Cookie-based SSO and v2.1.7

I understand there are some issues with SSO as documented on this site, especially for JForum v2.1.7. Can someone please point me in the right direction for the next step?

Here's where I am.

I've got Eclipse v3.2.2
I'm using j2sdk1.4.2_12
I've gotten the source from the downloadable zip.
I've gotten the missing 5 .jar files from the CVS.

I've gotten to the point where the existing stuff will rebuild without errors - just 90 warnings.

I've created a MyUserSSO.java using the code in this thread:

https://coderanch.com/t/576580


I show an import that cannot be resolved:

import net.jforum.ActionServletRequest;

I find this file in the CVS only by viewing dead files.

Again, please, does ANYONE have a working version of simple cookie-based SSO for JForum v2.1.7?

Please?

I'll trade you for some Oracle consulting time. Really!

Thanks,
Jennifer

p.s. I posted the bulk of this message earlier, in the Questions category, and got no response at all. Is there any option for paid support of this product? Is anyone out there well enough versed in JForum to take on a paid support role?
[originally posted on jforum.net by jenamon]

Jennifer,

exactly what is it what you are trying to achieve? Should a user logon in a different part of your website and thus also be logged in at the forum ? Or is a user authenticated first again an ldap server or something like that ?


[originally posted on jforum.net by jax]

Actually, I've gotten past that step. Once I get it working, if I ever get it working, I'll post the working code back to the list. For those still trying, the clue is in the fact that your MyUserSSO must implement SSO. So, make the request parameter match what's in the SSO code. They've broken out the JForum and Web request context stuff, and changed/replaced it - hence the deprecated code. So, I've gotten past that error. If I don't stumble again over something, I should have a working version soon.

So, I guess they were right. If they ignore the pleas for help, the users will either go away or (eventually) figure it out themselves.

Jennifer
[originally posted on jforum.net by jenamon]

I've got it working, believe it or not. Here's the working code for MyUserSSO.java:

package net.jforum.sso; import javax.servlet.http.Cookie; import net.jforum.context.RequestContext; import net.jforum.JForumExecutionContext; import net.jforum.ControllerUtils; import net.jforum.entities.UserSession; import net.jforum.util.preferences.ConfigKeys; import net.jforum.util.preferences.SystemGlobals; import org.apache.log4j.Logger; public class MyUserSSO implements SSO { static final Logger logger = Logger.getLogger(MyUserSSO.class.getName()); public String authenticateUser(RequestContext request) { // sso pool apps login cookie, contain logged username Cookie myCookie = ControllerUtils.getCookie("JFORUMSCREENNAME"); String username=null; if (myCookie ==null){ JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT)); return null; // no cookie found }else{ username=(String)myCookie.getValue(); if (username.equals("")) JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT)); } return username; // jforum username } public boolean isSessionValid(UserSession userSession, RequestContext request) { String remoteUser = null; Cookie SSOCookie = ControllerUtils.getCookie("JFORUMSCREENNAME"); // my app login cookie if (SSOCookie != null) remoteUser = SSOCookie.getValue(); // jforum username if (remoteUser == null) { JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT)); return false; } else if (remoteUser.equals("")) { JForumExecutionContext.setRedirect(SystemGlobals.getValue(ConfigKeys.SSO_REDIRECT)); return false; // user has since logged in } else if (remoteUser != null && userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has changed user } else if (remoteUser != null && !remoteUser.equals(userSession.getUsername())) { return false; } return true; // sso pool apps user and forum user the same } }

The cookie name can be whatever you want it to be. It's used only here.

The user DOES show up as a registered user, i.e. Judy vs. anonymous, but the email gets set to sso@user, and the user cannot change it in the "My Profile" page. I tried setting the email address directly into the database from my front-end web app, and that works.

The password gets set to "sso" instead of an encrypted value, and the user cannot change that in the "My Profile" page.

I will likely try to change the My Profile page so that the user doesn't even see the options to change the email address or the password if they are logged in via SSO.

More work to do, but at least FINALLY getting close.


[originally posted on jforum.net by jenamon]