[ https://issues.apache.org/jira/browse/OFBIZ-10047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16294055#comment-16294055 ]
Michael Brohl commented on OFBIZ-10047:
---------------------------------------
Hi James, Jacques,
thank you for your efforts on this!
I did a brief review and found the following points to change and/or discuss:
1. The retrieval functionality for the configuration parameter "security.login.tomcat.sso" is using a default of "true" when it is not found. I'd propose to set this to false because it is a new feature and the old behaviour should be the default until the new mechanism is field tested enough.
2. There is a possible NullPointerException in OFBizRealm#getPassword when no userLogin is found.
3. OFBizRealm#getName() overrides a deprecated method.
4. service userLogin has a new mandatory parameter request. I'm not sure if it is a good idea to have a dependency on a request in a service? It will at least break the possibility to use it in another context where you do not have a request.
It is also not needed for other calls in ICalWorker.java and XmlRpcEventHandler.java so it should at least be optional.
5. Question: Is there any possible drawback when using this feature in a load-balanced/clustered environment? Is it tested in this case?
6. Question: Does this interfere with other SSO solutions we currently have in plugins/ldap?
Maybe we should also check these and see if these solutions can be harmonized?
7. Someone should check this solution from an architectural view.
I appreciate the efforts but I am also in doubt if we should put this feature into the new release. It's very fresh, deals with a very central functionality and should be field tested more.
What do you think?
> Tomcat SSO
> ----------
>
> Key: OFBIZ-10047
> URL: https://issues.apache.org/jira/browse/OFBIZ-10047
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: Trunk
> Reporter: James Yong
> Assignee: James Yong
> Priority: Minor
> Attachments: OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch
>
>
> Proposing Tomcat SSO to be used in OFBiz to improve on Single-Sign-On.
> This aims to fix the issues mentioned in OFBIZ-6963, OFBIZ-6994.