portals-jetspeed-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roger Ruttimann <roger.ruttim...@earthlink.net>
Subject Re: Silent authentication
Date Sun, 01 Jan 2006 22:25:37 GMT
The SSO component in Jetspeed can't be used for login but for getting 
authenticated for links and content accessed within Jetspeed. SSO 
credential are assigned to Jetspeed users/groups which allow transparent 
authentication of content/external URL's depending on the user.


Raphaƫl Luta wrote:

>Guillaume wrote:
>>all the facilities are here. 
>>  If the password is false, J2 increments counter for disable his... 
>>  This is a solution for not seeing another connection to do. 
>>  In my case : 
>>  The user log into an intranet... 
>>  The intranet log inton an extranet (J2) with a authentication between intra and
inter following a web sevice which decrypt a String with login/password. 
>>  The client (intranet) doesn't want to have to sign on second time to the extranet
>>  Guillaume
>What you want is a SSO (single sign on) solution. This can be implemented at
>several level:
>- Jetspeed itself has some SSO components although they are designed to allow
>SSO from Jetspeed (ie ytou athenticate into J2 and then you don't need to
>reauthenticate to access remote resources) rather than your use case
>- through a third party SSO provider (Netegrity SiteMinder for commercial,
>mod_sso/CAS for OSS for example)
>- through some simple cookie based system using mod_usertrack of Apache HTTPD
>In all instance, I *strongly* encourage you to use not to use your
>current solution in production as it is very insecure. Putting clear-text
>login/password in URLs is bad : any sniffer will see them, they will
>appear in the log of any proxy between your client and server, they will
>appear in the logs of your server.

To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org

View raw message