A few questions regarding SSO

Greetings JForum gurus,

I am trying to understand how I can implement SSO with my existing webapp. I'm finding useful bits and pieces searching the documentation and the forums.

The scenario: I have an existing webapp deployed in Tomcat(5.5) which allows users to register their details and login to their profile using FORM authentication and Tomcat JAASRealm. When a user clicks the forum link and are directed to the forum, if they have already logged in I would like them to be logged in to the forum automatically and be able to post messages. If they are not logged in I would still like users to be able to view the forum, but no post to it. As I understand it SSO should allow me to achieve this.

Some of the questions I'm about to ask may have obvious answers and some may have been asked already � so apologies in advance. I just need to be sure I fully understand the SSO process and how to implement it.

1) I don't quite understand the process that occurs when associating a logged in user with a forum account. For example I have an existing database of users � when a user who hasn't used the forum before ( and therefore does not have a record in the jforum_user table ) logs into the site and attempts to access the forum, what happens exactly?

The documentation says that if the username returned from authenticateUser() does not have an associated userid, then one is created on the fly. Does this mean that the username is added to the jforum_users table, permanently?

Just to be clear, when a user registers with the main site their details are stored in the existing database. Do I have to also store the details in the jforum_users table, or is that handled automatically when a logged in user accesses the forum?

2) Since I am using Tomcat container-based authentication do I need to implement my own RemoteUserSSO class, or can I use the default class? Is the request.getRemoteUser() all I need to rely on, or do I also need to use cookies?

3) When SSO is enabled I understand that the Login and Register options are removed from the forum page � is there anyway to manually reinstate these options � and link them to the respective login and register pages of my main webapp?

I'm thinking that if a user goes to the forum directly (bypassing the main site) they might be confused that there's no register option.

3) Ideally I would like to deploy JForum as a separate webapp. How might I go about maintaining a session between the two?

Thanks for your time. I look forward to using JForum on the site I'm working on.

[originally posted on jforum.net by Silent Film]

Silent Film wrote:Greetings JForum gurus,
1) I don't quite understand the process that occurs when associating a logged in user with a forum account. For example I have an existing database of users � when a user who hasn't used the forum before ( and therefore does not have a record in the jforum_user table ) logs into the site and attempts to access the forum, what happens exactly?

The documentation says that if the username returned from authenticateUser() does not have an associated userid, then one is created on the fly. Does this mean that the username is added to the jforum_users table, permanently?

Just to be clear, when a user registers with the main site their details are stored in the existing database. Do I have to also store the details in the jforum_users table, or is that handled automatically when a logged in user accesses the forum?

SSO is basically a "are you an authorized user" mechanism. If the user is "authorized" (by your app/tomcat/etc.), then JForum checks to see if there is an entry in it's user DB. If one does not exist, a user entry is added (because it was authorized...). How the details of this entry is filled in depends on the SSO implimentation. (E.g., if it's LDAP, the SSO class can look up info in the directory and populate the JForum table.

If you want to go beyond the sample SSO implimentations, you will need to decide how you are going to manage both the information your application and JForum both need. There will be overlaps and differences.

IMHO, the best way to deal with this is to write a "hybrid" UserDAO implimentation that knows how to populate jForum User objects from both sources. e.g., e-mail, name from your app's data store, signature, location, etc from jForum's tables.

You will also need to decide how to manage user input/modification of this information. E.g., Change the jForum profile form to not allow stuff that your application manages.

Silent Film wrote:Greetings JForum gurus,
2) Since I am using Tomcat container-based authentication do I need to implement my own RemoteUserSSO class, or can I use the default class? Is the request.getRemoteUser() all I need to rely on, or do I also need to use cookies?

Depends on what you want. The simple and quick way, it to use Tomcat's SSO filter and then use the RemoteUserSSO class. With the TC SSO filter, all webapps can get the REMOTE user and the User Principal class set based on the first authentication. (And web.xml rules are applied).

Silent Film wrote:Greetings JForum gurus,
3) When SSO is enabled I understand that the Login and Register options are removed from the forum page � is there anyway to manually reinstate these options � and link them to the respective login and register pages of my main webapp?

These are just links defined in the templates. You can change them to whatever you want.
[originally posted on jforum.net by monroe]

Thanks for your input monroe.

I think I will go with your suggestion of using a hybrid UserDAO. For the moment I'm trying to get a basic default version working, and then build on that.

However I'm having a problem. I can log into the main webapp successfully, but when I cross over to the forum webapp I'm not logged in. I've installed JForum as a separate webapp with the only change made being SystemGlobals necessary for SSO specified in the documentation. Should the default SSO implementation pick up a logged in user?

Could it be an issue with the application context? I haven't made any changes to the the Tomcat server.xml configuration. For my main webapp I have crossContext enabled in the META-INF/context.xml file of the main website webapp. Similarly I have the JAASRealm specified in the same file with my custom JAAS LoginModule class is deployed in the webapp, not as a .jar in the shared Tomcat library.
[originally posted on jforum.net by Silent Film]

I'm still having trouble with a cross context session. If I call <ServletContext>.getContext("/jforum") in my main webapp I get null.

I've tried adding a context.xml to /jforum/META-INF/ with crossContext set to true, no joy.

Any ideas?
[originally posted on jforum.net by Silent Film]

I've managed to make some progress - I can now log into the main site and when forwarded to the forum the username is added to the database and a registered user us indicated as being online.

However, there are no options to view the user profile, or 'You are logged in as...' messages, so basically a username is extracted from the getRemoteUser function but it doesn't actually log the user in.

Is this the normal behaviour and I've missed a setting, or is something going wrong?
[originally posted on jforum.net by Silent Film]

Managed to get it working - it was a configuration issue with Tomcat.

A few quick questions, if I may:

What options are available to me to customize the theme of the forum. I read from a 2005 post that copying the templates/default folder, making the necessary changes to style.css and then pointing the SystemGlobal template.dir to the directory applies that style. Is this still the way to do it?

Also, in the forum list page I want options to register/login which point back to the main webapp. Is it a matter of altering the html of the page and hard-coding the links, or are there any configuration options?
[originally posted on jforum.net by Silent Film]

Yes for all

Rafael
[originally posted on jforum.net by Rafael Steil]