Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication
----------------------------------------------------------------------------

Key: OFBIZ-1906
URL: https://issues.apache.org/jira/browse/OFBIZ-1906
Project: OFBiz
Issue Type: Improvement
Components: framework
Affects Versions: SVN trunk
Reporter: Guy Gershoni
Priority: Minor

Am using CAS (http://www.ja-sig.org/products/cas/) to do authentication which, with the standard CAS Java client, populates the HttpServletRequest.getRemoteUser() with the user it has authenticated (http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml... bottom of page).

Have noticed in framework/security/config/security.properties on line 73 there is the following:

    # -- HTTP header based ID (for integrations; uncomment to enable)
    #security.login.http.header=REMOTE_USER

which is then processed by framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java around line 611 on:

So would like to add the following to security.properties:

    # -- HttpServletRequest getRemoteUser() based ID (for integrations; uncomment to enable)
    #security.login.http.servlet.getremoteuser.allow=true

and in LoginWorker.java add some code to check property and suck in remote user from request if O.K.

Am developing patch.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guy Gershoni updated OFBIZ-1906:
--------------------------------
Attachment: security-remoteuser_login.diff

Patch to enable log in via getRemoteUser(). Need to have something like CAS client set up to populate remote user.

> Allow use of HttpServletRequest.getRemoteUser() for 3rd party authentication
> ----------------------------------------------------------------------------
>
> Key: OFBIZ-1906
> URL: https://issues.apache.org/jira/browse/OFBIZ-1906
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Guy Gershoni
> Priority: Minor
> Attachments: security-remoteuser_login.diff
>
> Original Estimate: 4h
> Remaining Estimate: 4h

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658708#action_12658708 ]

Luke Prentice commented on OFBIZ-1906:
--------------------------------------

Please can someone apply this patch and check it in to the trunk. That will allow us to proceed with smoother CAS integration with this method on the trunk. Thanks.

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-1906:
--------------------------------------
Assignee: Jacques Le Roux

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658825#action_12658825 ]

Jacques Le Roux commented on OFBIZ-1906:
----------------------------------------

I have reviewed but not tested this patch. I can't see anything harmful in it. So I will commit it in some days except if somebody sees a security problem with it. Of course if someone is using CAS (I know some people are) please test this patch...

Thanks

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658825#action_12658825 ]

jacques.le.roux edited comment on OFBIZ-1906 at 12/23/08 3:24 AM:
------------------------------------------------------------------

I have reviewed but not tested this patch. I can't see anything harmful in it. So I will commit it in some days except if somebody sees a security problem with it. Of course if someone (not Guy or Luke of course) is using CAS (I know some people are) please test this patch...

Thanks

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12658975#action_12658975 ]

Guy Gershoni commented on OFBIZ-1906:
-------------------------------------

Hi Jacques,

Thanks heaps for picking up the issue. I have recently reviewed the patch and think it can be cleaned up (better if the getRemoteUser() and REMOTE_USER function reuse the same log in code rather than copy paste). Now that I know someone might check in the code soon I will put up a cleaner patch in the next day or so.

Guy

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Luke Prentice updated OFBIZ-1906:
---------------------------------
Attachment: ofbiz-and-CAS.pdf

Thanks for picking this up. To help with testing prior to committing, I have attached an internal wiki of ours which outlines how a development box could be set up to test this. We have used this to test the patch and it works fine.

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12659075#action_12659075 ]

Jacques Le Roux commented on OFBIZ-1906:
----------------------------------------

Sorry Luke, but I'm unable to read the PDF file, sounds like it's not complete or something.

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12664465#action_12664465 ]

Jacques Le Roux commented on OFBIZ-1906:
----------------------------------------

Any news, Luke?

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Luke Prentice updated OFBIZ-1906:
---------------------------------
Attachment: ArlSettingUpCasOnOfbiz5.pdf

Sorry, here it is. The previous PDF but not corrupted!

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Luke Prentice updated OFBIZ-1906:
---------------------------------
Attachment: (was: ofbiz-and-CAS.pdf)

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guy Gershoni updated OFBIZ-1906:
--------------------------------
Attachment: security-remoteuser_login_v2.diff

Similar to v1 of patch but framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java now has two new private methods:

* isUserLoggedIn(HttpServletRequest request) - To check if a user is logged in
* loginUserWithUserLoginId(HttpServletRequest request, HttpServletResponse response, String userLoginId) - To log in a user with only a userLoginId.

I pulled the code for the methods out of checkRequestHeaderLogin(...) and have got both checkRequestHeaderLogin() and the new method checkServletRequestRemoteUserLogin(...) using the private methods listed above.
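
An added sketch of the flow this thread describes (not part of the thread and not OFBiz's LoginWorker code): both login paths share the two helpers named in the v2 patch description, each path is gated by its security.properties key, and the sample run shows which source each path trusts. The method names and property keys are the ones quoted in the thread; `Request`, `SampleRequest`, `Session`, `loginIfPresent`, the simplified signatures, the boolean return values and the sample user name are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

public class RemoteUserLoginSketch {

    /** Hypothetical stand-in for the two HttpServletRequest calls discussed in the thread. */
    interface Request {
        String getHeader(String name); // raw HTTP header as it reached the container
        String getRemoteUser();        // identity set by the container or an auth filter (e.g. the CAS client)
    }

    /** Constructed sample request; header lookup here is case-sensitive, unlike the servlet API. */
    static final class SampleRequest implements Request {
        private final Map<String, String> headers = new HashMap<>();
        private final String remoteUser;
        SampleRequest(String remoteUser) { this.remoteUser = remoteUser; }
        SampleRequest header(String name, String value) { headers.put(name, value); return this; }
        public String getHeader(String name) { return headers.get(name); }
        public String getRemoteUser() { return remoteUser; }
    }

    /** Hypothetical stand-in for the session state that records the logged-in user. */
    static final class Session { String userLoginId; }

    private final Properties security;

    RemoteUserLoginSketch(Properties security) { this.security = security; }

    // Shared helpers, named after the two private methods in the v2 patch description.
    private static boolean isUserLoggedIn(Session session) {
        return session.userLoginId != null;
    }

    private static void loginUserWithUserLoginId(Session session, String userLoginId) {
        session.userLoginId = userLoginId; // assumption: a real implementation also looks the user up
    }

    // Hypothetical helper: log in only when the identity source produced a non-empty value.
    private static boolean loginIfPresent(Session session, String userLoginId) {
        if (userLoginId == null || userLoginId.trim().isEmpty()) return false;
        loginUserWithUserLoginId(session, userLoginId.trim());
        return true;
    }

    /** Header path: enabled by naming a header in security.login.http.header. */
    boolean checkRequestHeaderLogin(Request request, Session session) {
        String headerName = security.getProperty("security.login.http.header");
        if (headerName == null || headerName.trim().isEmpty() || isUserLoggedIn(session)) return false;
        return loginIfPresent(session, request.getHeader(headerName.trim()));
    }

    /** getRemoteUser() path: enabled only when the allow key is set to true. */
    boolean checkServletRequestRemoteUserLogin(Request request, Session session) {
        String allow = security.getProperty("security.login.http.servlet.getremoteuser.allow", "false");
        if (!Boolean.parseBoolean(allow.trim()) || isUserLoggedIn(session)) return false;
        return loginIfPresent(session, request.getRemoteUser());
    }

    public static void main(String[] args) {
        Properties defaults = new Properties(); // both keys left commented out
        Properties enabled = new Properties();
        enabled.setProperty("security.login.http.header", "REMOTE_USER");
        enabled.setProperty("security.login.http.servlet.getremoteuser.allow", "true");

        // Constructed requests: one authenticated by a filter, one that only carries a header.
        Request viaFilter = new SampleRequest("sample-user");
        Request headerOnly = new SampleRequest(null).header("REMOTE_USER", "sample-user");

        Session s1 = new Session();
        boolean offResult = new RemoteUserLoginSketch(defaults).checkServletRequestRemoteUserLogin(viaFilter, s1);
        System.out.println("keys commented out, filter-authenticated request: " + offResult);

        Session s2 = new Session();
        boolean filterResult = new RemoteUserLoginSketch(enabled).checkServletRequestRemoteUserLogin(viaFilter, s2);
        System.out.println("allow=true, filter-authenticated request: " + filterResult + " as " + s2.userLoginId);

        // The getRemoteUser() path ignores a bare header; the header path accepts whatever
        // value reached the container, so it depends on a front end that sets or strips it.
        Session s3 = new Session();
        RemoteUserLoginSketch worker = new RemoteUserLoginSketch(enabled);
        boolean remoteUserResult = worker.checkServletRequestRemoteUserLogin(headerOnly, s3);
        boolean headerResult = worker.checkRequestHeaderLogin(headerOnly, s3);
        System.out.println("header-only request, getRemoteUser() path: " + remoteUserResult);
        System.out.println("header-only request, header path: " + headerResult + " as " + s3.userLoginId);
    }
}
```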

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guy Gershoni updated OFBIZ-1906:
--------------------------------
Attachment: (was: security-remoteuser_login_v2.diff)

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guy Gershoni updated OFBIZ-1906:
--------------------------------
Attachment: security-remoteuser_login_v2.diff

Commented out security.properties setting so not turned on by default.

[ https://issues.apache.org/jira/browse/OFBIZ-1906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1906.
----------------------------------
Resolution: Fixed
Fix Version/s: SVN trunk

Thanks Guy and Luke,

Your patch is in trunk revision: 736660.

I will put the PDF in the Wiki soon...