[opencms-dev] OpenCms SSO Integration
Fabian Huschka
fabian.huschka at componio.net
Wed Mar 17 12:27:06 CET 2010
Hello Fabian,

you need to add an ActionClass to your module. Add a static
getInstance() method to retrieve the reference to this class (or any
other means).

You can then use the following code within the ActionClass to acquire a
CmsObject which enables you to basically do everything you want.
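
    import org.opencms.file.CmsObject;
    import org.opencms.file.CmsUser;
    import org.opencms.main.CmsContextInfo;
    import org.opencms.main.CmsException;
    import org.opencms.main.OpenCms;
    import org.opencms.util.CmsUUID;

    // Method of the ActionClass; cms is the CmsObject held by that class, LOG its logger.
    // No password is checked here, so call this only for a user the SSO
    // server has already authenticated.
    public CmsObject getUserCmsObject(CmsUUID userID)
    {
        CmsUser user = null;
        try
        {
            user = cms.readUser(userID);
        }
        catch (Exception ex)
        {
            LOG.warn("could not read User", ex);
            return null;
        }
        CmsObject userCms = null;
        CmsContextInfo contextInfo = new CmsContextInfo(user.getName());
        try
        {
            // instantiate an OpenCmsObject to act for the user
            userCms = OpenCms.initCmsObject(cms, contextInfo);
        }
        catch (CmsException ex)
        {
            LOG.debug("couldn't initialize UserCmsObject", ex);
        }
        // returned after the try/catch rather than from finally, so that
        // unexpected exceptions are not silently swallowed
        return userCms;
    }
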
Best regards,
\Fabian
Fabian Panthen wrote:
> Hello List,
>
> we are currently working on integrating OpenCms into an SSO Architecture.
> This seems to be unnecessarily difficult.
> Here's the picture:
>
> In a regular SSO architecture, an SSO server handles Authentication and
> provides some form of mechanism to show other applications that a user
> has been authenticated.
> Applications check for that, for instance a token, and authenticate the
> user automatically, trusting the SSO's decision that the user is to be
> trusted.
> We have been searching the API for days now and so far have not seen a
> way to authenticate an OpenCms user without knowing his password.
> This is said to be a security feature. But really a security feature is
> that an application should not ever need to know a user's password at all!
> If I am programming extensions to a system with its API I obviously
> have access with administrative rights.
> Hence I should be able to
>
> a) create an admin enabled CmsObject without having to store the admin
> password somewhere
> b) create user CmsObjects without having to know their password
>
> The way the API seems to us currently, OpenCms can only be integrated
> into SSO if it handles the login itself but not as a client to another
> login server.
>
> So, dear list, what are your thoughts?
> Have we simply overseen something, and actually we are able to do just
> that but were just too stupid to see so?
> Or is this something that should be addressed in future versions of the API?
> Anyone found a solution to this problem already?
>
> Kind regards,
>
> Fabian Panthen
>
>
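
The check that has to pass before a password-less CmsObject is created for a user, as an added example that is not part of the original messages or of OpenCms. The token layout (userId|expiry|HMAC-SHA256), the shared key and the class name SsoTokenGate are assumptions; only JDK classes are used.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical token layout: userId|expiryEpochSeconds|base64url(HMAC-SHA256 of "userId|expiry")
public class SsoTokenGate {
    private final byte[] key; // secret shared with the SSO server (assumption)
    public SsoTokenGate(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Stands in for the SSO server so the example runs offline.
    public String issue(String userId, long expiry) throws Exception {
        String payload = userId + "|" + expiry;
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    // Returns the user id when signature and expiry check out, otherwise null.
    public String verify(String token, long now) {
        try {
            String[] p = token.split("\\|", -1);
            if (p.length != 3) return null;
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            // constant-time comparison of expected and presented MAC
            if (!MessageDigest.isEqual(mac(p[0] + "|" + p[1]), given)) return null;
            if (Long.parseLong(p[1]) <= now) return null;
            return p[0];
        } catch (Exception e) {
            return null; // malformed or missing token: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        SsoTokenGate gate = new SsoTokenGate("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis() / 1000;
        String ok = gate.issue("constructed-user-id", now + 300);
        String forged = ok.replace("constructed-user-id", "another-user");
        System.out.println("valid token:     " + gate.verify(ok, now));
        System.out.println("user id swapped: " + gate.verify(forged, now));
        System.out.println("past expiry:     " + gate.verify(ok, now + 600));
        // Only a non-null result would be handed on to getUserCmsObject(...).
    }
}
```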