Using JForum SSO - a kludger's tale

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Here I have tried to provide an example of how I implemented JForum SSO.

I am not a guru and have no other experience of JForum. This seems to be something people want to do often and it can seem a bit confusing at first.

There are some wiki docs and useful threads you can read (jforum search for SSO) but the source code is the most useful documentation at present ;)

-Mark.


what's SSO?
--------------
JForum provides a simple SSO facility which allows JForum to be easily integrated with existing auth[orisation|entication] systems, typically a web-app that already supports user login.


how is SSO implemented
------------------------------
You create a class that implements the SSO interface, which has two methods - one to authenticate the user, and one to check the session is valid; called authenticateUser() and isSessionValid() (funnily enough).

There are also a few properties in the SystemGlobals that need to be changed.


how does JForum SSO work
-----------------------------------

When a user visits JForum, SSO checks to see if the user is logged in (on your app) using the authenticateUser() method, which simply returns the username. If a username is returned JForum will check to see if there is a matching JForum userid.

If there is not an existing JForum userid, one is created on the fly. The user is then logged in to JForum.

All the JForum login/logout/register/password retrieval stuff will be removed from the JForum menus.

If the user is not logged in on your app and tries to access a restricted area of the forum they will be redirected to your app's login page - with a path parameter so you can send the user back to the right forum page once logged in.

SSO manages various use case scenarios, such as the user changing id etc., using the isSessionValid() method.


How to get it
--------------
You need 2.1.5 (currently CVS) to use SSO.


How to run it
---------------
My setup is Apache -> mod_jk -> Tomcat -> Postgres. I run my app on a virtual host, under context '/', and JForum uses '/forum'. I have the Tomcat /manager app installed for restarts/redeploys etc. I don't use the webapps dir or do any cross-context stuff.

If you use HTTP authentication in your app then the default authenticator net.jforum.sso.RemoteUserSSO.java can be used, but it doesn't automatically pass the user's email/password details (see the example below for how to do this). There is also a logic bug - the final 'return false' in isSessionValid() should read 'return true' or else you will be creating a new session with every request.

The automatic registration process will work fine without the email and password session parameters, but the user's email address will be sso@user.com. You can change this in the SystemGlobals.

I don't use HTTP auth and so created my own SSO class, net.jforum.sso.AmbrosiaUserSSO.java below, which uses my existing login cookie to authenticate.

Whatever authentication you use, the example below should make things a bit clearer; your mileage may vary.

If you already have a login cookie with the username you're practically finished! In my case I had to do some kludging with a 'shadow' cookie (JforumSSO) to hold the username, as I use the email address in my cookie.

My login cookie is always set maxAge -1 (session) unless the user has selected 'keep me logged in', in which case it's a year.

I refresh the JforumSSO cookie automatically in authenticateUser() to prevent the case of the forum not being logged in while the app is logged in (e.g. if the user deletes the JforumSSO cookie).

I overloaded the ControllerUtils addCookie() method to accept an expiration parameter (maxAge).

I implemented the add/remove of the JforumSSO cookie in my app's login and logout actions.

I wanted the user's email and password in their forum profile so I do a lookup on my user database in the authenticateUser() method. I jarred up the needed classes from my app and placed them in the JForum WEB-INF/lib folder.




In net.jforum.view.forum.common.ViewCommon.java update the contextToLogin() method if needed - the redirect is for when unauthenticated users try to access a restricted JForum page.

I added an error message and URL-encoded the return page because request parameters were going missing. I also dropped the getContext() guff because I run my app and JForum on different contexts.



Make sure the following SystemGlobals.properties are set correctly (comments in a .properties file must be on their own '#' lines, otherwise they become part of the value):

authentication.type=sso
# your SSO class name
sso.implementation=net.jforum.sso.MyUserSSO
sso.password.attribute=password
sso.email.attribute=email
# I use a full URL; you may not need to
sso.redirect=http://mysite.com/login.jsp

Now rebuild and deploy, log in to your app, visit the forum and look in your profile to check things are working as expected.


handy other things
--------------------------
After registration confirmation myapp sends the user to a welcome post on the forum. This creates the forum account automatically with the correct date/time and also makes the user immediately available for receiving Private Messages.

If you provide a simple method for getting the JForum user's userid from the JForum database, you can present the correct 'my profile' and 'my bookmarks' URLs in your main-site menus (the others will work already).

If you want to go further and do things like display recent topics within your app's pages, or do sign-on integration from your app rather than JForum, then there's some excellent code here, written by Time, that's worth looking at.
[originally posted on jforum.net by Anonymuos]
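The following class is an added example, not code from the post above or from the JForum project. It shows the container-authentication path described in the post: it trusts the principal the servlet container attached to the request (HTTP auth, form auth, or a container SSO valve), hands the user's e-mail to JForum through the session attribute named by sso.email.attribute so that the auto-created account does not get the default address, and ends isSessionValid() with return true so the forum session is not torn down and rebuilt on every request. It assumes the SSO interface signatures of JForum 2.1.8 (authenticateUser(RequestContext) and isSessionValid(UserSession, RequestContext)); the JNDI DataSource name, table name and column names used for the e-mail lookup are hypothetical and must be replaced with your own. Compile it against jforum.jar and the servlet API and drop it into WEB-INF/classes or a jar under WEB-INF/lib.

```java
package net.jforum.sso;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.sql.DataSource;

import net.jforum.context.RequestContext;
import net.jforum.context.SessionContext;
import net.jforum.entities.UserSession;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;

/**
 * Container-authentication SSO for JForum (added example, not project code).
 *
 * The servlet container has already authenticated the request; this class only
 * maps that principal to a JForum username and supplies the e-mail address that
 * JForum's automatic registration reads from the session.
 *
 * SystemGlobals.properties:
 *   authentication.type=sso
 *   sso.implementation=net.jforum.sso.ContainerUserSSO
 *   sso.email.attribute=email
 */
public class ContainerUserSSO implements SSO {

    // Assumption: the application's user table is reachable through a
    // container-managed DataSource. JNDI name, table and columns are
    // hypothetical; change them to match your schema.
    private static final String DATASOURCE = "java:comp/env/jdbc/app";
    private static final String EMAIL_QUERY =
        "SELECT email FROM app_users WHERE username = ?";

    public String authenticateUser(RequestContext request) {
        String username = request.getRemoteUser();
        if (username == null || username.trim().length() == 0) {
            return null; // not authenticated: JForum treats the visitor as anonymous
        }
        username = username.trim();

        // JForum reads this session attribute (named by sso.email.attribute)
        // when it creates the forum account on the fly; without it the new
        // account gets the address configured in sso.default.email.
        String email = lookupEmail(username);
        if (email != null) {
            SessionContext session = request.getSessionContext();
            session.setAttribute(
                SystemGlobals.getValue(ConfigKeys.SSO_EMAIL_ATTRIBUTE), email);
        }
        return username;
    }

    public boolean isSessionValid(UserSession userSession, RequestContext request) {
        String remoteUser = request.getRemoteUser();
        int anonymousId = SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID);

        // Logged out of the application while the forum session still names a
        // real user: the forum session must be dropped as well.
        if (remoteUser == null && userSession.getUserId() != anonymousId) {
            return false;
        }
        // A different principal than the one this forum session was built for.
        if (remoteUser != null && !remoteUser.equals(userSession.getUsername())) {
            return false;
        }
        // Same user (or still anonymous): keep the session. Returning false here
        // would make JForum discard and recreate the session on every request.
        return true;
    }

    private String lookupEmail(String username) {
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DATASOURCE);
            Connection conn = ds.getConnection();
            try {
                PreparedStatement ps = conn.prepareStatement(EMAIL_QUERY);
                ps.setString(1, username); // bound parameter, never concatenated
                ResultSet rs = ps.executeQuery();
                return rs.next() ? rs.getString(1) : null;
            } finally {
                conn.close();
            }
        } catch (Exception e) {
            // A lookup failure is not an authentication failure: the container
            // already vouched for the user, so fall back to the default e-mail.
            return null;
        }
    }
}
```

If you also want the application password stored in the forum profile, set sso.password.attribute and put the value in the session under that name in the same way; with authentication.type=sso JForum never uses it for login, so leaving it out is the safer default.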
There is some other stuff in the net.jforum.sso folder for authenticating via LDAP.

Anyone got it working with LDAP yet?

-TIA.

[originally posted on jforum.net by Anonymuos]
Amazing

Wouldn't you like to add it to Confluence? It will be such big improvement to the documentation!

Rafael
[originally posted on jforum.net by Rafael Steil]
i was thinking about that - seems like more work for nothing though :lol:
i'll see what i can do...

JForum Rocks!

-Mark.

[originally posted on jforum.net by Anonymuos]
Well, it is worth the work. All good documentation should be in Confluence, so we have a central point of data. Also, it provides exporting to PDF, which is good.

If you don't want / don't have time to add to confluence, I'll do it myself, but your help would be very valuable!

Rafael
[originally posted on jforum.net by Rafael Steil]
i understand - i was only joking (of course) - i'll do it.

-Mark.
[originally posted on jforum.net by Anonymuos]
hehehe.. right

Rafael
[originally posted on jforum.net by Rafael Steil]
Now Mark, if only this was completed a few days ago.

My integration is almost complete. And yes, I've done things the way you've listed. I will have to fix ViewCommon though; I didn't know about that.

Thanks for all your help!

I agree putting this in confluence is a great idea!

Yes JForum rocks! And it will soon be a part of my site ...

http://www.fencechat.com

The only thing I don't know how to do is login as the Admin now with sso turned on.


Mark
[originally posted on jforum.net by conquest]
Well, I don't know how you are handling all of this, but if you're using jforum_users in the end (and I guess you are), then all you need is to have the user you want to be the Administrator within the corresponding group.

Rafael
[originally posted on jforum.net by Rafael Steil]
Yes, I'm using the jforum_users table still.

DUH ... yeah, I guess I can just mark the user that I'm using as the admin.

edit: I did read another post which stated that you can't designate just anyone as an Admin; that would be useful.

And Mark .. clever username, I stared at it for a while when we were PM'ing thinking ... why is this guy Anonymous?? :?
[originally posted on jforum.net by conquest]
If I understand this correctly, you base your authentication on the value of the cookie named "auto-login".

The value of this cookie determines the logged-in user. For each user, this value remains the same for different logins of the user (it does not change like the session cookie).

So if I know the value for a particular user, and I issue a "hand made" request to JForum with this value, then JForum will think that I have been authenticated without ever giving a login and password!!!

This isn't what it should be. I came across this issue while trying to implement my own SSO class. But I tried to use the session cookie, which is different for the /forum context and my root context (where the actual authentication is being made).
[originally posted on jforum.net by Anonymous]
Anonymous wrote:

So if I know the value for a particular user, and I issue a "hand made" request to jforum with this value, then jforum will think that I have been authenticated without ever giving a login and password!!!


No, it won't. There is a security hash for each user. You can try to change the cookie's value, but it will not work.

Rafael
[originally posted on jforum.net by Rafael Steil]
Rafael Steil wrote:

No, it won't. There is a security hash for each user. You can try to change the cookie's value, but it will not work.

Rafael


ok.... I take your word on this.
The main issue is that the solution you are proposing can't be used in a more general way, as usually people rely on some session attribute (the session created automatically by the container). This session is not propagated to the forum context (different context->different session).

I have to give this some more thought

Thanks for the answer

Stefanos
[originally posted on jforum.net by Anonymous]
Well, and what if you use some approach like Login Authenticators?
I mean, SSO that will ask for validation from another piece of code, instead of trying to receive the auth information from the beginning.

Rafael
[originally posted on jforum.net by Rafael Steil]
Stefanos does have a point regarding the example using the auto-login cookie, i.e. it is possible to spoof a user with a cookie value set to a plain-text username (with a cookie editor, for example).

In the real world you would (of course!) encrypt the cookie value. It is a simple example to demonstrate the mechanism of SSO using cookies.

You could also look at HTTP authentication too, which uses the same SSO mechanism but avoids cookies. I'll be updating the wiki docs once I have set it up to work across contexts.



conquest: how's it going? - like the use of Google Maps on your site 8)
[originally posted on jforum.net by Anonymuos]
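The spoofing concern raised by Stefanos and conceded in the reply above is what the 'shadow' JforumSSO cookie from the first post needs to survive: a plain username in a cookie is forgeable by anyone with a cookie editor. The class below is an added example (not code from the thread or from JForum) of the usual fix, an HMAC-signed cookie: the value carries the username and an expiry, and a tag computed with a key shared by the application and the forum. The application's login action sends issue() (maxAge -1 for a session cookie, a year for 'keep me logged in', as in the post), its logout action sends revoke(), and the forum's SSO class passes the JforumSSO cookie value from request.getCookies() to verify() inside authenticateUser(). The cookie name is the one from the post; the value layout, the 8-hour server-side lifetime for session cookies and the key handling are this example's own choices. It needs only the servlet API on the classpath.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;

/**
 * Signed "shadow" SSO cookie (added example; not code from the thread or JForum).
 * Value layout: username|expiry-seconds|hex(HMAC-SHA256 over "username|expiry").
 * Editing any part of the value invalidates the tag, so a cookie editor cannot
 * turn "mark" into "admin" or push the expiry into the future.
 */
public final class SignedSsoCookie {
    public static final String NAME = "JforumSSO";
    private static final String MAC_ALGORITHM = "HmacSHA256";
    // A browser-session cookie (maxAge -1) still gets a server-side expiry.
    private static final long SESSION_LIFETIME_SECONDS = 8 * 3600L;

    // Shared secret (32+ random bytes), identical on the application and the forum.
    private final byte[] key;

    public SignedSsoCookie(byte[] key) {
        if (key == null || key.length < 32) {
            throw new IllegalArgumentException("key must be at least 32 random bytes");
        }
        this.key = key.clone();
    }

    /** maxAgeSeconds: -1 for a session cookie, 365*24*3600 for 'keep me logged in'. */
    public Cookie issue(String username, int maxAgeSeconds, long nowMillis) {
        if (username == null || username.length() == 0 || username.indexOf('|') >= 0) {
            throw new IllegalArgumentException("username must be non-empty and contain no '|'");
        }
        long lifetime = maxAgeSeconds < 0 ? SESSION_LIFETIME_SECONDS : maxAgeSeconds;
        String payload = username + "|" + (nowMillis / 1000L + lifetime);
        Cookie cookie = new Cookie(NAME, payload + "|" + toHex(mac(payload)));
        cookie.setPath("/");   // the '/' application and the '/forum' context must both see it
        cookie.setMaxAge(maxAgeSeconds);
        return cookie;
    }

    /** A zero max-age cookie on the same path makes the browser delete it (logout). */
    public Cookie revoke() {
        Cookie cookie = new Cookie(NAME, "");
        cookie.setPath("/");
        cookie.setMaxAge(0);
        return cookie;
    }

    /** The username if the signature and expiry check out, otherwise null. */
    public String verify(String value, long nowMillis) {
        if (value == null) return null;
        int sep = value.lastIndexOf('|');
        if (sep < 0) return null;
        String payload = value.substring(0, sep);
        byte[] given = fromHex(value.substring(sep + 1));
        // Constant-time comparison: a forged tag must not leak how many bytes matched.
        if (given == null || !MessageDigest.isEqual(given, mac(payload))) return null;
        String[] parts = payload.split("\\|", -1);
        if (parts.length != 2 || parts[0].length() == 0) return null;
        try {
            if (Long.parseLong(parts[1]) * 1000L < nowMillis) return null; // expired
        } catch (NumberFormatException e) {
            return null;
        }
        return parts[0];
    }

    private byte[] mac(String payload) {
        try {
            Mac mac = Mac.getInstance(MAC_ALGORITHM);
            mac.init(new SecretKeySpec(key, MAC_ALGORITHM));
            return mac.doFinal(payload.getBytes("UTF-8"));
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuffer sb = new StringBuffer(bytes.length * 2);
        for (int i = 0; i < bytes.length; i++) {
            sb.append(Character.forDigit((bytes[i] >> 4) & 0xf, 16));
            sb.append(Character.forDigit(bytes[i] & 0xf, 16));
        }
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    /** Demo: a valid cookie verifies; a hand-edited username and a stale cookie are rejected. */
    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);   // demo only; in production load the shared key
        SignedSsoCookie sso = new SignedSsoCookie(key);
        long now = System.currentTimeMillis();
        String value = sso.issue("mark", -1, now).getValue();
        String forged = "admin" + value.substring(value.indexOf('|'));
        System.out.println(sso.verify(value, now));
        System.out.println(sso.verify(forged, now));
        System.out.println(sso.verify(value, now + 9L * 3600 * 1000));
    }
}
```

Two points worth keeping from this design: the cookie path is "/" because, as noted later in the thread, the container's own session cookie is scoped to one context and is never visible to /forum; and the expiry lives inside the signed payload, so an attacker who captures a session-only cookie cannot keep replaying it indefinitely. Whoever mints the cookie must also revoke it on logout, which is the add/remove in the login and logout actions the first post describes.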
Hi everybody,

I'm trying to understand the above example, but I have a couple of questions:

1. At line 39, where an HttpSession is created, I don't find the method "getRequest()" in the class JForum.java. Where is it?


2. I'm working with WebSphere Portal and it generates an encrypted cookie. Do you know a way to decrypt it? Could your class HexTool help me?


[originally posted on jforum.net by rosaisela06]
It is now JForumExecutionContext.getRequest()

Rafael
[originally posted on jforum.net by Rafael Steil]
But the method JForumExecutionContext.getRequest() returns a RequestServlet object, not HttpSession, could you please clarify this!?

Thank you
[originally posted on jforum.net by rosaisela06]
JForumExecutionContext.getRequest().getSession()...
[originally posted on jforum.net by monroe]
I have just set up SSO using Tomcat authentication inside JBoss 4.2.1. I would like to add to the documentation that SSO or session sharing needs to be configured in the application server for JForum SSO with authentication to work.

With Tomcat inside JBoss 4.2.1, you just have to enable the SSO Valve (just uncomment its configuration).
1.- Edit the [JBOSS_HOME]/server/default/deploy/jboss-web.deployer/server.xml
2.- Uncomment the following line:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

That's all; hope it helps some of you to get it working.

Let me know if I should post this information somewhere else.


[originally posted on jforum.net by andune76]
Hi,

Another question. Let's say, I got my main application, which is somewhere under www.myhost.com/myapp and a JForum under www.myhost.com/jforum, SSO is configured and so on. What happens if I go direct to myapp, not to JForum? Is it possible, that the user will be logged in JForum in this case too?

Thank you!
[originally posted on jforum.net by August]
Yes...


Oh... I guess you want more details..

A lot depends on how your authentication system works. Basically, you have to be able to tell the different web apps that the request from the browser is OK and from user X.

As mentioned above, an easy way to do this is to use your application container's SSO method. With Tomcat (and JBoss using Tomcat), you can do that by turning on the SSO Valve, then protecting any web app by using the J2EE web.xml security features.

Then with JForum, you just use the RemoteUserSSO implementation to get the user id that Tomcat manages for you. It doesn't matter which application you first log on to; all apps in the same Realm will get the same principal object attached to the request.

If you can't use your container's SSO mechanism, then you will need to figure out a common cookie mechanism. In this case, when you log on to any of your applications, you'll need to set a cookie that is shared across all applications that can identify the user and "autolog" them on.
[originally posted on jforum.net by monroe]
Hi,

thanks for the quick answer, but somehow it doesn't work. I changed the SystemGlobals.properties according the SSO description and activated the SSO valve in server.xml. No effect :-( I still see the login page of the forum and I'm not logged in the forum after login on the redirect-page. (Yes, I redeployed JForum and restarted JBoss after these changes :-) )
[originally posted on jforum.net by August]
One thing you didn't mention was modifying the web.xml file. Are both your webapps using the Servlet Spec's authentication and security constraints? In other words, do both webapps have info in their web.xml like the XML below?

One thing to note here is that the "REALM NAME HERE" part MUST be the same for both apps.

With a security constraint like this, you should always see a non-jforum login screen before you even get to any jforum page.

Also note that in addition to the SSO valve setting up container level security requires a Realm definition in the Server.xml file to define where your user info is coming from. See the Tomcat docs for details about that.

Finally, a Tomcat "trick" is that the Realm tag has an undocumented allRolesMode attribute that can be used to allow "*" to mean either any defined role or any authenticated user. I generally use a value of "strictAuthOnly" which means that if no SecurityRole elements are included in the web.xml, * means any authenticated user. If roles are defined, it means any user in any role.


[originally posted on jforum.net by monroe]
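The XML monroe refers to did not survive the migration, so here is an added example of the container-side configuration his post describes (written for this page, not taken from the thread or from JForum): a security-constraint and login-config that must appear in the web.xml of both the application and the JForum webapp, with the same realm-name in each, plus the Realm and SingleSignOn valve in Tomcat's server.xml. The realm name, login pages, DataSource name, table and column names are hypothetical; allRolesMode="strictAuthOnly" is the Tomcat RealmBase attribute he mentions, which lets <role-name>*</role-name> mean "any authenticated user" when no security roles are declared. With /* protected like this, guests cannot read the forum at all, which is the behaviour he describes; narrow the url-pattern if you want anonymous reading.

```xml
<!-- web.xml: identical block in the application's and JForum's web.xml -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>members only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- '*' = any authenticated user, given allRolesMode="strictAuthOnly" below -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <!-- MUST be the same string in both webapps (hypothetical name) -->
  <realm-name>MySiteRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- server.xml: inside the <Host> that serves both contexts -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/app"
       userTable="app_users" userNameCol="username" userCredCol="password"
       userRoleTable="app_user_roles" roleNameCol="role"
       digest="SHA-256"
       allRolesMode="strictAuthOnly" />
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
```

With this in place the container authenticates once, the SingleSignOn valve issues its own JSESSIONIDSSO cookie at the host root so every context under the Host sees the same principal, and JForum's RemoteUserSSO (or the container-auth class shown earlier in this thread) only has to read request.getRemoteUser().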
Hi

Thanks for a fast answer. I implemented my own SSO class and so the problem was solved (at least I hope that).

Again, thanks a lot for your help!
[originally posted on jforum.net by August]
Toni Mergeani
Greenhorn

Joined: Aug 26, 2014
Posts: 4
Hi guys, I'm a little bit of a noobie at this, so I could really use your help. Please, if someone could help and explain this SSO integration to me. Thanks a lot!