Hello,

We are trying to implement a variant of single-sign-on for OFBiz and another application. When a user logs in to the other application, the user should also have full access to all OFBiz features without having to login again.

The primary approach we have been trying is to remove all security checks in OFBiz itself, and make it such that the only check OFBiz does is for the presence of a "flag" variable in the session. This flag variable would be set in the other application. However, this introduces a new problem -- how do we get the session to be shared between both applications? The other application runs on Tomcat v5.0, and the OFBiz runs an embedded version of Tomcat. It seems that most of the session replication techniques such as In-Memory Session Replication, using the Persistent Session Manager with either an RDBMS or shared filesystem, all require the modification of both Tomcats' server.xml files.

Which leads to my question, does the embedded Tomcat that comes with OFBiz have a server.xml file or equivalent? If an equivalent, how similar is it?

If not, and session sharing is out of the question, do you have any suggestions for a single-sign-on implementation that would behave similarly to what I just described?

Thank you for your time.

_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
This may or may not be relevant to your requirements, but I think session or persistent cookies would be a good way to do this.

I implemented a single-sign-on on Tomcat that provided authentication for a remote service (written in PHP) using cookies. To authenticate the user, the remote app redirects to the single-sign-on service, which checks for the cookie, and if it is not set, presents a login page to the user. From there, the user registers or logs in, the single-sign-on service sets a persistent cookie, and redirects the user to the remote application with a URL query string that identifies the user. Next time the remote service needs authentication, the cookie has been set, so the SSO service just redirects to the remote service. Each application manages its own sessions.

If your two apps are on the same network, you could use a similar approach and just have the two apps share the cookie. The cookie would contain some random string or perhaps an encrypted password which is unique to the user.

Whether this works for you would depend on what kind of information you need to keep in the session (just a "flag"?), whether clients will allow cookies to be set, etc. It's best to keep the information in a session variable or cookie to a minimum anyway, and access a data store for additional information about the user as needed.

The approach of attempting to bypass the security checks in OfBiz does not seem sound or maintainable to me.

My two cents,
Nate

> -------- Original Message --------
> Subject: [OFBiz] Users - implementing single sign on with OFBiz and another application
> From: "John Donne" <[hidden email]>
> Date: Wed, August 17, 2005 4:32 pm
> To: [hidden email]
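Nate's shared-cookie suggestion, taken one step further on the defensive side, as an added example that is not part of this thread: instead of a bare session flag or a random string that some store has to recognise, the login application issues a cookie value that carries the user id and an expiry and is signed with an HMAC over a secret both applications share. The consuming side (OFBiz here) then verifies the signature and the expiry rather than trusting the mere presence of a flag, and nothing has to be replicated between the two Tomcats. Python stands in for what would be a servlet filter on the OFBiz side; the cookie name, the secret and the user ids are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed for this example: both applications must share this secret.
# In a real deployment it is loaded from configuration, never hard-coded.
SHARED_SECRET = b"example-shared-secret-replace-me"
COOKIE_NAME = "SSO_TOKEN"  # hypothetical cookie name, not an OFBiz one


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding so the user id never contains "."
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: str, secret: bytes) -> str:
    return hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()


def mint_sso_cookie(user_login_id: str, secret: bytes, now: int, ttl_seconds: int = 3600) -> str:
    """Issued by the login/SSO application after a successful login.

    Format: <base64 user id>.<expiry unix time>.<hex HMAC-SHA256 of the first two>
    """
    expires = now + ttl_seconds
    payload = f"{_b64(user_login_id.encode('utf-8'))}.{expires}"
    return f"{payload}.{_signature(payload, secret)}"


def verify_sso_cookie(value, secret: bytes, now: int):
    """Run by the consuming application (OFBiz). Returns the user id, or None.

    Rejects malformed values, bad or forged signatures, and expired tokens.
    """
    try:
        user_part, expires_part, sig = value.split(".")
        expires = int(expires_part)
    except (ValueError, AttributeError):
        return None
    payload = f"{user_part}.{expires_part}"
    expected = _signature(payload, secret)
    # Constant-time comparison; the signature is checked before anything
    # in the payload (including the expiry) is believed.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    if now >= expires:
        return None
    try:
        return _unb64(user_part).decode("utf-8")
    except ValueError:
        return None


def authenticate_request(cookies: dict, secret: bytes, now: int):
    """What the OFBiz-side check does instead of looking for a bare session flag."""
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return None
    return verify_sso_cookie(token, secret, now)


if __name__ == "__main__":
    now = 1_000_000
    # Login application side: user "admin" just logged in (constructed user id).
    token = mint_sso_cookie("admin", SHARED_SECRET, now, ttl_seconds=600)
    # OFBiz side: the browser presents the cookie on a later request.
    print("accepted as:", authenticate_request({COOKIE_NAME: token}, SHARED_SECRET, now + 10))
    print("after expiry:", authenticate_request({COOKIE_NAME: token}, SHARED_SECRET, now + 600))
    print("no cookie:", authenticate_request({}, SHARED_SECRET, now))
```

The expiry makes a copied cookie value useful only for a bounded time, and because the signature covers the user id, neither application needs to keep a table of issued random strings. If the redirect back to the remote application has to identify the user in the query string, pass this same signed token rather than a raw identifier, so the receiving side still verifies rather than trusts.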
In reply to this post by John Donne
After thinking about this a little more, session replication is preferred since it does not require cookies to be enabled, but it is more complicated. You have to not only store the session in a common place but rewrite all the URLs as well. You should be able to do this, though; hopefully someone else can answer your question about server.xml.

> -------- Original Message --------
> Subject: RE: [OFBiz] Users - implementing single sign on with OFBiz and another application
> From: Nate Reed <[hidden email]>
> Date: Wed, August 17, 2005 4:58 pm
> To: OFBiz Users / Usage Discussion <[hidden email]>