Hi,
Just elaborating on the issue.
I am trying to integrate Jforum with an application. Only registered users can access the forum.
I am using SSO with the help of cookies. I am facing problem while retrieving the cookie.
Following is the code:
SystemGlobals.properties :
authentication.type=sso
login.authenticator = net.jforum.sso.DefaultLoginAuthenticator
auto.login.enabled = true
sso.implementation=net.jforum.sso.MyUserSSO
sso.password.attribute = password
sso.email.attribute = email
sso.default.email = sso@user
sso.default.password = sso
sso.redirect=http://localhost/JStre/Login
sso.cookie.path=/
ldap.security.protocol =
ldap.authentication =
ldap.factory = com.sun.jndi.ldap.LdapCtxFactory
ldap.login.prefix = uid=
ldap.login.suffix = ou=Users,dc=department,dc=company,dc=com
ldap.server.url =
ldap://localhost
ldap.field.email = mail
ldap.lookup.prefix =
ldap.lookup.suffix =
anonymous.userId = 1
defaultUserGroup = 1
template.dir = default
servlet.extension = .page
cookie.name.data = myCookie
cookie.name.user = jforumUserInfo
cookie.name.autologin = jforumAutoLogin
cookie.name.userHash = jforumUserHash
My application's login action has following entry :
Cookie cookie = new Cookie("myCookie", cookieInfo);
cookie.setMaxAge(-1); // session cookie, or set to positive number.
response.addCookie(cookie);
MyUserSSO.java:
package net.jforum.sso;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.StringTokenizer;
import javax.servlet.http.Cookie;
import net.jforum.ControllerUtils;
import net.jforum.JForumExecutionContext;
import net.jforum.context.RequestContext;
import net.jforum.context.SessionContext;
import net.jforum.dao.DataAccessDriver;
import net.jforum.dao.UserDAO;
import net.jforum.entities.User;
import net.jforum.entities.UserSession;
import net.jforum.repository.SecurityRepository;
import net.jforum.util.preferences.ConfigKeys;
import net.jforum.util.preferences.SystemGlobals;
import org.apache.log4j.Logger;
public class MyUserSSO implements SSO { // you must implement met.jforum.sso.SSO
static final Logger logger = Logger.getLogger(MyUserSSO.class.getName()); // init logging
static final
String md5Salt = "someWeirdStringSharedByTheApps";
static final int JFORUM_NORMAL_GROUP_ID = 1;
static final int JFORUM_ADMIN_GROUP_ID = 2;
static final int JFORUM_MODERATOR_GROUP_ID = 3;
/**
*
*
* Where:
* userId = Remote apps's authenticated app.
* e-mail = E-mail address of remote user's app
* group_info = Group info.
*
*/
public String authenticateUser(RequestContext request) { // required method
Cookie myCookie = ControllerUtils.getCookie("myCookie"); // my app login cookie
if (myCookie == null) { // No Cookie, so just return a null.
return null;
}
String userId = null;
String email = null;
String group_info = "general";
try {
userId = myCookie.getValue();
/* email = st.nextToken();
group_info = st.nextToken();
md5String = st.nextToken();*/
} catch ( Exception e ) {
logger.warn("Found SSO Cookie, but could not parse it! "+
"userId='"+userId+"' md5='"+"md5String"+"'",e);
return null;
}
/* //Validate the cookie's MD5 Hash
try {
if (! makeMD5Token(userId, email, group_info).equals(md5String)) {
logger.warn("Found SSO cookie with invalid MD5 security hash!");
return null;
}
} catch ( Exception e ) {
logger.warn("Error validating md5String for cookie: '" +
myCookie.getValue());
return null;
}*/
SessionContext session = request.getSessionContext();
String lastSSOUser = (String) session.getAttribute("MY_SSO_USER");
// If lastSSOUser is set and matches, then it's valid so just
// return the name and save looking up the user, etc.
if ( lastSSOUser != null && lastSSOUser.equals(userId)) {
return lastSSOUser;
}
// Create the jForum user entry if needed.
SSOUtils utils = new SSOUtils();
String password = null; // Could set a password here if desired.
if (!utils.userExists(userId)) {
if (email == null || email.equals("")) {
email = SystemGlobals.getValue(ConfigKeys.SSO_DEFAULT_EMAIL);
}
if (password == null) {
password = SystemGlobals.getValue(ConfigKeys.SSO_DEFAULT_PASSWORD);
}
utils.register(password, email);
}
User user = utils.getUser();
session.setAttribute("MY_SSO_USER", userId);
// Make sure user group info is current with each "login".
UserDAO um = DataAccessDriver.getInstance().newUserDAO();
int[] disallowedGroups = null;
int[] allowedGroups = null;
if ( group_info.equals("admin")) {
allowedGroups = new int[3];
allowedGroups[0] = JFORUM_NORMAL_GROUP_ID;
allowedGroups[1] = JFORUM_MODERATOR_GROUP_ID;
allowedGroups[2] = JFORUM_ADMIN_GROUP_ID;
} else if ( group_info.equals("moderator" )){
disallowedGroups = new int[1];
disallowedGroups[0] = JFORUM_ADMIN_GROUP_ID;
allowedGroups = new int[2];
allowedGroups[0] = JFORUM_NORMAL_GROUP_ID;
allowedGroups[1] = JFORUM_MODERATOR_GROUP_ID;
} else {
disallowedGroups = new int[2];
disallowedGroups[0] = JFORUM_ADMIN_GROUP_ID;
disallowedGroups[1] = JFORUM_MODERATOR_GROUP_ID;
allowedGroups = new int[1];
allowedGroups[0] = JFORUM_NORMAL_GROUP_ID;
}
if ( disallowedGroups != null ) {
um.removeFromGroup(user.getId(), disallowedGroups);
}
um.addToGroup(user.getId(), allowedGroups);
SecurityRepository.remove(user.getId());
// User by isSessionValid.
Cookie cookie = new Cookie("JforumSSO", userId);
cookie.setMaxAge(myCookie.getMaxAge());
cookie.setPath("/");
JForumExecutionContext.getResponse().addCookie(cookie);
return userId;
}
public boolean isSessionValid(UserSession userSession, RequestContext request) {
String remoteUser = null;
Cookie SSOCookie = ControllerUtils.getCookie("JforumSSO");
if (SSOCookie != null) remoteUser = SSOCookie.getValue(); // jforum username
// user has since logged out
if(remoteUser == null &&
userSession.getUserId() != SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) {
return false;
// user has since logged in
} else if(remoteUser != null &&
userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) {
return false;
// user has changed user
} else if(remoteUser != null && !remoteUser.equals(userSession.getUsername())) {
return false;
}
return true; // myapp user and forum user the same
}
/**
* Makes the MD5 token used for authentication in cookies.
*
* @param userName The user id used for encryption.
* @param email The user's email (or "" if none).
* @return The hex string representation of the MD5 digested string.
* @exception NoSuchAlgorithException If for some reason, MD5 is not available?
*/
private String makeMD5Token (String userName, String email,
String groupInfo )
throws NoSuchAlgorithmException {
MessageDigest md;
byte[] sig;
String plainText;
StringBuffer encryptedText = new StringBuffer();
plainText = md5Salt + "/" + userName + "/"+ email + "/"+groupInfo;
md = MessageDigest.getInstance("MD5");
sig = md.digest(plainText.getBytes());
for ( int i = 0; i < sig.length; i++ ) {
encryptedText.append(Integer.toString(( sig[i] & 0xff ) + 0x100, 16 ).substring(1));
}
return encryptedText.toString();
}
}
[originally posted on jforum.net by jforumUser]