SSO question

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
It seems as if the property
sso.implementation=net.jforum.sso.CookieUserSSO

refers to a class which doesn't exist, net.jforum.sso.CookieUserSSO is nowhere to be found in the JForum package. Can this have something to do with it?
[originally posted on jforum.net by bubblare]
So if I've understood it correctly, I have to provide the CookieUserSSO myself. Here's my #authenticateUser method



As you can see, I am not using any external classes, only standard Java libraries and JForum classes. I do not have access to any DaoManagers or entity classes from the project I am implementing JForum in - is it still possible to use the SSO?
[originally posted on jforum.net by bubblare]
When using SSO, does a user who is logged in from another context get his/her display name shown in JForum as well? I currently have SSO enabled but as soon as I use JForum it says that I am logged in as "anonymous". Also, will the logged in username be shown under "Who is online" in JForum when using the SSO cookie?

My current login.jsp cookie creation code looks like this:

and SystemGlobals.properties


Is there anything I have forgotten to set here to get basic cookie based SSO working?

Thanks!
[originally posted on jforum.net by bubblare]
Okay so I rewrote some of my SSO implementation class, it seems as if the Wiki entry example code is deprecated and doesn't play well with the latest version of JForum. Here's the new SSO implementation class CookieUserSSO.java

Still no luck in getting it to work though




[originally posted on jforum.net by bubblare]
Great, one step closer to getting JForum to work - now I'm receiving the exception..



I have gone through 3 versions of the Connector/J driver by now, but to no avail (the local JForum version, an older version, and the latest Connector/J version).


[originally posted on jforum.net by bubblare]
It seems as if when I add the following property



ConfigLoader#loadDaoImplementation throws this exception.


[originally posted on jforum.net by bubblare]
Great, now it finds my cookie because I set the
cookie.name.data = JforumSSO (instead of sso.cookie.name which is in the documentation).

But I am still logged in as anonymous, even though ControllerUtils finds my Cookie!

Any ideas?
[originally posted on jforum.net by bubblare]
Ok, it finds your cookie, but does it detect you as a valid user?

Rafael
[originally posted on jforum.net by Rafael Steil]
I don't know which method checks for valid users Rafael, but what really throws me off is the following if statement in ControllerUtils#checkAutoLogin(UserSession userSession)



Why would it check for all three cookie types (cookie, hashCookie and autoLoginCookie) ?? In the documentation it clearly says that you only have to rename sso.cookie.data which I set to JforumSSO.
It says nothing about setting cookie.name.autologin and cookie.name.userHash.

[originally posted on jforum.net by bubblare]
Here is a working modified version of the cookie SSO example: http://www.coderanch.com/t/576580 .
To get it working I only modified the example login object; no issues with parameters in SystemGlobals.properties were encountered.

I had a cookie-related issue too (couldn't find/load the cookie created by the "main" app in the SSO pool), but I solved it simply by forcing the "/jforum/" path on the cookie on creation (as far as I can remember, the request doesn't contain a cookie with a path above the current directory).

bubblare wrote:I don't know which method checks for valid users Rafael, but what really throws me off is the following if statement in ControllerUtils#checkAutoLogin(UserSession userSession)


public boolean isSessionValid(UserSession userSession, HttpServletRequest request) ;


[originally posted on jforum.net by Jules]
I think I've found the problem, and it's in

ControllerUtils#refreshSession()

The method starts with


If the UserSession object is null, JForum will never look up the SSO implementation, and my UserSession object is always null since I can't share sessions between applications (my own application and JForum).
Hopefully I can code my way around this.

I read through your code and got some pointers Jules, thanks!

[originally posted on jforum.net by bubblare]
Hi,
I am following the instructions in http://www.jforum.net/doc/SSOcookies to set up the log on to use a cookie for SSO. However, after setting up
sso.implementation=net.jforum.sso.CookieUserSSO in SystemGlobals.properties I am getting a ClassNotFoundException on CookieUserSSO. I understand that I DO NOT have to write it myself, since I am NOT following "Implementing your own SSO class". So is that an error?

Any help would be appreciated

[originally posted on jforum.net by shlomo]
There is a mistake in the documentation. JForum does not provide such an implementation.

I upgraded the docs to clarify this.

Rafael
[originally posted on jforum.net by Rafael Steil]
Dear forum members!

I'm just struggling with the integration of Jforum with my JSP application.

As far as I see, I'm currently in a situation similar to the one Bubblare was in last December: I have some SSO implementation* which seems to do something (or at least it doesn't throw any exception), but finally I'm logged in as anonymous and no new user account is created in the Jforum database.

I'd like to ask whether you, Bubblare, or anybody else succeeded in setting up a working SSO integration.

* Unfortunately I can't program in Java, however I tried to set up an SSO implementation based on the given examples and forum postings. Instead of cookies I try to pass the username to Jforum in a request parameter.

The source package I work with is 2.1.7b3. Here is my SSO code (based on RemoteUserSSO):


So if any of you has a really working SSO example, could you please share it?

Thank you in advance!

[originally posted on jforum.net by azimut]
In general, there is no standard for Single Sign On, so there is no "one size fits all" / no coding involved solution.

The closest thing to a "standard" is probably the HTTP server standard of the REMOTE_USER environment variable (which the RemoteUserSSO class uses). This assumes that your web server will handle authentication and pass on the validated user id as the REMOTE_USER environment variable. However, this is considered by many to be an unsecure way of doing things.

So this means that there are a lot of different ways that are used to do SSO/track user validation and not of them are exactly the same.

[originally posted on jforum.net by monroe]
Hi,
I'm struggling to get SSO to work as well. The sample implementation on the web site seems to be outdated for JForum v2.1.7.

http://www.jforum.net/doc/ImplementSSO.

Assuming that the web server will handle authentication and pass on the user info in a cookie, could you provide sample (fragment) code to demonstrate how to implement my own SSO class (with v2.1.7) where it will assign the correct screen name and email address for the signed-in user?

many thanks!
Terry


package net.jforum.sso;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.Cookie;

import net.jforum.ActionServletRequest;
import net.jforum.ControllerUtils;
import net.jforum.entities.UserSession;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;
import net.jforum.JForum;

// Import any other class you may need (UserVO, DAOManager, JndiDAOManager,
// UserDAO and HexTool below belong to the host application, not to JForum)

import org.apache.log4j.Logger; // I use log4j

public class MyUserSSO implements SSO { // you must implement net.jforum.sso.SSO

    static final Logger logger = Logger.getLogger(MyUserSSO.class.getName()); // init logging

    public String authenticateUser(ActionServletRequest request) { // required method
        UserVO user = new UserVO();
        Cookie myCookie = ControllerUtils.getCookie("auto-login"); // my app login cookie

        if (myCookie != null) {
            DAOManager manager = new JndiDAOManager(); // my apps database
            UserDAO userDAO = manager.getUserDAO(manager.getConnection());
            user = userDAO.getUser(HexTool.hexToString(myCookie.getValue()));
            manager.close();
        } else {
            return null; // no cookie found
        }

        if (user.isDisabled()) {
            logger.warn("***DISABLED_ATTEMPT on Forum: " + user.getUsername()); // log disabled attempt.
            return null;
        }

        HttpSession session = JForum.getRequest().getSession();
        session.setAttribute("password", user.getPassword()); // set correct password
        session.setAttribute("email", user.getUsername()); // and email address (my username)
        ControllerUtils.addCookie("JforumSSO", user.getScreenName(), myCookie.getMaxAge()); // refresh

        return user.getScreenName(); // jforum username
    }
...




monroe wrote:In general, there is no standard for Single Sign On, so there is no "one size fits all" / no coding involved solution.

The closest thing to a "standard" is probably the HTTP server standard of the REMOTE_USER environment variable (which the RemoteUserSSO class uses). This assumes that your web server will handle authentication and pass on the validated user id as the REMOTE_USER environment variable. However, this is considered by many to be an unsecure way of doing things.

So this means that there are a lot of different ways that are used to do SSO/track user validation and not of them are exactly the same.

[originally posted on jforum.net by tcheung]
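
Added example (not from the thread, the JForum documentation or the JForum code base): the sample class above takes the user name straight from a cookie value, so the forum accepts whatever name the browser sends. One way for the main application to sign the cookie value and for the SSO class to check it before returning a user name; the class name SignedSsoCookie, its methods, the token layout and the secret are assumptions, and only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not a JForum class. Cookie value: base64url(user).expiry.base64url(mac)
public class SignedSsoCookie {
    private final SecretKeySpec key; // secret known only to the main app and the forum

    public SignedSsoCookie(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    // Main application side, at login time.
    public String issue(String user, long expiresEpochSec) throws Exception {
        String payload = b64(user.getBytes(StandardCharsets.UTF_8)) + "." + expiresEpochSec;
        return payload + "." + b64(mac(payload));
    }

    // Forum side (for example inside authenticateUser): user name, or null if invalid.
    public String verify(String cookieValue, long nowEpochSec) throws Exception {
        if (cookieValue == null) return null;
        String[] p = cookieValue.split("\\.");
        if (p.length != 3) return null;
        try {
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), given)) return null; // constant-time
            if (Long.parseLong(p[1]) < nowEpochSec) return null; // expired
            return new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // malformed base64 or expiry field
            return null;
        }
    }

    private byte[] mac(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    public static void main(String[] args) throws Exception {
        SignedSsoCookie sso = new SignedSsoCookie("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L; // constructed clock value
        String cookie = sso.issue("bubblare", now + 3600);
        String swapped = b64("admin".getBytes(StandardCharsets.UTF_8)) + cookie.substring(cookie.indexOf('.'));
        System.out.println("untampered:   " + sso.verify(cookie, now));
        System.out.println("name swapped: " + sso.verify(swapped, now));
        System.out.println("after expiry: " + sso.verify(cookie, now + 7200));
    }
}
```

In a deployment the secret would be a random value of at least 32 bytes loaded from configuration on both sides, and an SSO class would return the verified name only when verify gives a non-null result.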
 