Guillaume wrote:
> Raphaël Luta <[EMAIL PROTECTED]> wrote:
>> 
>> What you want is a SSO (single sign on) solution. This can be implemented at
>> several levels:
>> - Jetspeed itself has some SSO components although they are designed to allow
>> SSO from Jetspeed (i.e. you authenticate into J2 and then you don't need to
>> reauthenticate to access remote resources) rather than your use case
>> - through a third party SSO provider (Netegrity SiteMinder for commercial,
>> mod_sso/CAS for OSS for example)
>> - through some simple cookie based system using mod_usertrack of Apache HTTPD
>> 
>> In all instances, I *strongly* encourage you not to use your
>> current solution in production as it is very insecure. Putting clear-text
>> login/password in URLs is bad: any sniffer will see them, they will
>> appear in the log of any proxy between your client and server, they will
>> appear in the logs of your server.
> 
> If the Servlet and the Jetspeed server are on the same Tomcat, there is no
> problem with sniffing... only the log of Tomcat...
>   I'm interested in SSO, but I don't understand how it could be installed
> (with SSO documentation, sorry)
>
>   Guillaume
>

The redirect response you're generating in your servlet is sent back to
the client browser, which is then expected to follow the URL you sent.

So your insecure URL is actually travelling from
 servlet -> client -> jetspeed

There are plenty of opportunities for sniffing/proxying in this configuration.

The SSO functions of J2 can't be used out of the box for your use case, and
any SSO deployment you want to make will require something done on both
the intranet and the extranet servers; you can probably reuse some of the
core components for your needs though.

For out of the box solutions, check out the ESUP Portail CAS solution, a
French Java-based SSO solution
(http://perso.univ-rennes1.fr/pascal.aubry/presentations/cas-eunis2004/),
or JOSSO (http://www.josso.org/).

-- 
Raphaël Luta - [EMAIL PROTECTED]
Apache Portals - Enterprise Portal in Java
http://portals.apache.org/
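
The thread's point is that a redirect carrying login/password travels servlet -> browser -> portal and ends up in every proxy and server log on the way. The following is an added example, not code from the thread or from Jetspeed, showing the usual replacement for that pattern: the intranet side issues an opaque, short-lived, single-use handoff token, the redirect URL carries only that token, and the portal redeems it once against a store both sides can reach. It is written in Python for illustration even though the original setup is Java servlets; `HandoffStore`, `TOKEN_TTL_SECONDS`, the `handoff` query parameter and `https://portal.example/login` are all assumptions made for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 30  # assumed: a handoff only needs to survive one redirect


class HandoffStore:
    """Server-side store shared by the issuing servlet and the portal.

    Maps an opaque one-time token to (username, expiry). Constructed for this
    example as an in-memory dict; a real deployment would back it with a
    shared cache or database reachable by both applications.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._tokens = {}

    def issue(self, username):
        # 32 random bytes: unguessable, and carries no user information itself
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        # pop() makes the token single-use: a replay from a log is worthless
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired tokens are discarded, not honoured
        return username


def build_redirect(store, portal_base, username):
    """What the intranet servlet sends back to the browser as the Location
    header: a URL carrying only the token, never the login or password."""
    token = store.issue(username)
    return portal_base + "?" + urlencode({"handoff": token})


def portal_login(store, request_url):
    """What the portal does when the browser arrives: extract the token from
    the query string and redeem it. Returns the username or None."""
    query = parse_qs(urlparse(request_url).query)
    token = query.get("handoff", [None])[0]
    if token is None:
        return None
    return store.redeem(token)


def url_leaks_values(url, secret_values):
    """Check a URL as it would appear in a proxy or server access log for any
    of the given secret strings (login, password)."""
    return any(value in url for value in secret_values)


if __name__ == "__main__":
    store = HandoffStore()
    location = build_redirect(store, "https://portal.example/login", "guillaume")
    print("Redirect:", location)
    print("Leaks login/password:", url_leaks_values(location, ["guillaume", "s3cret"]))
    print("First redemption:", portal_login(store, location))
    print("Second redemption:", portal_login(store, location))
```

The token still appears in logs, but once redeemed or expired it is useless, which is the property the clear-text login/password lacked. The redirect must still go over HTTPS, since a sniffer who sees the token before the browser's request reaches the portal could race it.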

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]