Tomcat SSO

Tomcat SSO

James Yong-2
Hi all,

I would like to propose using the Single Sign On mechanism in Tomcat.
Once implemented, there is no necessity for the externalLoginKey,
or to indicate "intra-app" to target-type attribute.

Any issue before I start working on a POC?

Regards,
James Yong

Re: Tomcat SSO

Jacques Le Roux
Administrator
Hi James,

I was not aware of this feature. I just read https://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Single_Sign_On

I see no reasons why a POC would be refused.

Jacques


On 05/05/2017 at 11:12, James Yong wrote:

> Hi all,
>
> I would like to propose using the Single Sign On mechanism in Tomcat.
> Once implemented, there is no necessity for the externalLoginKey,
> or to indicate "intra-app" to target-type attribute.
>
> Any issue before I start working on a POC?
>
> Regards,
> James Yong
>


Re: Tomcat SSO

taher
In reply to this post by James Yong-2
I've been contemplating this for a while, but it is not an easy task.
Essentially, we need to fully refactor the Catalina Container and do a lot
of cleanup to reverse the way OFBiz is deployed to be a single web
application, not multiple web applications mapped to a single servlet
container as is the architecture at the moment.

For this to happen, we need to do many things:
1- Complete the refactoring of all containers to get the new signature of
OfbizCommand argument list
2- Redesign the container so that everything is loaded once as a single
webapp through one master servlet. This would have the advantage of being
able to deploy OFBiz as a single WAR archive to be deployed in any servlet
container
3- Redesign all components (if needed) to comply with this new architecture

This is one of the things I've been dabbling with lately, but it's bigger
than I expected. The code in the catalina container is very spaghetti like
at the moment.

So, I would say it's a good idea, but needs lots of cleanup / refactoring
work first if you want to have a good chance of succeeding in
implementation. Without a proper cleanup you might get a bit overwhelmed in
trying to navigate the code maze :) So good luck.

On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:

> Hi all,
>
> I would like to propose using the Single Sign On mechanism in Tomcat.
> Once implemented, there is no necessity for the externalLoginKey,
> or to indicate "intra-app" to target-type attribute.
>
> Any issue before I start working on a POC?
>
> Regards,
> James Yong
>

Re: Tomcat SSO

James Yong-2
Hi all,

I would like to revisit this issue. Specifically on whether implementing Tomcat SSO to avoid using externalLoginKey is a sound approach. Thanks.

Regards,
James Yong

On 2017-05-05 18:02, Taher Alkhateeb <[hidden email]> wrote:

> I've been contemplating this for a while, but it is not an easy task.
> Essentially, we need to fully refactor the Catalina Container and do a lot
> of cleanup to reverse the way OFBiz is deployed to be a single web
> application, not multiple web applications mapped to a single servlet
> container as is the architecture at the moment.
>
> For this to happen, we need to do many things:
> 1- Complete the refactoring of all containers to get the new signature of
> OfbizCommand argument list
> 2- Redesign the container so that everything is loaded once as a single
> webapp through one master servlet. This would have the advantage of being
> able to deploy OFBiz as a single WAR archive to be deployed in any servlet
> container
> 3- Redesign all components (if needed) to comply with this new architecture
>
> This is one of the things I've been dabbling with lately, but it's bigger
> than I expected. The code in the catalina container is very spaghetti like
> at the moment.
>
> So, I would say it's a good idea, but needs lots of cleanup / refactoring
> work first if you want to have a good chance of succeeding in
> implementation. Without a proper cleanup you might get a bit overwhelmed in
> trying to navigate the code maze :) So good luck.
>
> On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:
>
> > Hi all,
> >
> > I would like to propose using the Single Sign On mechanism in Tomcat.
> > Once implemented, there is no necessity for the externalLoginKey,
> > or to indicate "intra-app" to target-type attribute.
> >
> > Any issue before I start working on a POC?
> >
> > Regards,
> > James Yong
> >
>

Re: Tomcat SSO

taher
Perhaps sharing exactly how you'd like to implement this would help.

On Sun, Nov 5, 2017 at 7:12 PM, James Yong <[hidden email]> wrote:

> Hi all,
>
> I would like to revisit this issue. Specifically on whether implementing Tomcat SSO to avoid using externalLoginKey is a sound approach. Thanks.
>
> Regards,
> James Yong
>
> On 2017-05-05 18:02, Taher Alkhateeb <[hidden email]> wrote:
>> I've been contemplating this for a while, but it is not an easy task.
>> Essentially, we need to fully refactor the Catalina Container and do a lot
>> of cleanup to reverse the way OFBiz is deployed to be a single web
>> application, not multiple web applications mapped to a single servlet
>> container as is the architecture at the moment.
>>
>> For this to happen, we need to do many things:
>> 1- Complete the refactoring of all containers to get the new signature of
>> OfbizCommand argument list
>> 2- Redesign the container so that everything is loaded once as a single
>> webapp through one master servlet. This would have the advantage of being
>> able to deploy OFBiz as a single WAR archive to be deployed in any servlet
>> container
>> 3- Redesign all components (if needed) to comply with this new architecture
>>
>> This is one of the things I've been dabbling with lately, but it's bigger
>> than I expected. The code in the catalina container is very spaghetti like
>> at the moment.
>>
>> So, I would say it's a good idea, but needs lots of cleanup / refactoring
>> work first if you want to have a good chance of succeeding in
>> implementation. Without a proper cleanup you might get a bit overwhelmed in
>> trying to navigate the code maze :) So good luck.
>>
>> On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:
>>
>> > Hi all,
>> >
>> > I would like to propose using the Single Sign On mechanism in Tomcat.
>> > Once implemented, there is no necessity for the externalLoginKey,
>> > or to indicate "intra-app" to target-type attribute.
>> >
>> > Any issue before I start working on a POC?
>> >
>> > Regards,
>> > James Yong
>> >
>>

Re: Tomcat SSO

James Yong-2
Hi Taher, all,

Sorry for the late reply.
I have created a JIRA issue for further discussion and also uploaded a proof-of-concept.
Please see https://issues.apache.org/jira/projects/OFBIZ/issues/OFBIZ-10047

Regards,
James Yong

On 2017-11-07 03:42, Taher Alkhateeb <[hidden email]> wrote:

> Perhaps sharing exactly how you'd like to implement this would help.
>
> On Sun, Nov 5, 2017 at 7:12 PM, James Yong <[hidden email]> wrote:
> > Hi all,
> >
> > I would like to revisit this issue. Specifically on whether implementing Tomcat SSO to avoid using externalLoginKey is a sound approach. Thanks.
> >
> > Regards,
> > James Yong
> >
> > On 2017-05-05 18:02, Taher Alkhateeb <[hidden email]> wrote:
> >> I've been contemplating this for a while, but it is not an easy task.
> >> Essentially, we need to fully refactor the Catalina Container and do a lot
> >> of cleanup to reverse the way OFBiz is deployed to be a single web
> >> application, not multiple web applications mapped to a single servlet
> >> container as is the architecture at the moment.
> >>
> >> For this to happen, we need to do many things:
> >> 1- Complete the refactoring of all containers to get the new signature of
> >> OfbizCommand argument list
> >> 2- Redesign the container so that everything is loaded once as a single
> >> webapp through one master servlet. This would have the advantage of being
> >> able to deploy OFBiz as a single WAR archive to be deployed in any servlet
> >> container
> >> 3- Redesign all components (if needed) to comply with this new architecture
> >>
> >> This is one of the things I've been dabbling with lately, but it's bigger
> >> than I expected. The code in the catalina container is very spaghetti like
> >> at the moment.
> >>
> >> So, I would say it's a good idea, but needs lots of cleanup / refactoring
> >> work first if you want to have a good chance of succeeding in
> >> implementation. Without a proper cleanup you might get a bit overwhelmed in
> >> trying to navigate the code maze :) So good luck.
> >>
> >> On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:
> >>
> >> > Hi all,
> >> >
> >> > I would like to propose using the Single Sign On mechanism in Tomcat.
> >> > Once implemented, there is no necessity for the externalLoginKey,
> >> > or to indicate "intra-app" to target-type attribute.
> >> >
> >> > Any issue before I start working on a POC?
> >> >
> >> > Regards,
> >> > James Yong
> >> >
> >>
>

Re: Tomcat SSO

Kwadwo Boahen
In reply to this post by James Yong-2
James,

I am new to OfBiz but I see the direction is to break big OfBiz into
micro-services.
It will make sense to make your authentication and authorization services
independent.
I have some experience with Keycloak and will recommend you take a look at
it.
I think it will be a good choice to handle SSO and more; and free OfBiz
from a dependency on Tomcat.

Regards



On Sun, Nov 5, 2017 at 11:12 AM, James Yong <[hidden email]> wrote:

> Hi all,
>
> I would like to revisit this issue. Specifically on whether implementing
> Tomcat SSO to avoid using externalLoginKey is a sound approach. Thanks.
>
> Regards,
> James Yong
>
> On 2017-05-05 18:02, Taher Alkhateeb <[hidden email]> wrote:
> > I've been contemplating this for a while, but it is not an easy task.
> > Essentially, we need to fully refactor the Catalina Container and do a lot
> > of cleanup to reverse the way OFBiz is deployed to be a single web
> > application, not multiple web applications mapped to a single servlet
> > container as is the architecture at the moment.
> >
> > For this to happen, we need to do many things:
> > 1- Complete the refactoring of all containers to get the new signature of
> > OfbizCommand argument list
> > 2- Redesign the container so that everything is loaded once as a single
> > webapp through one master servlet. This would have the advantage of being
> > able to deploy OFBiz as a single WAR archive to be deployed in any servlet
> > container
> > 3- Redesign all components (if needed) to comply with this new architecture
> >
> > This is one of the things I've been dabbling with lately, but it's bigger
> > than I expected. The code in the catalina container is very spaghetti like
> > at the moment.
> >
> > So, I would say it's a good idea, but needs lots of cleanup / refactoring
> > work first if you want to have a good chance of succeeding in
> > implementation. Without a proper cleanup you might get a bit overwhelmed in
> > trying to navigate the code maze :) So good luck.
> >
> > On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:
> >
> > > Hi all,
> > >
> > > I would like to propose using the Single Sign On mechanism in Tomcat.
> > > Once implemented, there is no necessity for the externalLoginKey,
> > > or to indicate "intra-app" to target-type attribute.
> > >
> > > Any issue before I start working on a POC?
> > >
> > > Regards,
> > > James Yong
> > >
> >
>

Re: Tomcat SSO

James Yong-2
Hi Kwadwo,

OFBiz supports a few external single sign-on mechanisms like CAS SSO, LinkedIn sign-on etc.
If you use KeyCloak, you are welcome to contribute code or an article on KeyCloak support for OFBiz.

Regards,
James Yong

On 2017-12-11 05:38, Kwadwo Boahen <[hidden email]> wrote:

> James,
>
> I am new to OfBiz but I see the direction is to break big OfBiz into
> micro-services.
> It will make sense to make your authentication and authorization services
> independent.
> I have some experience with Keycloak and will recommend you take a look at
> it.
> I think it will be a good choice to handle SSO and more; and free OfBiz
> from a dependency on Tomcat.
>
> Regards
>
>
>
> On Sun, Nov 5, 2017 at 11:12 AM, James Yong <[hidden email]> wrote:
>
> > Hi all,
> >
> > I would like to revisit this issue. Specifically on whether implementing
> > Tomcat SSO to avoid using externalLoginKey is a sound approach. Thanks.
> >
> > Regards,
> > James Yong
> >
> > On 2017-05-05 18:02, Taher Alkhateeb <[hidden email]> wrote:
> > > I've been contemplating this for a while, but it is not an easy task.
> > > Essentially, we need to fully refactor the Catalina Container and do a lot
> > > of cleanup to reverse the way OFBiz is deployed to be a single web
> > > application, not multiple web applications mapped to a single servlet
> > > container as is the architecture at the moment.
> > >
> > > For this to happen, we need to do many things:
> > > 1- Complete the refactoring of all containers to get the new signature of
> > > OfbizCommand argument list
> > > 2- Redesign the container so that everything is loaded once as a single
> > > webapp through one master servlet. This would have the advantage of being
> > > able to deploy OFBiz as a single WAR archive to be deployed in any servlet
> > > container
> > > 3- Redesign all components (if needed) to comply with this new architecture
> > >
> > > This is one of the things I've been dabbling with lately, but it's bigger
> > > than I expected. The code in the catalina container is very spaghetti like
> > > at the moment.
> > >
> > > So, I would say it's a good idea, but needs lots of cleanup / refactoring
> > > work first if you want to have a good chance of succeeding in
> > > implementation. Without a proper cleanup you might get a bit overwhelmed in
> > > trying to navigate the code maze :) So good luck.
> > >
> > > On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:
> > >
> > > > Hi all,
> > > >
> > > > I would like to propose using the Single Sign On mechanism in Tomcat.
> > > > Once implemented, there is no necessity for the externalLoginKey,
> > > > or to indicate "intra-app" to target-type attribute.
> > > >
> > > > Any issue before I start working on a POC?
> > > >
> > > > Regards,
> > > > James Yong
> > > >
> > >
> >
>

Re: Tomcat SSO

James Yong-2
In reply to this post by James Yong-2
Hi all,

I have uploaded a patch to support SSO when OFBiz is clustered.
Please see https://issues.apache.org/jira/browse/OFBIZ-10123 for patch and further discussion.

Regards,
James Yong

On 2017/12/10 15:42:32, "James Yong"<[hidden email]> wrote:

> Hi Taher, all,
>
> Sorry for the late reply.
> I have created a JIRA issue for further discussion and also uploaded a proof-of-concept.
> Please see https://issues.apache.org/jira/projects/OFBIZ/issues/OFBIZ-10047
>
> Regards,
> James Yong
>
> On 2017-11-07 03:42, Taher Alkhateeb <[hidden email]> wrote:
> > Perhaps sharing exactly how you'd like to implement this would help.
> >
> > On Sun, Nov 5, 2017 at 7:12 PM, James Yong <[hidden email]> wrote:
> > > Hi all,
> > >
> > > I would like to revisit this issue. Specifically on whether implementing Tomcat SSO to avoid using externalLoginKey is a sound approach. Thanks.
> > >
> > > Regards,
> > > James Yong
> > >
> > > On 2017-05-05 18:02, Taher Alkhateeb <[hidden email]> wrote:
> > >> I've been contemplating this for a while, but it is not an easy task.
> > >> Essentially, we need to fully refactor the Catalina Container and do a lot
> > >> of cleanup to reverse the way OFBiz is deployed to be a single web
> > >> application, not multiple web applications mapped to a single servlet
> > >> container as is the architecture at the moment.
> > >>
> > >> For this to happen, we need to do many things:
> > >> 1- Complete the refactoring of all containers to get the new signature of
> > >> OfbizCommand argument list
> > >> 2- Redesign the container so that everything is loaded once as a single
> > >> webapp through one master servlet. This would have the advantage of being
> > >> able to deploy OFBiz as a single WAR archive to be deployed in any servlet
> > >> container
> > >> 3- Redesign all components (if needed) to comply with this new architecture
> > >>
> > >> This is one of the things I've been dabbling with lately, but it's bigger
> > >> than I expected. The code in the catalina container is very spaghetti like
> > >> at the moment.
> > >>
> > >> So, I would say it's a good idea, but needs lots of cleanup / refactoring
> > >> work first if you want to have a good chance of succeeding in
> > >> implementation. Without a proper cleanup you might get a bit overwhelmed in
> > >> trying to navigate the code maze :) So good luck.
> > >>
> > >> On Fri, May 5, 2017 at 12:12 PM, James Yong <[hidden email]> wrote:
> > >>
> > >> > Hi all,
> > >> >
> > >> > I would like to propose using the Single Sign On mechanism in Tomcat.
> > >> > Once implemented, there is no necessity for the externalLoginKey,
> > >> > or to indicate "intra-app" to target-type attribute.
> > >> >
> > >> > Any issue before I start working on a POC?
> > >> >
> > >> > Regards,
> > >> > James Yong
> > >> >
> > >>
> >
>