[ 
https://issues.apache.org/jira/browse/OFBIZ-10047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16294055#comment-16294055
 ] 

Michael Brohl commented on OFBIZ-10047:
---------------------------------------

Hi James, Jacques,

thank you for your efforts on this!

I did a brief review and found the following points to change and/or discuss:

1. The retrieval functionality for the configuration parameter 
"security.login.tomcat.sso" is using a default of "true" when it is not found. 
I'd propose to set this to false because it is a new feature and the old 
behaviour should be the default until the new mechanism is field tested enough.
   
2. There is a possible NullPointerException in OFBizRealm#getPassword when no 
userLogin is found.

3. OFBizRealm#getName() overrides a deprecated method.

4. service userLogin has a new mandatory parameter request. I'm not sure if it 
is a good idea to have a dependency on a request in a service? It will at least 
break the possibility to use it in another context where you do not have a 
request.
It is also not needed for other calls in ICalWorker.java and 
XmlRpcEventHandler.java so it should at least be optional.

5. Question: Is there any possible drawback when using this feature in a load 
balanced/clustered environment? Is it tested in this case?

6. Question: Does this interfere with other SSO solutions we currently have in 
plugins/ldap? 
   Maybe we should also check these and see if these solutions can be 
harmonized?

7. Someone should check this solution from an architectural view.

I appreciate the efforts but I am also in doubt if we should put this feature 
into the new release. It's very fresh, deals with a very central functionality 
and should be field tested more.

What do you think?

> Tomcat SSO
> ----------
>
>                 Key: OFBIZ-10047
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10047
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: James Yong
>            Assignee: James Yong
>            Priority: Minor
>         Attachments: OFBIZ-10047.patch, OFBIZ-10047.patch, OFBIZ-10047.patch, 
> OFBIZ-10047.patch
>
>
> Proposing Tomcat SSO to be used in OFBiz to improve on Single-Sign-On.
> This aims to fix the issues mentioned in OFBIZ-6963, OFBIZ-6994.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
