
Thread: intranet to single sign on to zimbra mail client using soap method. (ZClient)

  1. #1
    hebron is offline New Member

    intranet to single sign on to zimbra mail client using soap method. (ZClient)

    I have an intranet site built with Java which I wish to have single sign on with Zimbra web mail.

    I use ZClient to connect to Zimbra's SOAP service.
    I extract the ZM_AUTH_TOKEN & SessionId.

    I then create a cookie using the ZM_AUTH_TOKEN and I add the cookie to
    the response object.

    The SOAP connection works and I can get info back from the server.
    The cookie is created successfully.

    But even with the cookie, I still keep getting the Zimbra web mail login screen.

    Here is the source code that I am using. Can you tell me what I am doing wrong? No, I do not want to use preauth. So please do not recommend this to me, thanks.


    <code>
    import java.io.*;
    import java.net.*;

    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.io.IOException;
    import com.zimbra.common.service.ServiceException;
    import com.zimbra.cs.service.mail.MailService;
    import com.zimbra.cs.service.account.AccountService;
    import com.zimbra.cs.servlet.ZimbraServlet;
    import com.zimbra.cs.util.Zimbra;
    import com.zimbra.soap.Element;
    import com.zimbra.soap.SoapFaultException;
    import com.zimbra.soap.SoapHttpTransport;
    import com.zimbra.soap.ZimbraSoapContext;

    /**
     *
     * @author
     */
    public class ZimbraLogin {

        /** Creates a new instance of ZimbraLogin */
        public ZimbraLogin(HttpServletRequest request, HttpServletResponse response) {
            SoapHttpTransport trans = null;
            Element zresponse = null;
            Element zrequest = null;
            String authToken = null;
            String sessionId = null;
            try {
                // SOAP endpoint of the Zimbra account service
                trans = new SoapHttpTransport("https://my.zimbrahost.com" + ZimbraServlet.USER_SERVICE_URI);

                // Build the AuthRequest from the credentials kept in the intranet session
                zrequest = Element.XMLElement.mFactory.createElement(AccountService.AUTH_REQUEST);
                zrequest.addAttribute(AccountService.E_ACCOUNT, (String) request.getSession().getAttribute("id") + "@my.zimbrahost.com", Element.DISP_CONTENT);
                zrequest.addAttribute(AccountService.E_PASSWORD, (String) request.getSession().getAttribute("password"), Element.DISP_CONTENT);
                zresponse = trans.invoke(zrequest);

                // Pull the auth token and the optional session id out of the AuthResponse
                authToken = zresponse.getAttribute(AccountService.E_AUTH_TOKEN);
                sessionId = zresponse.getAttribute(ZimbraSoapContext.E_SESSION_ID, null);

                // Reuse both on this transport for any further SOAP calls
                trans.setAuthToken(authToken);
                if (sessionId != null) {
                    trans.setSessionId(sessionId);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }

            // Authentication failed: there is no token to hand to the browser
            if (authToken == null) {
                return;
            }

            // No domain is set, so the browser scopes this cookie to the host
            // that served this response
            Cookie authCookie = new Cookie("ZM_AUTH_TOKEN", authToken);
            authCookie.setPath("/");
            response.addCookie(authCookie);
        }
    }
    </code>
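
The servlet above adds ZM_AUTH_TOKEN to the intranet site's own response, so the browser's cookie scoping rules decide whether that cookie is ever sent to my.zimbrahost.com. As an added example (not code from this thread or from Zimbra), the class below models the domain-matching part of those rules; the class and method names and the two intranet hostnames are hypothetical, and public-suffix, path and Secure checks are not modeled.

```java
import java.util.Locale;

public class CookieScopeCheck {

    /** RFC 6265 domain-match: equal, or host is a subdomain of domain. */
    static boolean domainMatches(String host, String domain) {
        host = host.toLowerCase(Locale.ROOT);
        domain = domain.toLowerCase(Locale.ROOT);
        if (host.equals(domain)) {
            return true;
        }
        // Crude IP-literal test: IP addresses only ever match exactly.
        boolean isIp = host.matches("[0-9.]+") || host.contains(":");
        return !isIp && host.endsWith("." + domain);
    }

    /**
     * @param setByHost   host whose response carried the Set-Cookie header
     * @param domainAttr  value given to Cookie.setDomain(), or null if never called
     * @param requestHost host the browser is about to contact
     */
    static boolean browserWouldSend(String setByHost, String domainAttr, String requestHost) {
        if (domainAttr == null) {
            // Host-only cookie: returned only to the exact host that set it.
            return requestHost.equalsIgnoreCase(setByHost);
        }
        String domain = domainAttr.startsWith(".") ? domainAttr.substring(1) : domainAttr;
        // A server may set cookies only for its own host or a parent domain;
        // anything else is discarded by the browser.
        if (!domainMatches(setByHost, domain)) {
            return false;
        }
        return domainMatches(requestHost, domain);
    }

    public static void main(String[] args) {
        String zimbra = "my.zimbrahost.com";            // host named in the post
        String other = "intranet.example.com";          // hypothetical unrelated intranet host
        String sibling = "intranet.zimbrahost.com";     // hypothetical host under the same parent

        System.out.println("no domain, unrelated host:   " + browserWouldSend(other, null, zimbra));
        System.out.println("foreign domain attribute:    " + browserWouldSend(other, zimbra, zimbra));
        System.out.println("no domain, sibling host:     " + browserWouldSend(sibling, null, zimbra));
        System.out.println("parent domain, sibling host: " + browserWouldSend(sibling, "zimbrahost.com", zimbra));
    }
}
```

A cookie scoped to a parent domain is sent to every host under that domain, so each of those hosts can read the mail auth token.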

  2. #2
    JoshuaPrismon is offline Zimlet Guru & Moderator

    I think you might want to look at the Pre-Auth stuff rather than using Z-client (someone at Zimbra can validate this for me). IIRC, the authorization token is stored both in the cookie and in a JavaScript session variable. That variable protects against the kind of Ajax injection attacks we saw earlier.

    There is also a 5.0 interface for custom authentication.

  3. #3
    hebron is offline New Member

    preauth

    I see the benefits of preauth. But it does not lend itself well to a multi-server
    environment spread across multiple timezones.

  4. #4
    hebron is offline New Member

    JavaScript session variable

    Please tell me more about this JavaScript session variable.

  5. #5
    JoshuaPrismon is offline Zimlet Guru & Moderator

    Quote Originally Posted by hebron
    Please tell me more about this JavaScript session variable.

    It exists inside of the Zimbra instance itself. I am sure there is some way to force a relogin with cookies, but I don't know exactly how Zimbra manages that. I would look at the first JSPs that load to see how they look at the cookies.
