Posted to user@turbine.apache.org by "Jeffrey D. Brekke" <jb...@wi.rr.com> on 2006/12/13 06:57:31 UTC

Single Sign On and Turbine

Has anyone integrated a single sign on solution for multiple turbine web 
applications?

We are considering using a single turbine application, authenticating 
against active directory.  When the user is logged in, throw the session 
id and username into a table.  Then the other applications, using a 
customer session revalidation, check if the user is logged in as usual, 
if not, check if the id exists in the table and if so, create an 
authenticated user for use in that turbine app.

But, how do we get the same cookie from one app into another?  Are there 
any other ways to do sso with turbine in use?

-- 
=====================================================================
Jeffrey D. Brekke                                   jbrekke@wi.rr.com
Wisconsin,  USA                                     brekke@apache.org
                                                     ekkerbj@yahoo.com
http://www.bloglines.com/blog/jbrekke               ekkerbj@gmail.com


---------------------------------------------------------------------
To unsubscribe, e-mail: turbine-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: turbine-user-help@jakarta.apache.org


RE: Single Sign On and Turbine

Posted by Tony Oslund <to...@lifeinnovations.com>.
Do Tomcat SSO valves work across Turbine apps installed on separate servers, or does "virtual" only apply to the same server instance?

They also appear to require cookies.

-----Original Message-----
From: Jürgen Hoffmann [mailto:jh@byteaction.de] 
Sent: Wednesday, December 13, 2006 9:04 AM
To: 'Turbine Users List'
Subject: AW: Single Sign On and Turbine

Hi,

maybe this could be done using valves within Tomcat?

Just my 2 cents.

Juergen



AW: Single Sign On and Turbine

Posted by Jürgen Hoffmann <jh...@byteaction.de>.
Hi,

maybe this could be done using valves within Tomcat?

Just my 2 cents.

Juergen



RE: Single Sign On and Turbine

Posted by Tony Oslund <to...@lifeinnovations.com>.
Hello Jeff,

I was able to accomplish this by using a virtual session (my
terminology).  By virtual I mean a session in concept only that exists
outside of the Turbine realm.

What I did was allow the originating app to set up/initialize the data
for a virtual session.  The system can recognize (by looking at the URL)
when it is jumping to a different app.  Whenever it jumps to the other
app it includes the virtual session id within the url.  The other app
then sets up its own Turbine session and links back to this virtual
session.  (The virtual session information is stored within a table).

Part of the trick is to have the second app automatically re-load any
authentication into its own session.  I stored the name of the
authentication object within one of the virtual session tables and then
re-instantiated within the second session to duplicate the
authentication.

To be honest this was not a trivial problem to solve.  I spent a number
of weeks on it before I got it all working correctly.  The biggest
problem I ran into was not jumping to the second app, but jumping back
to the first app without having it create yet another session.  

One interesting thing that I seemed to run into is that the jsessionid
was case sensitive.  I used JSESSIONID within the cookies, and
jsessionid within the url.

Our motivation for doing this was to be able to cobble together various
sites from sets of reusable Turbine apps.  We also needed it to work
with or without cookies.

Perhaps it was a mistake on my part, but I did NOT make use of the
built-in Turbine security model.  I basically wrote my own.

It would be rather cool if there was a pre-made solution out there for
Turbine single sign-on across apps or servers.  I wasn't aware of one so
I built it myself.

...

The previous company that I worked for was using an Apache session (php
app) to perform the initial login, storing the information, and then
including the apache sessionid within the url so that the turbine apps
could load their session information as necessary.  This is similar in
concept and seemed to work well also.  

Tony Oslund
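
The URL hand-off described in the message above, as an added example (not code from this thread and not part of Turbine). It goes one step beyond the message: instead of carrying a long-lived session id in the URL, the originating app issues a single-use, short-lived ticket that the second app redeems against the shared table before creating its own session. The class and method names are hypothetical, and an in-memory map stands in for the database table.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not a Turbine API. The map stands in for the shared table.
public class HandoffTickets {
    private record Entry(String username, Instant expires) {}

    private final Map<String, Entry> table = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long ttlSeconds;

    public HandoffTickets(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }

    // Originating app: called for an already authenticated user just before the jump.
    public String issue(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Store only a hash, so a leaked table row cannot be replayed as a ticket.
        table.put(hash(ticket), new Entry(username, Instant.now().plusSeconds(ttlSeconds)));
        return ticket; // placed in the redirect URL to the second app
    }

    // Receiving app: remove() makes the ticket single use, even under concurrent requests.
    public Optional<String> redeem(String ticket) {
        Entry e = table.remove(hash(ticket));
        if (e == null || Instant.now().isAfter(e.expires())) return Optional.empty();
        return Optional.of(e.username()); // caller now creates its own local session
    }

    private static String hash(String ticket) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(ticket.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        HandoffTickets tickets = new HandoffTickets(30);
        String t = tickets.issue("jdoe");              // constructed sample user
        System.out.println(tickets.redeem(t));         // first redemption
        System.out.println(tickets.redeem(t));         // replay of the same ticket
        System.out.println(tickets.redeem("forged"));  // ticket that was never issued
    }
}
```

After a successful redeem, the receiving app can redirect to a URL without the ticket so it does not linger in browser history, Referer headers or access logs.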

