andune76 wrote:The code should read something like
HttpSession session = request.getSession();
Hope it helps,
andune76 wrote:Yes, you need to enable cross-context sessions or SSO in Tomcat. There is a SSOValve configuration in server.xml
andune76 wrote:It worked for me, I did not even have to modify my web.xml.
I assume you have configured sso in SystemGlobals.properties, if you have not, then that is what is troubling you.
Sid wrote:I thikn the SSO valve of tomcat allows a user to login against the tomcat security mechanism, and then it holds a user object at any request - which would pretty much work alogn with the sample RemoteSSO example that ships with jforum.
If you have your own sso implementation this is probably not sufficient - you rather have to enable the cross context entry. Another approach would be to use URL authentication for instance. This is independent from sessions or context sharing. But without url encryption it'd be high risk!
monroe wrote:I'm not sure exactly what you're trying to do here. The Tomcat SSO implimentation is designed to work with Tomcat's Realm definition and the Java Servlet spec's security mechanisms.
So, besides just turning this on, you need to have a Realm implimentation defined as well, e.g. a DataSourceReam or the like. Then for each web app you are protecting, you will need to define the security constraints and other security descriptors in the WebApp's web.xml file. (See the spec for details).
Once you've done this, you should only get challenged for an id/password on the first secured webapp (in the same Realm) you hit. All this is based on the Spec level security.
At the application level, all you get from this is that you can use the request.getUserPrincipal() method to get limited info about the logged in user (basically the user name). Or you can use the request.isUserInRole(Role) method to check if the logged in user is in the specified role (as defined by the Tomcat Realm implimentation).
It also follows the HTTP spec in setting the REMOTE_USER environmental variable to the same name as the principal.
The SSO implimentation does not pass any objects back and forth beween webapps. It just uses some special cookies to identify the user principal object which is stored at the container level and shared among webapps.
In this case, JForum's RemoteUserSSO says, if the request returns a valid principal or REMOTE_USER user id, I will trust that the webserver or container has already validated that user id.
If the user id does not exist in the Jforum user tables, it will create one using the defaults in the config file for e-mail, etc. For the profile and other information to be correct for the user, the user will need to manually edit that.
E.g., you go to secured1 and login in. then you go to secured2.
monroe wrote:I think you are misunderstanding the way the Specs define how a Servlet Container should act. Cross Context does not mean that there is some "shared session" object available across all webapps. This means that one web app context is able to make Requests via the dispatcher calls to another. Even there, the sessions objects are different.
If you're looking for a shared object available across multiple webapps, you'll need to do that at the container level. E.g. write your own variation of the Tomcat SSO valve. But then your app will be tied tightly to the Tomcat platform and not as portable.
You might be able to do something with a cross context call to set up a remote session prior to making a direct URL reference to it. The only thing I'm not sure of is if the session created by the cross context call will be "connected" to the end user's browser. I.e., is there a Session cookie returned to the browser so Tomcat can match the browser to the session?
Nino Martinez wrote:
Usually the webcontainer does one of two things:
*Sets a session cookie
*Urlrewrite (appends jsessionid)
Nino Martinez wrote:
So I guess the final thing to ask are:
Is there a way to signin a user from another java(using cookies, special urls etc) application by using the default implementations provided by Jforum?
If no, then how hard is it todo this?
I guess I would need to create my own implementation of the remote sso class and recompile jforum? Can the implementation request that a user has to be created or does that happen on default?
... code example ...
NingDynasty wrote:Did anyone get Monroe's example to work out of the box? I've been working on it for two days and all the code seems right but every time I go to the forum I'm not logged in.