Webapp Integration -- SSO issues

I have searched this topic, and read a lot of information about SSO, but I still cannot see how to implement the feature that I want. Let me try to explain.

I have a webapp. This webapp implements a "portal" and part of my portal is JForum forums for the community. There will be links from the portal into the forums.

Here is what I would like. The user logs into my portal. When they log into my portal, I would like to have them automatically logged into the forums. When I say "automatically logged in", what I mean is that when they click on any of the forum links, and they are redirected to the forum, I want JForum to "recognize" the person as logged in.

I do not see how I can use SSO or any of the suggestions I have read because it seems to me that these only apply to the case of the user logging in using the login page.

Furthermore, there is no way for me to share information across sessions (between my webapp and jforum). So how will my SSO authenticator code in jforum know how you are logged into my webapp?

I hope I am making sense.

My first thought was to simply create the cookies that JForum uses for "automatic login". I figured that if I created those cookies, JForum would see them and consider me logged in. However, I think that if JForum has already run as "anonymous", there is a UserSession, so there is no call to validateLogin() and there is no consulting my cookies. Anyway, the cookies seem to have no effect.

Ideally, I would like to be able to add a new cookie "jforumValidateSession", which jforum would consult on every page, and if it is set, would re-establish the userSession using the cookies provided for autologin. Does that make sense? Is it practical? Is there any alternative?

I guess I am okay with hitting a URL to perform the same thing. Can I do this now?

Thanks,
Tim.


[originally posted on jforum.net by time]

Ok. I have tried three things, and none of them work.

First, I tried just adding the cookies "jforumUserHash", "jforumUserId". and "jforumAutoLogin" as if the user had logged in with "autologin" checked. This had no effect. The JForum still saw me as "anonymous". I believe this could not work, because JForum had no way to know that it should remove any existing "UserSession".

Second, I tried making a URLConnection to:

/forums/jforum.page?username=USER&password=PASS&module=user&action=validateLogin&autologin=on

Hoping that this would cause JForum to do all the things related to a proper login. This did seem to work, as I saw the following on my tomcat log:

INFO [SessionFacade ] Removing session A3C4FB0D88FB27AD54B642C8DD98A00E

when my webapp connected to the url. The URLConnection returns status 200 OK, and I get some 9565 bytes of data. So, I believe that JForum validated the login and created a new UserSession for it.

Alas, there is no change in my web browser. I still appear to be user "anonymous" when I refresh my page or navigate. Of course, the browser's cookies were not changed.

Finally, I left the validateLogin call in place (and still get status 200 OK) and after the login call, I added the jforum cookies. Now, I was getting the validateLogin success, seeing JForum log the session removal, AND the browser had the proper jforum cookies that it needed.

Alas, I still appear as "anonymous" on JForum page refreshes.

I am stumped now.
[originally posted on jforum.net by time]

Ok. Now that I think about this, there is one missing piece. I need to have the JSESSIONID from tomcat to be placed into the browser's cookies, otherwise, the browser's session cannot be tied to the JForum UserSession that was created by my validateLogin call. The problem is that the reply to validateLogin does not return any cookies.

I suspect that tomcat is deciding that my URLConnection is not capable of cookies, so it is using URL-based session ids. I will see if I can get the session cookie and see if this is the missing piece....
[originally posted on jforum.net by time]

First question: why don't you put JForum under the same context of your main web application? this way you can share the HttpSessions without any problems.

If you don't want to do that, you can edit server.xml and set "crossContext" to "true", and then put the information in the ServletContext..
Something like "__timeLogged", "__rafael123Logged", and etc.

One more option is to write the information to a dataabse table and make the SSO class check that table.

Rafael
[originally posted on jforum.net by Rafael Steil]

First Q: I did not know I could combine JForum under my context. How do I do this? Don't I have to combine all of the JForum webapp files and directories into my webapp? That seems like an impossible task.

I dislike using cross context's, because it is not supported under every container, and its support under each container seems to be non-standard.

As for putting the information into a database, that seems to have lots of issues, the biggest of which is that it does not solve my problem.

My problem is not validating a login when the user logs in. I can do that now.

The issue is that I wish to bypass the login process entirely, and allow any user logged into my webapp to move seamlessly between my webapp and jforum. Even if I place jforum under my webapp, I still have the exact same problem, unless I take over the jforum UserSession creation, and related login functions, which is something I want to avoid.

It seems to me that no one has a good solution for this.
[originally posted on jforum.net by time]

Ok. The problem is definitely that I have no means of providing the session id that tomcat expects. I need to place it into a cookie to tie to the UserSession created by JForum when I validateLogin.

I see that Tomcat always uses URL rewriting for the first page that it sends, because it cannot tell if the browser supports cookies. Or maybe there is something else it is deciding to do to make that decision. As I see it, there is no standard thing to expect.

The easiest solution would be if JForum would place the session ID into a header line on the reply to validateLogin, or possibly in reply to another specific request (such as "getSessionId"). This would allow me to grab the session id and place it into the browser's cookie. Of course, none of this will work if cookies are disabled.

I think this might be too much effort for what it is worth.
It is not a shortcoming of JForum. It seems to be a general shortcoming of current technology.
[originally posted on jforum.net by time]

I have verified that the session is the issue.

If I create the jforum cookies for autologin, then stop and restart Tomcat, then the cookies work as I expect and all is well. This is because stopping tomcat kills all sessions. When I come back up, there is no session for my browser, and JForum performs the autologin to establish me. If, however, there was already an anonymous session, then the autologin do not happen. Further, my validateLogin request creates the UserSession and session (tomcat) for the login that I want, but I have no simple means of getting that session id to set my cookie to.

I see that I get the session id as "jsessionid=" encoded URL's in the page data that is returned from my validateLogin request, but I do not think that I can count on that always being there, as it depends on the page having links with session ids embedded in them, and my ability to properly parse them.

I still do not understand how Tomcat is deciding that I should get the url encoding instead of a cookie. I realize that it needs to "test" the browser with the first page, but there is no cookie header in that first page, so how will it know if I can send one back if there is no cookie in the first place. It seems to me that the session id should be in a cookie on that first page, otherwise tomcat would have no way to know if I am cookie enabled.

It is almost as if Tomcat has already decided that I am not cookie enabled. Is there some new HTTP header that indicates this capability that I am unaware of?

[originally posted on jforum.net by time]

Nice.

Just to let you know: you can put as many web applications as you want under the same context, as long there aren't any conflicts of url-pattern mapping.
All you have to do is to copy the files to the same directory and merge the web.xml files

Rafael
[originally posted on jforum.net by Rafael Steil]

Ok. I finally solved the problem in a way that makes me pretty happy.

The summary boils down to this: when I log into my webapp, I call a method that makes a URLConnection to JForum's invalidateLogin. The URLConnection will return a number of cookies, including the JSESSIONID and the jforum cookies. The method then establishes these cookies inside of my webapp. Because the same browser is talking to both webapps, they both see the same cookies (respecting Path of course). Once these cookies are established, my user is logged into JForum when they log into my webapp.

The problem that I was left with - how to get the JSESSIONID - boiled down to my incorrect use of the URLConnection. I forgot that by default the connection will "follow" 3xx response codes (specifically 302 'Moved Temporarily' used by Tomcat to determine if cookies are available). Once I called setInstanceFollowRedirects( false ), I got the cookies that I was looking for, and all of the pieces fell into place.

Of course, this does not deal with the issue of the user logging out of JForum (I am tempted to remove the link!). But overall the solution is very reasonable. The user will learn what not to do, and will pay the price of login when they forget.

I will post the code in the next reply.

I sure would like some feedback from others on this solution.
[originally posted on jforum.net by time]

Here is the method that I added to my webapp to handle "autologin" for JForum. When the user logs into my web application, the code that verifies the login and establishes the session makes a call to this method with the user name that it retrieves from jforum_users (I use the email for my login, which I then use to lookup the user in jforum_users) and the password that the user enters for my webapp (and which is stored into jforum_users when they register). I control the jforum user database record creation, so I can keep everything in sync.

This code is very rough, since I am still in alpha, but you will get the idea.

public void loginForum( HttpServletRequest request, HttpServletResponse response, String user, String pass ) throws Exception { InputStream in = null; HttpURLConnection urlConn = null; try { String urlStr = "http://" + request.getRemoteHost() + ":" + request.getLocalPort() + _Configured_JForum_Context_From_DB_ + "/jforum.page?username=" + user + "&password=" + pass + "&module=user" + "&action=validateLogin" + "&autologin=on"; URL url = new URL( urlStr ); urlConn = (HttpURLConnection) url.openConnection(); urlConn.setRequestMethod( "GET" ); urlConn.setDoOutput( true ); urlConn.setDoInput( true ); urlConn.setUseCaches( false ); urlConn.setAllowUserInteraction( false ); urlConn.setFollowRedirects( false ); ((HttpURLConnection) urlConn).setInstanceFollowRedirects( false ); urlConn.setRequestProperty( "Accept", "*/*" ); urlConn.setRequestProperty( "User-Agent", "Mozilla/5.0" ); urlConn.connect(); int respCode = urlConn.getResponseCode(); String respMessage = urlConn.getResponseMessage(); for ( int i = 0 ; ; ++i ) { String hdrV = urlConn.getHeaderField( i ); String hdrK = urlConn.getHeaderFieldKey( i ); if ( hdrK == null && hdrV == null ) break; if ( hdrK != null && hdrK.equals( "Set-Cookie" ) ) { this.establishCookie( response, hdrV ); } } in = urlConn.getInputStream(); int len = 0; byte[] buf = new byte[1024]; for ( ; ; ) { int numRd = in.read( buf ); if ( numRd == -1 ) break; len += numRd; } } catch ( Exception ex ) { ex.printStackTrace( System.err ); } finally { if ( in != null ) in.close(); } } public void establishCookie( HttpServletResponse response, String cookieStr ) { String name = null; String value = null; String path = null; String exp = null; StringTokenizer toker = new StringTokenizer( cookieStr, ";" ); int cnt = toker.countTokens(); for ( int i = 0 ; i < cnt ; ++i ) { String toke = toker.nextToken().trim(); int idx = toke.indexOf( "=" ); if ( idx == -1 ) { // BAD COOKIE? continue; } String key = toke.substring( 0, idx ); String val = toke.substring( idx + 1 ); if ( key.equals( "Path" ) ) { path = val; } else if ( key.equals( "Expires" ) ) { exp = val; } else { name = key; value = val; } } if ( name != null && value != null && path != null ) { Cookie cookie = null; cookie = new Cookie( name, value ); cookie.setMaxAge( 3600 * 24 * 365 ); // UNDONE parse exp cookie.setPath( path ); response.addCookie( cookie ); } }
[originally posted on jforum.net by time]

This technique is working really well for me. I like the fact that I can call the login method from basically anywhere. So, not only when an existing user logs in, but also when a new user registers, I am able to automatically log them into JForum.

Even better, if the user changes accounts within my webapp, the active account in JForum automatically changes with them. Both accounts share the same password, so even if there were a case where it did not work, the user can easily manage the login process under JForum. Except that they need to remember to use their fullname to login, instead of their email (which my webapp uses).

One nice addition to JForum that would help me would be an option to login using the user's email address (jforum_users.user_email) instead of their username. My webapp uses the email address as the login id. The ability to log into JForum using the email address would make the login identical for both webapps. I mean, if it is configured, the login field would be considered an email address instead of the username.
[originally posted on jforum.net by time]

Time, this is great! Exactly what I was looking for.

Merging webapps is not very kosher, and basically doing so isn't SSO, because you're only dealing with one webapp anyway!

Question for you though - how do you manage creation of both accounts? Do you have to create an account in JForum AND in your own webapp? I'd like to have my own webapp's account creation screen also handle account creation in JForum.

Tony
[originally posted on jforum.net by Tony Field]

I handle the JForum database in my application, adding new users and managing their record. When a new user registers with my site, I create all of the necessary JForum records (including the user's group) and set the password using the password the user entered for my webapp.

I then remove the "register", "logout", and "My Profile" links under JForum. I subsume the JForum profile information into my user profile page, and handle the JForum database update within my app.

That's it. It works so well, I wish it was a standard.
[originally posted on jforum.net by time]

Hi time,

If your solution works, then stick with it. For others who are looking for a more sophisticated single sign-on solution, check out this article:

http://www-128.ibm.com/developerworks/web/library/wa-singlesign/

Mike
[originally posted on jforum.net by Anonymous]

Time can you perhaps post this code as well? I'm going to manage users in jforum also.

Maybe this would be a great to add to confluence along with your auto-login.

Mark

time wrote:I handle the JForum database in my application, adding new users and managing their record. When a new user registers with my site, I create all of the necessary JForum records (including the user's group) and set the password using the password the user entered for my webapp.

I then remove the "register", "logout", and "My Profile" links under JForum. I subsume the JForum profile information into my user profile page, and handle the JForum database update within my app.

That's it. It works so well, I wish it was a standard.

[originally posted on jforum.net by conquest]

In reponse to the "SSO is the more sophisticated solution" -- that my be true, but the fact is that SSO does NOT accomodate my needs.

Authentication is only part of the problem. The issue for me was to avoid two logins. NOT two user ids or passwords, but actually logging into my webapp and then logging into JForu,. I wanted my users to never see the JForum login. If you can explain how to accomplish this with SSO, I would love to hear it.

As for the code request I am not sure how useful the code I have will be. It is very integral to my webapp. However, here is the helper class that I use. (next post).
[originally posted on jforum.net by time]

import java.io.InputStream; import java.net.HttpURLConnection; import java.net.URL; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.StringTokenizer; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.sql.DataSource; /** * This class provides utility method related to JForum. * * @author Tim Endres, * */ public class JForumHelper { public JForumHelper() { } public void loginJForumUser( HttpServletRequest request, HttpServletResponse response, Connection jfConn, String email, String password ) throws Exception { String context = "/turtletalk"; // UNDONE HIGH String jfEncEmail = this.urlEncodeUsername( email ); System.err.println( "[JFORUM_HELPER] encEmail: " + jfEncEmail ); this.loginForum ( request, response, jfEncEmail, password, context ); } public void loginJForumUserByName( HttpServletRequest request, HttpServletResponse response, Connection jfConn, String email, String password ) throws Exception { String jfUser = this.getJForumUsername( jfConn, email ); if ( jfUser != null ) { String jfEncUser = this.urlEncodeUsername( jfUser ); this.loginForum ( request, response, jfEncUser, password, "/turtletalk" ); // UNDONE HIGH } } public String urlEncodeUsername( String userName ) { int len = userName.length(); StringBuffer sBuf = new StringBuffer( len * 4 ); for ( int i = 0 ; i < len ; ++i ) { char ch = userName.charAt( i ); if ( ch == ' ' ) { sBuf.append( "+" ); } else if ( (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9') ) { sBuf.append( ch ); } else { sBuf.append( '%' ); String hx = Integer.toHexString( (int)ch ).toUpperCase(); if ( hx.length() == 1 ) sBuf.append( "0" ); if ( hx.length() > 2 ) hx = hx.substring( 0, 2 ); sBuf.append( hx ); } } return sBuf.toString(); } private static final String SELECT_FORUM_USER = "SELECT user_id, username, user_avatar " + " FROM jforum_users WHERE user_email = ? "; public int getJForumUserId( Connection jfConn, String email ) throws Exception { int result = -1; ResultSet rS = null; PreparedStatement pS = null; try { pS = jfConn.prepareStatement( SELECT_FORUM_USER ); pS.setString( 1, email ); rS = pS.executeQuery(); if ( rS.next() ) { result = rS.getInt( 1 ); } } finally { if ( pS != null ) pS.close(); } return result; } public String getJForumUsername( Connection jfConn, String email ) throws Exception { String result = null; ResultSet rS = null; PreparedStatement pS = null; try { pS = jfConn.prepareStatement( SELECT_FORUM_USER ); pS.setString( 1, email ); rS = pS.executeQuery(); if ( rS.next() ) { result = rS.getString( 2 ); } } finally { if ( pS != null ) pS.close(); } return result; } public String getJForumUserAvatar( Connection jfConn, String email ) throws Exception { String result = null; ResultSet rS = null; PreparedStatement pS = null; try { pS = jfConn.prepareStatement( SELECT_FORUM_USER ); pS.setString( 1, email ); rS = pS.executeQuery(); if ( rS.next() ) { result = rS.getString( 3 ); } } finally { if ( pS != null ) pS.close(); } return result; } private static final String SELECT_USER_POST_COUNT = "SELECT count(*) FROM jforum_posts WHERE user_id = ? "; public int getJForumUserPostCount( Connection jfConn, int user_id ) throws Exception { int result = 0; ResultSet rS = null; PreparedStatement pS = null; try { pS = jfConn.prepareStatement( SELECT_USER_POST_COUNT ); pS.setInt( 1, user_id ); rS = pS.executeQuery(); if ( rS.next() ) { result = rS.getInt( 1 ); } } finally { if ( pS != null ) pS.close(); } return result; } private static final String SELECT_LATEST_USER_POST = "SELECT post_id " + " FROM jforum_posts " + " WHERE user_id = ? " + " ORDER BY post_time DESC " + " LIMIT 1 "; public int getJForumUserLatestPost( Connection jfConn, int user_id ) throws Exception { int result = -1; ResultSet rS = null; PreparedStatement pS = null; try { pS = jfConn.prepareStatement( SELECT_LATEST_USER_POST ); pS.setInt( 1, user_id ); rS = pS.executeQuery(); if ( rS.next() ) { result = rS.getInt( 1 ); } } finally { if ( pS != null ) pS.close(); } return result; } public void loginForum( HttpServletRequest request, HttpServletResponse response, String user, String pass, String forumCtxPath ) throws Exception { InputStream in = null; HttpURLConnection urlConn = null; try { String urlStr = "http://" + request.getServerName() + ":" + request.getServerPort() + forumCtxPath + "/jforum.page?username=" + user + "&password=" + pass + "&module=user&action=validateLogin&autologin=on"; System.err.println( "[LOGIN] URL '" + urlStr + "'" ); URL url = new URL( urlStr ); // if ( debug ) { System.err.println( "[LOGIN] Protocol: " + url.getProtocol() ); System.err.println( "[LOGIN] Hostname: " + url.getHost() ); System.err.println( "[LOGIN] Hostport: " + url.getPort() ); System.err.println( "[LOGIN] URLFile: " + url.getFile() ); } urlConn = (HttpURLConnection) url.openConnection(); // if ( debug ) System.err.println( "[LOGIN] Connection: " + urlConn.getClass().getName() ); urlConn.setRequestMethod( "GET" ); urlConn.setDoOutput( true ); urlConn.setDoInput( true ); urlConn.setUseCaches( false ); urlConn.setAllowUserInteraction( false ); urlConn.setFollowRedirects( false ); ((HttpURLConnection) urlConn).setInstanceFollowRedirects( false ); urlConn.setRequestProperty( "Accept", "*/*" ); urlConn.setRequestProperty( "User-Agent", "Mozilla/5.0" ); // if ( debug ) System.err.println( "[LOGIN] Connecting..." ); urlConn.connect(); // if ( debug ) System.err.println( "[LOGIN] Reading..." ); try { int respCode = urlConn.getResponseCode(); String respMessage = urlConn.getResponseMessage(); // if ( debug ) { System.err.println( "[LOGIN] Response-code: " + respCode ); System.err.println( "[LOGIN] Response-message: " + respMessage ); System.err.println( "[LOGIN] Content-type: " + urlConn.getContentType() ); System.err.println( "[LOGIN] Content-length: " + urlConn.getContentLength() ); } for ( int i = 0 ; ; ++i ) { String hdrV = urlConn.getHeaderField( i ); String hdrK = urlConn.getHeaderFieldKey( i ); System.err.println( "[LOGIN] HDR["+i+"] " + hdrK + ": " + hdrV ); if ( hdrK == null && hdrV == null ) break; if ( hdrK != null && hdrK.equals( "Set-Cookie" ) ) { this.establishCookie( response, hdrV ); } } // System.err.println( "[LOGIN] DONE WITH HDRS" ); in = urlConn.getInputStream(); int len = 0; byte[] buf = new byte[1024]; for ( ; ; ) { int numRd = in.read( buf ); if ( numRd == -1 ) break; // System.err.println( "[LOGIN] -- '" + new String( buf, 0, numRd ) + "'" ); len += numRd; } System.err.println( "[LOGIN] BYTES READ = " + len ); } catch ( Exception ex ) { ex.printStackTrace( System.err ); System.err.println( "[LOGIN] EXCEPTION " + ex.getMessage() ); } } catch ( Exception ex ) { ex.printStackTrace( System.err ); } finally { if ( in != null ) in.close(); } } public void establishCookie( HttpServletResponse response, String cookieStr ) { String name = null; String value = null; String path = null; String exp = null; System.err.println( "[LOGINCOOKIE] '" + cookieStr + "'" ); StringTokenizer toker = new StringTokenizer( cookieStr, ";" ); int cnt = toker.countTokens(); for ( int i = 0 ; i < cnt ; ++i ) { String toke = toker.nextToken().trim(); int idx = toke.indexOf( "=" ); if ( idx == -1 ) { // BAD COOKIE? continue; } String key = toke.substring( 0, idx ); String val = toke.substring( idx + 1 ); if ( key.equals( "Path" ) ) { path = val; } else if ( key.equals( "Expires" ) ) { exp = val; } else { name = key; value = val; } } if ( name != null && value != null && path != null ) { Cookie cookie = null; cookie = new Cookie( name, value ); cookie.setMaxAge( 3600 * 24 * 365 ); // UNDONE LOW cookie.setPath( path ); response.addCookie( cookie ); } } }
[originally posted on jforum.net by time]

Cool thanks! So what login mechanism are you using? Did you write your own filter or are you using something like SecurityFilter?

I'm using SecurityFilter.

Mark
[originally posted on jforum.net by conquest]

I wanted my users to never see the JForum login. If you can explain how to accomplish this with SSO, I would love to hear it.

authentication.type=sso disables all register/login/recover password options in jforum menu.

whenever you access jforum authenticateUser() and isSessionValid() methods determine wether you are logged in or not on your main app. because i use a persistent login cookie thats what i used in those methods :-

package net.jforum.sso; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import javax.servlet.http.Cookie; import net.jforum.ActionServletRequest; import net.jforum.ControllerUtils; import net.jforum.entities.UserSession; import net.jforum.util.preferences.ConfigKeys; import net.jforum.util.preferences.SystemGlobals; import net.jforum.JForum; import com.mysite.ambrosia.database.*; import com.mysite.ambrosia.security.*; import org.apache.log4j.Logger; public class AmbrosiaUserSSO implements SSO { static final Logger logger = Logger.getLogger(AmbrosiaUserSSO.class.getName()); public String authenticateUser(ActionServletRequest request) { UserVO user = new UserVO(); Cookie cookie = ControllerUtils.getCookie("auto-login"); if (cookie != null ) { DAOManager manager = new JndiDAOManager(); UserDAO userDAO = manager.getUserDAO(manager.getConnection()); user = userDAO.getUser(EncryptTool.ToString(cookie.getValue())); manager.close(); if (user.isDisabled()) { logger.warn("**DISABLED_LOGIN_ATTEMPT** on Forum: "+user.getUsername()) ;// catch disabled user. return new String(); } } HttpSession session = JForum.getRequest().getSession(); session.setAttribute("password", user.getPassword()); session.setAttribute("email", user.getUsername()); return user.getScreenName(); } public boolean isSessionValid(UserSession userSession, HttpServletRequest request) { UserVO user = new UserVO(); String remoteUser = null; Cookie cookie = ControllerUtils.getCookie("auto-login"); if (cookie != null ) { DAOManager manager = new JndiDAOManager(); UserDAO userDAO = manager.getUserDAO(manager.getConnection()); user = userDAO.getUser(HexTool.hexToString(cookie.getValue())); manager.close(); remoteUser = user.getScreenName(); } // user has since logged out if(remoteUser == null && userSession.getUserId() != SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has since logged in } else if(remoteUser != null && userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has changed user } else if(remoteUser != null && !remoteUser.equals(userSession.getUsername())) { return false; } return true; } }

I'm not disagreeing with anyone's aproach it's just that I used the built-in SSO stuff - and it took care of all you mentioned in above quote (cept login to forum at same time as login to host app) and its been trouble free.

Just like to use code if its already there.

-Mark.
[originally posted on jforum.net by Anonymous]

Mark,

Thank you for clarifying the point regarding the login being disabled. I did not catch that when I was reviewing the documentation. It does appear that this resolves the issue, so once 2.1.5 is rolled out, I may try to update to SSO.

Thanks, tim.
[originally posted on jforum.net by time]

So Mark are you running all within the same context? ie did you just copy all the jforum files and merge the web.xml?

Do you know how we can use the 2.1.5 stuff cross-context? I'm still researching and this is the last part I don't fully understand in Tomcat.

Thanks for the info!

Mark

Anonymous wrote:[

authentication.type=sso disables all register/login/recover password options in jforum menu.

whenever you access jforum authenticateUser() and isSessionValid() methods determine wether you are logged in or not on your main app. because i use a persistent login cookie thats what i used in those methods :-

I'm not disagreeing with anyone's aproach it's just that I used the built-in SSO stuff - and it took care of all you mentioned in above quote (cept login to forum at same time as login to host app) and its been trouble free.

Just like to use code if its already there.

-Mark.

[originally posted on jforum.net by conquest]

Hi Time,
no worries, there's errors in the wiki docs regarding SSO parameters etc, and some off the source needs a tweak,(for me anyway) - the sso.redirect didn't work correctly from cvs. I still think it could be improved - but SSO certainly makes it more 'plugable'.

Your source code useful btw, some nice things in there that will save me some time

KDE rocks!

conquest wrote:So Mark are you running all within the same context? ie did you just copy all the jforum files and merge the web.xml?[

MrNice sed wrote:I approach integrating jforum into existing app by simply creating a virtual host in tomcat with multiple contexts. I don't use the tomcat webapp folder - just install the /manager app context in the virtual host:
1. your app at context /
2. forum at context /forum
3. manager at context /manager (only allow LAN access)

then I use SSO for sign-on if required by the 'root' application. I find this approach very flexible and easy to manage.

JForum rocks!

Rocks! may the source be with you... :lol:

-Mark.
[originally posted on jforum.net by Anonymuos]

Dooh yeah Sorry Mr Nice .... I remembered reading that on my way home ops:
[originally posted on jforum.net by conquest]

no, i don't merge the apps btw - therein lies the way to madness,
[originally posted on jforum.net by Anonymuos]

ok - how do your users login at the moment?
[originally posted on jforum.net by Anonymuos]

I use SecurityFilter, so I have protected pages just like JAAS which are protected via web.xml. I implement a simple class much like sso for JForum.

I'm googling how to share my session. I see in the host I can specify crossContext=true then I think I could use ServletContext.getContext() and set what I need.

Or perhaps this is getting messy.
[originally posted on jforum.net by conquest]

I can see why this works cross context. It's essentially Tim's solution because it's using a cookie, but it's being done in the JForum webapp. I'm not using a persistent cookie.

I have everything running under a virtual host as well. I tried just dropping the right attributes in the session with no luck.
[originally posted on jforum.net by conquest]

so you are http authenticated?

do users have to login each visit then?

Or perhaps this is getting messy.

:lol: i think adding a session cookie would be much easier

if SecurityFilter does do HTTP auth then see post i did earlier.

https://coderanch.com/t/575731

[originally posted on jforum.net by Anonymuos]

ok - i looked at SecurityFilter and i think its HTTP auth (pretty sure), which means it supports getRemoteUser() method in the default SSO authenticator.

just check out the bug with 'return false'.

you will need to find a way to pass email and password if u want them in jforum profile.

-Mark.
[originally posted on jforum.net by Anonymuos]

<a href ="http://216.239.59.104/search?q=cache:5JM6YXFRURgJ:www.junlu.com/msg/46811.html+SecurityFilter+cookies&hl=en" <br /> >SecurityFilter and cookies link (from Google cache)
[originally posted on jforum.net by Anonymous]

Yes SecurityFilter has this but I've not implemented it yet.

Also if the user doesn't check "remember me" then they won't get this cookie.

I was just hoping to quickly add the sso attributes to the session and WAHM!


You know sort of like a Jedi mind trick!
[originally posted on jforum.net by conquest]

i set maxAge -1 (session cookie) so when user quits browser they're forgotten. if they want to remain loged in i set maxAge(60*60*24*365).

you should be fine without cookies if you don't want auto login feature, just use getRemoteUser() method.

p.s. think this threads a bit fat now
[originally posted on jforum.net by Anonymuos]

hi conq

put this in net.jforum.sso.RemoteUserSSO.java (replace old one)


/* * Copyright (c) Rafael Steil * All rights reserved. * * Redistribution and use in source and binary forms, * with or without modification, are permitted provided * that the following conditions are met: * * 1) Redistributions of source code must retain the above * copyright notice, this list of conditions and the * following disclaimer. * 2) Redistributions in binary form must reproduce the * above copyright notice, this list of conditions and * the following disclaimer in the documentation and/or * other materials provided with the distribution. * 3) Neither the name of "Rafael Steil" nor * the names of its contributors may be used to endorse * or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT * HOLDERS AND CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL * THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, * OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER * IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE * * Created on Mar 28, 2005 7:36:00 PM * The JForum Project * http://www.jforum.net */ package net.jforum.sso; import javax.servlet.http.HttpServletRequest; import net.jforum.ActionServletRequest; import net.jforum.entities.UserSession; import net.jforum.util.preferences.ConfigKeys; import net.jforum.util.preferences.SystemGlobals; /** * Simple SSO authenticator. * This class will try to validate an user by simple * checking <code>request.getRemoteUser()</code> is not * null. * @author Rafael Steil * @author Daniel Campagnoli * @version $Id: RemoteUserSSO.java,v 1.5 2005/07/26 03:05:34 rafaelsteil Exp $ */ public class RemoteUserSSO implements SSO { /** * @see net.jforum.sso.SSO#authenticateUser(net.jforum.ActionServletRequest) */ public String authenticateUser(ActionServletRequest request) { return request.getRemoteUser(); } public boolean isSessionValid(UserSession userSession, HttpServletRequest request) { String remoteUser = request.getRemoteUser(); // user has since logged out if(remoteUser == null && userSession.getUserId() != SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has since logged in } else if(remoteUser != null && userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has changed user } else if(remoteUser != null && !remoteUser.equals(userSession.getUsername())) { return false; } return true; } }


upate SystemGlobals

rebuild jforum

login to your app then goto forum - you should be looged in as same username as app.

you won't have correct email in forum profile it will use- user@sso.com - or summink.

you can then work out how to get your user details - email/password.

any help?.....stars!!!
[originally posted on jforum.net by Anonymuos]

Ok yes this thread is out of control ... pm me ops:
[originally posted on jforum.net by conquest]