[opencms-dev] OpenCms SSO Integration

Yves Glodt yg at mind.lu
Wed Mar 17 12:22:09 CET 2010


Hi Fabian,

from OpenCms I am also using an SSO principle to enable access to
private resources.

Principle:

- The SSO-login-server (independent webapp in our case, but could be
just a .jsp in OpenCms) sets a cookie with a UUID if the login was
successful, and creates a corresponding record in a DB.
- I created a filter which checks the resource you want to access; in
case it is private it checks the value of the cookie and looks (via
SQL) if there is an existing SSO-session.
  If yes, it lets you through; if not, it redirects.

We used this approach because the users/passwords are in the DB of an
ERP-system, and not linked to OpenCms at all.

hope this can help you :)

yves

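As an added illustration of the filter Yves describes (this is not his code and not part of OpenCms), a servlet filter that guards a private path prefix by reading the SSO cookie and looking the UUID up in a session table. The cookie name, the `/private/` prefix, the login URL, the JNDI name of the DataSource and the `sso_session` table layout are all assumptions made for this example; the second method shows the cookie the login server would set.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.Instant;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Example filter (Servlet 3.0 API + JDBC): requests under PRIVATE_PREFIX pass only
 * if the SSO cookie names an unexpired row in the session table.
 * Assumed table: sso_session(token VARCHAR(36) PRIMARY KEY, user_id VARCHAR(64), expires_at TIMESTAMP)
 */
public class SsoSessionFilter implements Filter {
    static final String COOKIE_NAME = "SSO_SESSION";                   // assumed name
    static final String PRIVATE_PREFIX = "/private/";                  // assumed prefix
    static final String LOGIN_URL = "https://sso.example/login";       // placeholder
    static final String DATASOURCE_JNDI = "java:comp/env/jdbc/ssoDb";  // assumed binding
    // Only a canonical lowercase version-4 UUID ever reaches the database query.
    private static final Pattern UUID_RE = Pattern.compile(
        "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}");

    private DataSource dataSource;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            dataSource = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
        } catch (NamingException e) {
            throw new ServletException("SSO session DataSource not bound", e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Public resources are not checked at all.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (!path.startsWith(PRIVATE_PREFIX)) {
            chain.doFilter(request, response);
            return;
        }
        String token = readToken(req);
        String userId = (token == null) ? null : lookupUser(token);
        if (userId == null) {
            resp.sendRedirect(LOGIN_URL);      // no valid SSO session: go and log in
            return;
        }
        req.setAttribute("sso.userId", userId); // downstream code sees who was let through
        chain.doFilter(request, response);
    }

    /** Cookie value if present and well-formed, otherwise null. */
    static String readToken(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null
                    && UUID_RE.matcher(c.getValue()).matches()) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Parameterised lookup: the token is bound, never concatenated into the SQL. */
    private String lookupUser(String token) throws ServletException {
        String sql = "SELECT user_id FROM sso_session WHERE token = ? AND expires_at > ?";
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, token);
            ps.setTimestamp(2, Timestamp.from(Instant.now()));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        } catch (SQLException e) {
            throw new ServletException("SSO session lookup failed", e);
        }
    }

    /** What the login server sets after a successful login: a fresh random UUID. */
    static Cookie newSessionCookie() {
        Cookie c = new Cookie(COOKIE_NAME, UUID.randomUUID().toString());
        c.setHttpOnly(true); // not readable by page scripts
        c.setSecure(true);   // sent over HTTPS only
        c.setPath("/");
        return c;
    }

    @Override
    public void destroy() { }
}
```

The login server inserts a row with the same UUID and an `expires_at` value when it sets the cookie, and deletes the row on logout; because the filter consults the table on every private request, revoking a session is a single row deletion, and the expiry comparison keeps a stolen cookie from working forever.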

On 17 March 2010 12:01, Fabian Panthen <fpa at unitb-consulting.de> wrote:
>
> Hello List,
>
> we are currently working on integrating OpenCms into an SSO Architecture.
> This seems to be unnecessarily difficult.
> Here's the picture:
>
> In a regular SSO architecture, an SSO server handles Authentication and
> provides some form of mechanism to show other applications that a user
> has been authenticated.
> Applications check for that, for instance a token, and authenticate the
> user automatically, trusting the SSO's decision that the user is to be
> trusted.
> We have been searching the API for days now and so far have not seen a
> way to authenticate an OpenCms user without knowing his password.
> This is said to be a security feature. But really a security feature is
> that an application should not ever need to know a user's password at all!
> If I am programming extensions to a system with its API I obviously
> have access with administrative rights.
> Hence I should be able to
>
> a) create an admin enabled CmsObject without having to store the admin
> password somewhere
> b) create user CmsObjects without having to know their password
>
> The way the API seems to us currently, OpenCms can only be integrated
> into SSO if it handles the login itself but not as a client to another
> login server.
>
> So, dear list, what are your thoughts?
> Have we simply overlooked something, and actually we are able to do just
> that but were just too stupid to see so?
> Or is this something that should be addressed in future versions of the API?
> Anyone found a solution to this problem already?
>
> Kind regards,
>
> Fabian Panthen
>
> --
>
> ____________________________________________
>
> u n i t b  c o n s u l t i n g
>
> Brunnenstr. 156
> 10115 Berlin
>
> Tel:    +49 [0]30 44 31 92 00
> Fax:    +49 [0]30 44 31 92 29
> Mail:   office at unitb-consulting.de
> Web:    http://www.unitb-consulting.de
>
> Managing directors: Nico Adam, Thomas Timm
> Register court: AG Berlin-Charlottenburg - HRB 113607
> Tax number: 37/249/21073
> VAT ID no.: DE814984825
>
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in error)
> please notify the sender immediately and destroy this e-mail. Any
> unauthorised copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden.
>
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://lists.opencms.org/mailman/listinfo/opencms-dev
>