[Opensource] Single sign on
avidfly
avidfly at free.fr
Thu Dec 4 11:45:34 PST 2003
Hello,
I don't see the improvement this brings compared to a classic cookie, can
you enlighten me a bit more ...
Thanks
----- Original Message -----
From: <pierre.damas at damas.be>
To: <opensource at jcorporate.com>
Sent: Thursday, December 04, 2003 5:25 PM
Subject: Re: [Opensource] Single sign on
> Have a look at the CAS (Central Authentication Service) of Yale University.
>
> http://www.yale.edu/tp/auth/
>
> Basically, it is a web application with a logon page to which your
> application redirects (on HTTPS) the user browser if he has no session and
> no token.
> This Authentication service authenticates the user (with a PasswordHandler
> that you can develop yourself to suit your needs), then redirects (on
> authentication success) to the initial application url, providing as
> parameter a one-time token containing no user identity information. Your
> application, if the user has no session and a token, connects via HTTPS to
> the CAS server, and asks whose token it is. The application server provides
> the userid, and invalidates the token so that it cannot be reused. So the
> window of possibility of replaying the authentication is very short (<5 sec)
> (After that time, the CAS invalidates the token anyway).
>
> The Authentication Service also creates an SSO cookie, which is a secure
> (only sent on HTTPS), session (dies when user closes his browser) server
> (only sent to the CAS server) cookie. If this cookie is present when the
> application redirects the browser to the CAS, the CAS bypasses the login
> page presentation and directly redirects to the application with the token -
> so automatic single sign-on for the user.
>
> The CAS comes with several CAS "clients", the most interesting for you being
> a filter to put in your web.xml with some configuration URLs. Works nicely.
>
> The hardest configuration part is to get or create a certificate for SSL on
> the CAS server, and to ensure that the calling application trusts that
> certificate (make sure that its Certification Authority is in the keystore
> of your application, or import the certificate itself to trust it).
>
> And of course, it is Open Source.
>
> Pierre A.
>
> P.S. Amongst the other clients, there is an ISAPI filter (that I have not
> checked yet), and an Apache module, allowing to use your single sign-on on
> other server technologies or with static restricted sites. There are also
> examples for other web technologies (asp, perl, python) so that you can have
> a real single sign-on at your customer's site (at least for all web
> applications, not only Java webapps)
>
> ----- Original Message -----
> From: "larry hamel" <expresso at codeguild.com>
> To: <opensource at jcorporate.com>
> Sent: Monday, December 01, 2003 6:19 AM
> Subject: Re: [Opensource] Single sign on
>
>
> >
> > can you say a bit more?
> >
> > do you have an LDAP directory or a DB that can be accessed by all systems
> > which need sign on?
> >
> > larry
> >
> > At 10:48 AM 11/30/2003, you wrote:
> > >Hi Everybody,
> > >
> > > I am looking for somebody that has implemented single sign
> > >preferably with Expresso. I am thinking about taking that route in some
> > >Expresso code that I am about to undertake, and I have some questions
> > >about the design and what are the gotchas that I have to watch out for.
> > >Thanks in advance.
> > >
> > >-Tino
> > >
> > >_______________________________________________
> > >Opensource mailing list
> > >Opensource at jcorporate.com
> > >http://mail.jcorporate.com/mailman/listinfo/opensource
> > >Archives: http://mail.jcorporate.com/pipermail/opensource/
> >
>
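To make the ticket exchange Pierre describes concrete, here is an added Python model of the CAS server side (not CAS's own code, and not from anyone in this thread): a session-scoped SSO cookie that bypasses the login page, an opaque one-time ticket that is consumed on its first validation and rejected after the 5-second window, and a check that the ticket is validated by the service it was issued for. The "alice" credentials, the service URL and the fake clock are constructed for the walk-through.

```python
import secrets

TICKET_TTL_SECONDS = 5  # the "<5 sec" replay window mentioned in the thread

class CasServer:
    """Toy model of the CAS server side: login, SSO cookie, one-time service tickets.
    Transport (HTTPS, redirects) is left out; only the ticket semantics are modelled."""

    def __init__(self, password_handler, now):
        self.password_handler = password_handler  # callable(user, password) -> bool
        self.now = now                            # clock function, injectable for tests
        self.sso_sessions = {}                    # SSO cookie value -> userid
        self.tickets = {}                         # ticket -> (userid, service_url, issued_at)

    def login(self, service_url, sso_cookie=None, user=None, password=None):
        """Return (ticket, sso_cookie). A known SSO cookie bypasses the login page."""
        if sso_cookie in self.sso_sessions:
            userid = self.sso_sessions[sso_cookie]
        else:
            if not self.password_handler(user, password):
                raise PermissionError("authentication failed")
            userid = user
            sso_cookie = secrets.token_urlsafe(32)  # session-scoped, CAS-only cookie
            self.sso_sessions[sso_cookie] = userid
        ticket = "ST-" + secrets.token_urlsafe(32)  # opaque: carries no identity itself
        self.tickets[ticket] = (userid, service_url, self.now())
        return ticket, sso_cookie

    def validate(self, ticket, service_url):
        """Answer 'whose ticket is this?' once; the ticket is consumed either way."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None  # unknown or already used
        userid, issued_for, issued_at = entry
        if issued_for != service_url or self.now() - issued_at > TICKET_TTL_SECONDS:
            return None  # presented by the wrong service, or outside the replay window
        return userid

def demo():
    """Constructed walk-through: first use, replay, SSO re-login, expiry."""
    clock = [1000.0]
    cas = CasServer(lambda u, p: (u, p) == ("alice", "s3cret"), now=lambda: clock[0])
    app = "https://app.example.test/"           # constructed service URL
    ticket, cookie = cas.login(app, user="alice", password="s3cret")
    first = cas.validate(ticket, app)           # "alice"
    replay = cas.validate(ticket, app)          # None: one-time ticket already consumed
    ticket2, cookie2 = cas.login(app, sso_cookie=cookie)  # no password prompt this time
    clock[0] += TICKET_TTL_SECONDS + 1
    expired = cas.validate(ticket2, app)        # None: replay window closed
    return first, replay, cookie2 == cookie, expired
```

In a real deployment the validate() call is the HTTPS request from the application to the CAS server, which is why the trust of the CAS certificate matters so much.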