CookieSSO - Not working

Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi
Jforum rocks and support of Raefell,monroe.

I am integrating my Struts2 application with JForum. I have two wars. Now I took the CookieSSO given by Monroe and modified my SystemGlobal.properties. Following is the cookie in my JSP:

<%
User userObj = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = userObj.getEmail();
String password = userObj.getPassword();
Cookie cookie = new Cookie("sso-auto-login",username);
cookie = new Cookie("sso-auto-login",password );
cookie.setMaxAge( -1 );
cookie.setPath( "/" );
response.addCookie( cookie );
out.flush();
%>

But when I put an SOP in CookieSSO.java it's showing myCookie as null.

myCookie = ControllerUtils.getCookie( SSO_COOKIE_NAME );

Did I miss something in the JSP or SystemGlobal.properties?

I am putting both the userid and password in the cookie.

Cookie cookie = new Cookie("sso-auto-login",username);
cookie = new Cookie("sso-auto-login",password );

When I printed these two in the JSP I am able to see them. But the whole cookie is coming as null.

SystemGlobal.prop

sso.implementation = net.jforum.sso.CookieSSO
sso.cookie.name=sso-auto-login
sso.cookie.path=/
cookie.name.data = jforumUserId
cookie.name.user = jforumUserInfo
cookie.name.autologin = jforumAutoLogin
cookie.name.userHash = jforumUserHash
authentication.type = sso
login.authenticator = net.jforum.sso.DefaultLoginAuthenticator


Please let me know where things went wrong

Thanks
Greg


[originally posted on jforum.net by gregjhonson]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
If you're using my SSOCookie implementation, you are setting up the cookie totally wrong. It should be something like:



If you're still having problems, you will need to verify that jForum is actually getting the cookie. This is easy to do with various tools, like the WebDeveloper Firefox add-in (has a view cookie info for current page option). Or just put a jsp in the jforum context that dumps all cookies.

FWIW - I don't know where the global sso.cookie.* properties come from. They have nothing to do with my CookieSSO code. Was that from the old out-dated documentation?


[originally posted on jforum.net by monroe]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi monroe,
Thanks for your quick reply. I changed the code in the JSP and installed the Web Developer toolbar. The cookie is not coming at all when I enter the JForum application from the main application. I have 2 separate wars. I am highly puzzled about what else I have to do. Please find the JSP and util class files.
I am not doing cookie.setDomain(domain); is that causing the issue?



Header.jsp:

<%
User userObj = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = userObj.getEmail();
String password = userObj.getPassword();
String encrypted = CookieUtil.makeSSOCookieValue(username, password);
Cookie cookie = new Cookie("sso-auto-login", encrypted);
cookie.setMaxAge(120000); // 10 hours in seconds (can be -1 for session).
//cookie.setDomain(domain); // Full qualified server domain.
cookie.setPath("/");
response.addCookie(cookie);
%>

------------------------------------------------------------
CookieUtil:

package com.mob.util;

import java.text.SimpleDateFormat;
import java.util.Date;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class CookieUtil {
    static SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyyMMddHHmm");
    static final String md5Salt = "someWeirdStringSharedByTheApps";

    /**
     * Makes the MD5 token used for authentication in cookies.
     *
     * @param userName The user id included in the digest.
     * @param password The user's password included in the digest.
     * @param timestamp A yyyyMMddHHmm representation of when the cookie
     * was created.
     * @return The hex string representation of the MD5 digested string.
     * @exception NoSuchAlgorithmException If for some reason, MD5 is
     * not available?
     */
    protected static String makeMD5Token (String userName, String password,
                                          String timestamp )
            throws NoSuchAlgorithmException {
        MessageDigest md;
        byte[] sig;
        String plainText;
        StringBuffer encryptedText = new StringBuffer();
        plainText = md5Salt + "/" + userName + "/"+ password +
                "/" + timestamp;
        md = MessageDigest.getInstance("MD5");
        sig = md.digest(plainText.getBytes());
        // Render each digest byte as two lowercase hex characters.
        for ( int i = 0; i < sig.length; i++ ) {
            encryptedText.append(Integer.toString(( sig[i] & 0xff ) +
                    0x100, 16 ).substring(1));
        }
        return encryptedText.toString();
    }

    /**
     * Builds the cookie value: userName/password/MD5 token, with the
     * token computed over the current time.
     */
    public static String makeSSOCookieValue(String userName, String password)
            throws NoSuchAlgorithmException
    {
        String timestamp = dateFormatter.format(new Date());
        return userName + "/" + password + "/" +
                makeMD5Token(userName, password, timestamp );
    }
}

------------------------------------------------------


Thanks
Greg

[originally posted on jforum.net by gregjhonson]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
This is my main application URL, from where I will move to JForum after clicking a link in this JSP:

http://localhost:8080/MyOwnBriefcase-0.0.1/public/welcome.action

This is my JForum URL, which I get when the user moves to JForum from the main application:

http://localhost:8080/jforum/forums/list.page

----------------------------------------------------------------
I have the following code in the JSP, where the cookie is formed and then the user clicks on the hyperlink. Is this not the way?


<authz:authorize ifAnyGranted="ROLE_ADMIN,ROLE_EMPLOYER,ROLE_EMPLOYEE">
<%
User userObj = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String username = userObj.getEmail();
String password = userObj.getPassword();
String encrypted = CookieUtil.makeSSOCookieValue(username, password);
Cookie cookie = new Cookie("sso-auto-login", encrypted);
cookie.setMaxAge(120000); // 10 hours in seconds (can be -1 for session).
//cookie.setDomain(domain); // Full qualified server domain.
cookie.setPath("/");
response.addCookie(cookie);
%>
COOKIE FORUMS
</authz:authorize> </div>

[originally posted on jforum.net by gregjhonson]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
I can only think of a couple of quick things. Both are related to the fact that you're not seeing ANY cookies.

First, Cookies use HTTP response headers and some servlet containers will ignore any changes to the HTTP Headers if the response has been "committed" (i.e. headers already sent to the browser). Generally this statement is just ignored and no Exception or other message is shown.

When using a JSP file, make sure all the code to set a cookie is BEFORE ANY HTML or doctype statements.

Alternatively you could test if this is the problem by checking the isCommitted() response and displaying an error.

Second, as you mentioned, it might be the domain not being set. The security rules for Cookies and browsers are very tight now, so not setting this could be causing the browser to ignore it. FWIW, it's easy to get this info from the request object.
[originally posted on jforum.net by monroe]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hey,
I am trying rigorously to fix this issue but in vain. Even in my main application I couldn't see the cookie in the browser. setDomain comes into the picture when the user navigates to the forum, but at least in the main application itself the cookie should be shown in the Web Developer toolbar, right?


Regards
Greg
[originally posted on jforum.net by gregjhonson]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Another issue that comes to mind when using cookies is when you are using 'includes' - to include a page within another (e.g. in a JSP).

Using includes means that the header is already fixed, so that the included page is not allowed to write any cookies, e.g. ...
[originally posted on jforum.net by Sid]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi Sid,
I put my cookie code in header.jsp and Tiles will include this in all main JSPs. Even then the cookie is not getting created. Then I put the same cookie code in another main JSP (which won't be included anywhere) and even then the cookie is not getting created. I am not setting the domain as I am not sure what exactly I have to set as the domain.

Even in the main application itself the cookie is not visible?

My Main application URL:http://localhost:8080//MyOwnBriefcase-0.0.1

Jforum URL:http://localhost:8080//MyOwnBriefcase-0.0.1/forums/list.page

Monroe told me to check the isCommitted() response. How can I do that?

Sorry to bother, I am a frameworks (Struts, Spring) guy rather than core stuff like servlets.

Thanks
Greg


[originally posted on jforum.net by ihkris]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
If the head.jsp is being included somewhere, and you have the write cookie commands in the head.jsp it will not work - as mentioned above.

You will need to have it in the document that does the includes. This behaviour is not likely to change, as it's part of the JSP standard.

Hence, all the cookies have to be written in a document that is not included via jsp:include or similar.

We had the same issue with a different (self-written) application. We modified our code so that now the included plugins write their cookies to a "Cookiemanager". This manager is added to the JSP code that includes the plugin pages... and writes the stored cookies out to the head. So this way we now only have one JSP that writes cookies, and all other JSPs simply add the cookies to that manager.

This seems to work for us so far

As for the domain thing: You could leave it NULL or you can set it to "localhost" in your case I guess. It's the "domain name". If you hosted jforum on www.example.com then this would be your domain name ( I think ;))
[originally posted on jforum.net by Sid]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi Sid,
It seems Cookies can't work with Tiles. We are using Tiles in the main application. When I created a dummy JSP I am able to create a cookie. I am wondering how to create a cookie when there are Tiles.


Thanks
Greg Johnson
[originally posted on jforum.net by gregjhonson]
Migrated From Jforum.net
Ranch Hand

Joined: Apr 22, 2012
Posts: 17424
Hi, maybe you could use a servlet filter to set the cookie so that it is not affected by the page structure or tiles.
Diego
[originally posted on jforum.net by andune76]
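
The servlet filter suggested above, combined with the isCommitted() check mentioned earlier in the thread, could look like this; it is an added example, not code from the thread or from JForum. Assumptions: the filter is mapped after the application's login filter so getRemoteUser() returns the user, the init-param name ssoKey is hypothetical, and the cookie value format (user, timestamp, HMAC-SHA256, no password) is this example's own rather than the one CookieSSO parses, so the JForum side needs a matching verifier.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not the thread's code): set the SSO cookie in a filter, before any JSP or Tiles output.
public class SsoCookieFilter implements Filter {
    private byte[] key; // shared secret from the hypothetical init-param "ssoKey"

    @Override public void init(FilterConfig cfg) throws ServletException {
        String k = cfg.getInitParameter("ssoKey");
        if (k == null || k.length() < 32) throw new ServletException("ssoKey missing or too short");
        key = k.getBytes(StandardCharsets.UTF_8);
    }

    // Assumed format: base64url(user).epochSeconds.base64url(HMAC-SHA256); the password is never sent.
    static String makeValue(byte[] key, String user, long epochSeconds) throws Exception {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String payload = b64.encodeToString(user.getBytes(StandardCharsets.UTF_8)) + "." + epochSeconds;
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return payload + "." + b64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = req.getRemoteUser(); // null when nobody is logged in
        if (user != null && res.isCommitted()) {
            // Headers already sent: addCookie() would be silently ignored, so report it.
            req.getServletContext().log("SSO cookie not set: response already committed");
        } else if (user != null) {
            try {
                Cookie c = new Cookie("sso-auto-login", makeValue(key, user, System.currentTimeMillis() / 1000));
                c.setPath("/");              // sent to every web app on this host, including /jforum
                c.setMaxAge(-1);             // session cookie
                c.setHttpOnly(true);         // not readable from page script (Servlet 3.0+)
                c.setSecure(req.isSecure()); // HTTPS-only whenever the request arrived over HTTPS
                res.addCookie(c);
            } catch (Exception e) {
                throw new ServletException("cannot build SSO cookie", e);
            }
        }
        chain.doFilter(req, res); // JSPs, Tiles and includes run only after the cookie is queued
    }
    @Override public void destroy() { }
}
```

Because the cookie is queued before chain.doFilter(), it does not matter whether the page is later assembled from Tiles or jsp:include fragments.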
 