this code as well? I'm going to manage users in jforum also.

Maybe this would be a great thing to add to confluence along with your auto-login.

Mark


time wrote:I handle the JForum database in my application, adding new users and managing their record. When a new user registers with my site, I create all of the necessary JForum records (including the user's group) and set the password using the password the user entered for my webapp.

I then remove the "register", "logout", and "My Profile" links under JForum. I subsume the JForum profile information into my user profile page, and handle the JForum database update within my app.

That's it. It works so well, I wish it was a standard.

[originally posted on jforum.net by conquest]
In response to the "SSO is the more sophisticated solution" -- that may be true, but the fact is that SSO does NOT accommodate my needs.

Authentication is only part of the problem. The issue for me was to avoid two logins. NOT two user ids or passwords, but actually logging into my webapp and then logging into JForum. I wanted my users to never see the JForum login. If you can explain how to accomplish this with SSO, I would love to hear it.

As for the code request I am not sure how useful the code I have will be. It is very integral to my webapp. However, here is the helper class that I use. (next post).
[originally posted on jforum.net by time]

[originally posted on jforum.net by time]
Cool thanks! So what login mechanism are you using? Did you write your own filter or are you using something like SecurityFilter?

I'm using SecurityFilter.

Mark
[originally posted on jforum.net by conquest]
I wanted my users to never see the JForum login. If you can explain how to accomplish this with SSO, I would love to hear it.


authentication.type=sso disables all register/login/recover password options in jforum menu.

whenever you access jforum, authenticateUser() and isSessionValid() methods determine whether you are logged in or not on your main app. because i use a persistent login cookie, that's what i used in those methods :-



I'm not disagreeing with anyone's approach, it's just that I used the built-in SSO stuff - and it took care of all you mentioned in above quote (cept login to forum at same time as login to host app) and it's been trouble free.

Just like to use code if its already there.

-Mark.
[originally posted on jforum.net by Anonymous]
Mark,

Thank you for clarifying the point regarding the login being disabled. I did not catch that when I was reviewing the documentation. It does appear that this resolves the issue, so once 2.1.5 is rolled out, I may try to update to SSO.

Thanks, tim.
[originally posted on jforum.net by time]
So Mark are you running all within the same context? ie did you just copy all the jforum files and merge the web.xml?

Do you know how we can use the 2.1.5 stuff cross-context? I'm still researching and this is the last part I don't fully understand in Tomcat.

Thanks for the info!

Mark


Anonymous wrote:

authentication.type=sso disables all register/login/recover password options in jforum menu.

whenever you access jforum, authenticateUser() and isSessionValid() methods determine whether you are logged in or not on your main app. because i use a persistent login cookie, that's what i used in those methods :-

I'm not disagreeing with anyone's approach, it's just that I used the built-in SSO stuff - and it took care of all you mentioned in above quote (cept login to forum at same time as login to host app) and it's been trouble free.

Just like to use code if its already there.

-Mark.

[originally posted on jforum.net by conquest]
Hi Time,
no worries, there's errors in the wiki docs regarding SSO parameters etc, and some of the source needs a tweak (for me anyway) - the sso.redirect didn't work correctly from cvs. I still think it could be improved - but SSO certainly makes it more 'pluggable'.

Your source code is useful btw, some nice things in there that will save me some time

KDE rocks!

conquest wrote:So Mark are you running all within the same context? ie did you just copy all the jforum files and merge the web.xml?


MrNice sed wrote:I approach integrating jforum into existing app by simply creating a virtual host in tomcat with multiple contexts. I don't use the tomcat webapp folder - just install the /manager app context in the virtual host:
1. your app at context /
2. forum at context /forum
3. manager at context /manager (only allow LAN access)

then I use SSO for sign-on if required by the 'root' application. I find this approach very flexible and easy to manage.

JForum rocks!



Rocks! may the source be with you... :lol:

-Mark.
[originally posted on jforum.net by Anonymuos]
Dooh yeah Sorry Mr Nice .... I remembered reading that on my way home
[originally posted on jforum.net by conquest]
no, i don't merge the apps btw - therein lies the way to madness.
[originally posted on jforum.net by Anonymuos]
ok - how do your users login at the moment?
[originally posted on jforum.net by Anonymuos]
I use SecurityFilter, so I have protected pages just like JAAS which are protected via web.xml. I implement a simple class much like sso for JForum.

I'm googling how to share my session. I see in the host I can specify crossContext=true then I think I could use ServletContext.getContext() and set what I need.

Or perhaps this is getting messy.
[originally posted on jforum.net by conquest]
I can see why this works cross context. It's essentially Tim's solution because it's using a cookie, but it's being done in the JForum webapp. I'm not using a persistent cookie.

I have everything running under a virtual host as well. I tried just dropping the right attributes in the session with no luck.
[originally posted on jforum.net by conquest]
so you are http authenticated?

do users have to login each visit then?

Or perhaps this is getting messy.


:lol: i think adding a session cookie would be much easier

if SecurityFilter does do HTTP auth then see post i did earlier.

http://www.coderanch.com/t/575731

[originally posted on jforum.net by Anonymuos]
ok - i looked at SecurityFilter and i think it's HTTP auth (pretty sure), which means it supports getRemoteUser() method in the default SSO authenticator.

just check out the bug with 'return false'.

you will need to find a way to pass email and password if u want them in jforum profile.

-Mark.
[originally posted on jforum.net by Anonymuos]
SecurityFilter and cookies link (from Google cache): http://216.239.59.104/search?q=cache:5JM6YXFRURgJ:www.junlu.com/msg/46811.html+SecurityFilter+cookies&hl=en
[originally posted on jforum.net by Anonymous]
Yes SecurityFilter has this but I've not implemented it yet.

Also if the user doesn't check "remember me" then they won't get this cookie.

I was just hoping to quickly add the sso attributes to the session and WAHM!


You know sort of like a Jedi mind trick!
[originally posted on jforum.net by conquest]
i set maxAge -1 (session cookie) so when user quits browser they're forgotten. if they want to remain logged in i set maxAge(60*60*24*365).

you should be fine without cookies if you don't want auto login feature, just use getRemoteUser() method.

p.s. think this thread's a bit fat now
[originally posted on jforum.net by Anonymuos]
hi conq

put this in net.jforum.sso.RemoteUserSSO.java (replace old one)





update SystemGlobals

rebuild jforum

login to your app then goto forum - you should be logged in as same username as app.

you won't have correct email in forum profile it will use- user@sso.com - or summink.

you can then work out how to get your user details - email/password.

any help?.....stars!!!
[originally posted on jforum.net by Anonymuos]
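A container-authentication SSO class of the kind Mark describes (getRemoteUser() in authenticateUser(), and isSessionValid() deciding whether JForum keeps or discards its current UserSession), written as an added example rather than the file Mark posted; it assumes the 2.1.5-era SSO interface whose two methods take an HttpServletRequest, that ConfigKeys.ANONYMOUS_USER_ID identifies the guest account, and that the host app's filter (SecurityFilter in this thread) has populated getRemoteUser().

```java
package net.jforum.sso;

import javax.servlet.http.HttpServletRequest;
import net.jforum.entities.UserSession;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;

/**
 * SSO implementation that trusts the servlet container's authenticated principal.
 * Added example; method signatures are assumed from the 2.1.5-era SSO interface.
 */
public class RemoteUserSSO implements SSO {

    private static int anonymousUserId() {
        return SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID);
    }

    /**
     * Called when JForum has no valid UserSession. Returning null means "guest";
     * returning a username makes JForum build a logged-in session for that user.
     */
    public String authenticateUser(HttpServletRequest request) {
        String remoteUser = request.getRemoteUser();
        if (remoteUser == null || remoteUser.trim().length() == 0) {
            return null;
        }
        return remoteUser;
    }

    /**
     * Called on every request. Returning false discards the current UserSession
     * and makes JForum call authenticateUser() again, which is how the stale
     * anonymous session that defeated the cookie-only attempts gets replaced.
     */
    public boolean isSessionValid(UserSession userSession, HttpServletRequest request) {
        String remoteUser = request.getRemoteUser();
        boolean forumAnonymous = userSession.getUserId() == anonymousUserId();

        if (remoteUser == null) {
            // Host app says "logged out": only a guest forum session may survive.
            return forumAnonymous;
        }
        if (forumAnonymous) {
            // Host app logged in after JForum had already created a guest session.
            return false;
        }
        // Both logged in: they must be the same account, so switching accounts in
        // the host app also switches the forum identity instead of keeping the old one.
        return remoteUser.equals(userSession.getUsername());
    }
}
```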
Ok yes this thread is out of control ... pm me
[originally posted on jforum.net by conquest]