SSO authentification

Bonjour !

I'm tryin to implement SSO identification for my app with jforum.
I tried with cookieUserSSO, and after some modifications it works fine.. but (there is always a but) it sucks a bit regarding security.
That's why i'm trying with the other solution : remoteuserSSO. But after reading again and again the several posts about this, I begin to have real strong genocide pulsions against my computer so.. before doing something irreversible i'm begging for your help.

Can you tell me where the getRemoteUser() is implemented ?
How can jforum can be aware about myapp users without cookies ?

Thank you for your help

(Sorry for my poor english)
[originally posted on jforum.net by tontongawel]

Hi,
you write about CookieUserSSO and indeed I see this class mentioned in the documentation.
But I can't find it in the source tree (and not even in the packaged WAR)!
Could someone please clarify?
Greg
[originally posted on jforum.net by Gregorio]

For CookieSSO you have to create your own one.
The code I used :

package net.jforum.sso; import javax.servlet.http.Cookie; import net.jforum.ControllerUtils; import net.jforum.context.RequestContext; import net.jforum.entities.UserSession; import net.jforum.util.preferences.ConfigKeys; import net.jforum.util.preferences.SystemGlobals; public class CookieUserSSO implements SSO { // you must implement met.jforum.sso.SSO public String authenticateUser(RequestContext request) { Cookie myCookie = ControllerUtils.getCookie("jforumSSO"); // my app login cookie String username = null; if (myCookie != null) { username = myCookie.getValue(); } else { System.out.println("No cookie found"); return null; // no cookie found } return username; // jforum username } public boolean isSessionValid(UserSession userSession, RequestContext request) { String remoteUser = null; Cookie myCookie = ControllerUtils.getCookie("JforumSSO"); if (myCookie != null) { remoteUser = myCookie.getValue(); // jforum username } System.out.println("remoteUser: " + remoteUser); // user has since logged out if(remoteUser == null && userSession.getUserId() != SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has since logged in } else if(remoteUser != null && userSession.getUserId() == SystemGlobals.getIntValue(ConfigKeys.ANONYMOUS_USER_ID)) { return false; // user has changed user } else if(remoteUser != null && !remoteUser.equals(userSession.getUsername())) { return false; } System.out.println("Returning true"); return true; // myapp user and forum user the same } }
[originally posted on jforum.net by tontongawel]