I don't know which method checks for valid users, Rafael, but what really throws me off is the following if statement in ControllerUtils#checkAutoLogin(UserSession userSession)
package net.jforum.sso;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.Cookie;

import net.jforum.ActionServletRequest;
import net.jforum.ControllerUtils;
import net.jforum.entities.UserSession;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;
import net.jforum.JForum;

// Import any other class you may need (UserVO, DAOManager, JndiDAOManager,
// UserDAO and HexTool below belong to my own application)

import org.apache.log4j.Logger; // I use log4j

public class MyUserSSO implements SSO { // you must implement net.jforum.sso.SSO

    static final Logger logger = Logger.getLogger(MyUserSSO.class.getName()); // init logging

    public String authenticateUser(ActionServletRequest request) { // required method
        UserVO user = null;
        Cookie myCookie = ControllerUtils.getCookie("auto-login"); // my app login cookie

        if (myCookie != null) {
            DAOManager manager = new JndiDAOManager(); // my apps database
            UserDAO userDAO = manager.getUserDAO(manager.getConnection());
            user = userDAO.getUser(HexTool.hexToString(myCookie.getValue()));
            manager.close();
        } else {
            return null; // no cookie found
        }

        if (user == null) {
            return null; // cookie value did not map to a known user
        }

        if (user.isDisabled()) {
            logger.warn("***DISABLED_ATTEMPT on Forum: " + user.getUsername()); // log disabled attempt.
            return null;
        }

        HttpSession session = JForum.getRequest().getSession();
        session.setAttribute("password", user.getPassword()); // set correct password
        session.setAttribute("email", user.getUsername()); // and email address (my username)
        ControllerUtils.addCookie("JforumSSO", user.getScreenName(), myCookie.getMaxAge()); // refresh

        return user.getScreenName(); // jforum username
    }
    ...
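In the class above the "auto-login" cookie is the only thing authenticateUser trusts: whatever it decodes is used directly as the lookup key, so the forum login is only as strong as that cookie value. Below is an added example, not code from the thread or from JForum, of an auto-login cookie whose value carries the user name, an expiry and an HMAC-SHA256 tag over both, so an SSO class can verify integrity and freshness before touching the database. The class name, the cookie layout and the key handling are my own assumptions; the key must come from configuration shared with the issuing application, not be generated on each start as main does here for the sake of a runnable demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class, not part of JForum).
// Cookie value layout: base64url(username) | expiryEpochSeconds | base64url(HMAC-SHA256(key, payload))
// where payload is the first two fields joined by '|'. Base64url never contains '|',
// so the separators are unambiguous regardless of the user name.
public class SignedAutoLoginCookie {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder B64E = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private final byte[] key;

    public SignedAutoLoginCookie(byte[] key) {
        this.key = key.clone();
    }

    /** Builds the cookie value for a user that expires at the given epoch second. */
    public String issue(String username, long expiresAt) {
        String payload = B64E.encodeToString(username.getBytes(StandardCharsets.UTF_8)) + "|" + expiresAt;
        return payload + "|" + mac(payload);
    }

    /** Returns the user name if the tag verifies and the cookie is unexpired, otherwise null. */
    public String verify(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\|", -1);
        if (parts.length != 3) return null;
        String payload = parts[0] + "|" + parts[1];
        // Constant-time comparison so a wrong tag is not distinguishable by timing.
        byte[] expected = mac(payload).getBytes(StandardCharsets.US_ASCII);
        byte[] given = parts[2].getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, given)) return null;
        long expiresAt;
        try {
            expiresAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSeconds >= expiresAt) return null; // stale cookie, force a fresh login
        try {
            return new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed user field (cannot happen for tags we issued, but be strict)
        }
    }

    private String mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return B64E.encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // demo only; a real deployment loads a configured shared key
        SignedAutoLoginCookie cookie = new SignedAutoLoginCookie(key);
        long now = System.currentTimeMillis() / 1000L;

        String value = cookie.issue("rafael", now + 3600); // constructed sample user
        System.out.println("valid   : " + cookie.verify(value, now));          // rafael
        System.out.println("tampered: " + cookie.verify(value + "x", now));    // null
        System.out.println("expired : " + cookie.verify(value, now + 7200));   // null
    }
}
```

Wired into the thread's authenticateUser, verify would run on the cookie value before the DAO lookup, and a null result would be returned as "no valid cookie" exactly like the existing no-cookie branch; a failed verification is also a better thing to log than the disabled-account case alone. Whatever cookie-adding API is used, the auto-login and JforumSSO cookies should be marked HttpOnly and, on HTTPS sites, Secure.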
monroe wrote: In general, there is no standard for Single Sign On, so there is no "one size fits all"
/ no coding involved solution.
The closest thing to a "standard" is probably the HTTP server standard of the REMOTE_USER
environment variable (which the RemoteUserSSO class uses). This assumes that your web server will
handle authentication and pass on the validated user id as the REMOTE_USER environment variable.
However, this is considered by many to be an insecure way of doing things.
So this means that there are a lot of different ways that are used to do SSO/track user validation and
none of them are exactly the same.
Don't get me started about those stupid light bulbs.