[OFBiz] Users - implementing single sign on with OFBiz and another application

> -------- Original Message --------
> Subject: [OFBiz] Users - implementing single sign on with OFBiz and
> another application
> From: "John Donne" <[hidden email]>
> Date: Wed, August 17, 2005 4:32 pm
> To: [hidden email]
>
> Hello,
>
> We are trying to implement a variant of single-sign-on for OFBiz and another
> application. When a user logs in to the other application, the user should
> also have full access to all OFBiz features without having to login again.
> The primary approach we have been trying is to remove all security checks in
> OFBiz itself, and make it such that the only check OFBiz does is for the
> presence of a "flag" variable in the session. This flag variable would be
> set in the other application. However, this introduces a new problem -- how
> do we get the session to be shared between both applications? The other
> application runs on Tomcat v5.0, and the OFBiz runs an embedded version of
> Tomcat. It seems that most of the session replication techniques such as
> In-Memory Session Replication, using the Persistent Session Manager with
> either a RDBMs or shared filesystem, all require the modification of both
> Tomcats' server.xml files.
>
> Which leads to my question, does the embedded Tomcat that comes with OFBiz
> have a server.xml file or equivalent?  If an equivalent, how similar is it?
>
> If not, and session sharing is out of the question, do you have any
> suggestions for a single-sign-on implementation that would behave similarly
> to what I just described?
>
> Thank you for your time.
>
> _________________________________________________________________
> Don’t just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
>  
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users

> -------- Original Message --------
> Subject: RE: [OFBiz] Users - implementing single sign on with OFBiz and
> another application
> From: Nate Reed <[hidden email]>
> Date: Wed, August 17, 2005 4:58 pm
> To: OFBiz Users / Usage Discussion <[hidden email]>
>
> This may or may not be relevant to your requirements, but I think
> session or persistent cookies would be a good way to do this.
>
> I implemented a single-sign-on on Tomcat that provided authentication
> for a remote service (written in PHP) using cookies.  To authenticate
> the user, the remote app redirects to the single-sign-on service, which
> checks for the cookie, and if it is not set, presents a login page to
> the user.  From there, the user registers or logs in, the
> single-sign-on service sets a persistent cookie, and redirects the user
> to the remote application with a URL query string that identifies the
> user.   Next time the remote service needs authentication, the cookie
> has been set, so the SSO service just redirects to the remote service.
> Each application manages their own sessions.
>
> If your two apps are on the same network, you could use a similar
> approach and just have the two apps share the cookie.  The cookie would
> contain some random string or perhaps an encrypted password which is
> unique to the user.  
>
> Whether this works for you would depend on what kind of information you
> need to keep in the session (just a "flag"?), whether clients will
> allow cookies to be set, etc.  It's best to keep the information in a
> session variable or cookie to a minimum anyway, and access a data store
> for additional information about the user as needed.
>
> The approach of attempting to bypass the security checks in OfBiz does
> not seem sound or maintainable to me.
>
> My two cents,
> Nate
>
> > -------- Original Message --------
> > Subject: [OFBiz] Users - implementing single sign on with OFBiz and
> > another application
> > From: "John Donne" <[hidden email]>
> > Date: Wed, August 17, 2005 4:32 pm
> > To: [hidden email]
> >
> > Hello,
> >
> > We are trying to implement a variant of single-sign-on for OFBiz and another
> > application. When a user logs in to the other application, the user should
> > also have full access to all OFBiz features without having to login again.
> > The primary approach we have been trying is to remove all security checks in
> > OFBiz itself, and make it such that the only check OFBiz does is for the
> > presence of a "flag" variable in the session. This flag variable would be
> > set in the other application. However, this introduces a new problem -- how
> > do we get the session to be shared between both applications? The other
> > application runs on Tomcat v5.0, and the OFBiz runs an embedded version of
> > Tomcat. It seems that most of the session replication techniques such as
> > In-Memory Session Replication, using the Persistent Session Manager with
> > either a RDBMs or shared filesystem, all require the modification of both
> > Tomcats' server.xml files.
> >
> > Which leads to my question, does the embedded Tomcat that comes with OFBiz
> > have a server.xml file or equivalent?  If an equivalent, how similar is it?
> >
> > If not, and session sharing is out of the question, do you have any
> > suggestions for a single-sign-on implementation that would behave similarly
> > to what I just described?
> >
> > Thank you for your time.
> >
> > _________________________________________________________________
> > Don’t just search. Find. Check out the new MSN Search!
> > http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> >
> >  
> > _______________________________________________
> > Users mailing list
> > [hidden email]
> > http://lists.ofbiz.org/mailman/listinfo/users
>
>  
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users