I've been hacking through Turbine and Jetspeed trying to add a getClearPassword and setClearPassword functionality in the two but it is still a hack at best which I'm not sure would ever get incorporated into the main branches. Retrieving the encrypted/hashed password isn't an option since most web apps using LDAP don't perform a comparison but actually rebind to the directory as a user. This provides a great deal more security and allows for much finer controls over what parts of the directory a user has rights to. In order to bind as a user though each webapp would need their username (or cn) and password.
As soon as the IframePortlet is done I'll submit a nice version of it (documented). Are there any other parameters people would like to see passed automatically besides:
username (runData.getUser().getUserName())
password (runData.getUser().getPassword())
cleartext password (runData.getUser().getClearPassword()) - if I ever get it working
email (runData.getUser().getEmail())
first name (runData.getUser().getFirstName())
last name (runData.getUser().getLastName())
name (runData.getUser().getName()) ?
Thanks again,
Dan Elder

Mark Orciuch wrote:
Dan,
The parameter passing part is useful - feel free to patch the original IFramePortlet with this enhancement. As for the authentication part, the password encryption algorithm used in Jetspeed is a one-way encryption technique, so you cannot decrypt it. Take a look at BasicAuthenticationIFramePortlet (in CVS head).
Best regards,
Mark Orciuch - [EMAIL PROTECTED]
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/

-----Original Message-----
From: Dan Elder [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 12:58 PM
To: [EMAIL PROTECTED]
Subject: Iframe Portlet with Parameter Passing

Hello,

I've created an Iframe Portlet which is a copy of the existing Iframe Portlet but adds the ability to pass parameters to the source address (i.e. https://mydomain/index.php&parameter=true&other=nothing). This is useful for me because with it I can now tie in other web apps to Jetspeed and have transparent single signon by passing the current username and password (and other values that can be retrieved from runData.getUser()) in a url like https://mydomain/index.php?username=dan&password=rootme.

The only problem I'm having right now is that the crypted version of the password is returned instead of the initial password the user logs in with. I know I can disable password encryption in the JetspeedSecurity.properties but storing passwords in the clear in our LDAP directory isn't an option. Is there a way that I'm missing to retrieve the password a user logs in with in the clear even if the backing store is encrypted?

If anyone is interested in the portlet I can post all the code as well (it's still got a few bugs).

Thank you,
Dan Elder

--
----------------------------------------------
Dan Elder, Software Developer, Novacoast, Inc.
Voice: (805) 884-4152
Mobile: (805) 453-6563
E-mail: [EMAIL PROTECTED]
----------------------------------------------
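An added example, not part of the original thread or of Jetspeed's code: a URL of the form shown in the first message ends up in web-server access logs and can be sent onward in Referer headers, so this Python script scans combined-format log lines for password-bearing query strings and redacts them. The log lines, host names and the `SENSITIVE` parameter list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets (assumption; extend per application).
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Request target and Referer of a combined-format access log entry.
LOG_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jun/2003:12:58:01 -0700] "GET /index.php?username=dan'
    '&password=rootme HTTP/1.1" 200 512 "https://portal.example/portal" "UA"',
    '192.0.2.10 - - [19/Jun/2003:12:58:02 -0700] "GET /img/logo.png HTTP/1.1" '
    '200 2048 "https://mydomain/index.php?username=dan&password=rootme" "UA"',
    '192.0.2.11 - - [19/Jun/2003:12:59:10 -0700] "GET /index.php?parameter=true'
    '&other=nothing HTTP/1.1" 200 512 "-" "UA"',
]

def redact_url(url):
    """Return (redacted_url, leaked_parameter_names) for one URL."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not leaked:
        return url, []          # leave untouched URLs byte-for-byte intact
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scan(lines):
    """Return (findings, redacted_lines); a finding is (line_no, field, names)."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        for field in ("target", "referer") if match else ():
            url = match.group(field)
            clean, leaked = redact_url(url)
            if leaked:
                findings.append((no, field, leaked))
                line = line.replace(url, clean)
        redacted.append(line)
    return findings, redacted

if __name__ == "__main__":
    found, cleaned = scan(SAMPLE_LOG)
    for no, field, names in found:
        print(f"line {no}: {', '.join(names)} exposed in {field}")
    print("\n".join(cleaned))
```

The second sample line shows the Referer case: the request is for an image, yet the password from the framing page's URL is recorded with it.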
