[OFBiz] Users - implementing single sign on with OFBiz and another application

[OFBiz] Users - implementing single sign on with OFBiz and another application

John Donne
Hello,

We are trying to implement a variant of single-sign-on for OFBiz and another
application. When a user logs in to the other application, the user should
also have full access to all OFBiz features without having to log in again.
The primary approach we have been trying is to remove all security checks in
OFBiz itself, and make it such that the only check OFBiz does is for the
presence of a "flag" variable in the session. This flag variable would be
set in the other application. However, this introduces a new problem -- how
do we get the session to be shared between both applications? The other
application runs on Tomcat v5.0, and OFBiz runs an embedded version of
Tomcat. It seems that most of the session replication techniques, such as
In-Memory Session Replication or using the Persistent Session Manager with
either an RDBMS or a shared filesystem, all require the modification of both
Tomcats' server.xml files.

Which leads to my question, does the embedded Tomcat that comes with OFBiz
have a server.xml file or equivalent?  If an equivalent, how similar is it?

If not, and session sharing is out of the question, do you have any
suggestions for a single-sign-on implementation that would behave similarly
to what I just described?

Thank you for your time.

_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

RE: [OFBiz] Users - implementing single sign on with OFBiz and another application

Nate Reed-2
This may or may not be relevant to your requirements, but I think
session or persistent cookies would be a good way to do this.

I implemented a single-sign-on on Tomcat that provided authentication
for a remote service (written in PHP) using cookies. To authenticate
the user, the remote app redirects to the single-sign-on service, which
checks for the cookie, and if it is not set, presents a login page to
the user. From there, the user registers or logs in, the
single-sign-on service sets a persistent cookie, and redirects the user
to the remote application with a URL query string that identifies the
user. Next time the remote service needs authentication, the cookie
has been set, so the SSO service just redirects to the remote service.
Each application manages its own sessions.

If your two apps are on the same network, you could use a similar
approach and just have the two apps share the cookie.  The cookie would
contain some random string or perhaps an encrypted password which is
unique to the user.  

Whether this works for you would depend on what kind of information you
need to keep in the session (just a "flag"?), whether clients will
allow cookies to be set, etc.  It's best to keep the information in a
session variable or cookie to a minimum anyway, and access a data store
for additional information about the user as needed.

The approach of attempting to bypass the security checks in OFBiz does
not seem sound or maintainable to me.

My two cents,
Nate

> -------- Original Message --------
> Subject: [OFBiz] Users - implementing single sign on with OFBiz and
> another application
> From: "John Donne" <[hidden email]>
> Date: Wed, August 17, 2005 4:32 pm
> To: [hidden email]

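The redirect flow Nate describes, as an added example that is not part of the thread (a stand-alone Python model rather than OFBiz or Tomcat servlet code; the shared key, hostnames and user ids are constructed). It keeps the cookie an opaque random token looked up server-side rather than an encrypted password, and signs the user-identifying query string together with an expiry so the remote application cannot be handed a forged or replayed identity:

```python
import hmac, hashlib, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed demo values (assumptions, not from the thread).
SHARED_KEY = b"constructed-demo-key-shared-by-sso-and-remote-app"
TICKET_TTL = 60  # seconds a redirect ticket stays valid


class SsoService:
    """The single-sign-on service: owns the persistent cookie and issues tickets."""
    def __init__(self):
        # Cookie value -> user id, kept server-side. The cookie itself is an
        # opaque random string, so it reveals nothing if it is ever captured.
        self.sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token  # value the browser stores as the SSO cookie

    def authenticate(self, cookie, return_to, now=None):
        """Handle the remote app's redirect. Returns the redirect-back URL,
        or None when there is no valid cookie and a login page must be shown."""
        user = self.sessions.get(cookie)
        if user is None:
            return None
        exp = int(time.time() if now is None else now) + TICKET_TTL
        # Sign user, expiry and destination so the query string cannot be
        # forged or re-pointed at another application.
        msg = f"{user}|{exp}|{return_to}".encode()
        sig = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
        return return_to + "?" + urlencode({"user": user, "exp": exp, "sig": sig})


def remote_app_verify(redirect_url, now=None):
    """The remote application: validate the ticket before starting its own session.
    Returns the user id, or None if the ticket is missing, tampered or expired."""
    parts = urlparse(redirect_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    q = parse_qs(parts.query)
    try:
        user, exp, sig = q["user"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    if (time.time() if now is None else now) > exp:
        return None
    expected = hmac.new(SHARED_KEY, f"{user}|{exp}|{base}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(sig, expected) else None
```

The `now` parameters exist only to make the expiry check deterministic; in production both sides use the clock.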

RE: [OFBiz] Users - implementing single sign on with OFBiz and another application

Nate Reed-2
After thinking about this a little more, session replication is
preferred since it does not require cookies to be enabled, but it is
more complicated. You have to not only store the session in a common
place but rewrite all the URLs as well. You should be able to do
this, though; hopefully someone else can answer your question about
server.xml.

> -------- Original Message --------
> Subject: RE: [OFBiz] Users - implementing single sign on with OFBiz and
> another application
> From: Nate Reed <[hidden email]>
> Date: Wed, August 17, 2005 4:58 pm
> To: OFBiz Users / Usage Discussion <[hidden email]>