#1
08-31-2007, 10:59 AM
New Member
Posts: 3
intranet to single sign on to zimbra mail client using soap method. (ZClient)

I have an intranet site built with java which I wish to have single sign on with zimbra web mail.

I use ZClient to connect to the Zimbra's soap service.
I extract the ZM_AUTH_TOKEN & SessionId.

I then create a cookie using the ZM_AUTH_TOKEN and I add the cookie to
the response object.

The soap connection works and I can get info back from the server.
The cookie is created successfully.

But even with the cookie, I still keep getting the zimbra web mail login screen.

Here is the source code that I am using; can you tell me what I am doing wrong? No, I do not want to use preauth. So please do not recommend this to me, thanks.


<code>
import java.io.*;
import java.net.*;

import javax.servlet.*;
import javax.servlet.http.*;
import com.zimbra.common.service.ServiceException;
import com.zimbra.cs.service.mail.MailService;
import com.zimbra.cs.service.account.AccountService;
import com.zimbra.cs.servlet.ZimbraServlet;
import com.zimbra.cs.util.Zimbra;
import com.zimbra.soap.Element;
import com.zimbra.soap.SoapFaultException;
import com.zimbra.soap.SoapHttpTransport;
import com.zimbra.soap.ZimbraSoapContext;

/**
 *
 * @author
 */
public class ZimbraLogin {

    /** Creates a new instance of ZimbraLogin */
    public ZimbraLogin(HttpServletRequest request, HttpServletResponse response) {
        SoapHttpTransport trans = null;
        Element zresponse = null;
        Element zrequest = null;
        String authToken = null;
        String sessionId = null;
        try {
            // SOAP endpoint of the Zimbra user service
            trans = new SoapHttpTransport("https://my.zimbrahost.com" + ZimbraServlet.USER_SERVICE_URI);

            // Build the AuthRequest from the credentials held in the intranet session
            zrequest = Element.XMLElement.mFactory.createElement(AccountService.AUTH_REQUEST);

            zrequest.addAttribute(AccountService.E_ACCOUNT, (String) request.getSession().getAttribute("id") + "@my.zimbrahost.com", Element.DISP_CONTENT);
            zrequest.addAttribute(AccountService.E_PASSWORD, (String) request.getSession().getAttribute("password"), Element.DISP_CONTENT);
            zresponse = trans.invoke(zrequest);

            // Pull the auth token and the optional session id out of the AuthResponse
            authToken = zresponse.getAttribute(AccountService.E_AUTH_TOKEN);
            sessionId = zresponse.getAttribute(ZimbraSoapContext.E_SESSION_ID, null);

            // Reuse the token and session for later SOAP calls on this transport
            trans.setAuthToken(authToken);
            if (sessionId != null) {
                trans.setSessionId(sessionId);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }

        // Hand the token to the browser as the ZM_AUTH_TOKEN cookie
        // (skipped when authentication failed and no token was returned)
        if (authToken != null) {
            Cookie authCookie = new Cookie("ZM_AUTH_TOKEN", authToken);
            authCookie.setPath("/");
            response.addCookie(authCookie);
        }
    }

}
</code>
#2
09-03-2007, 09:18 AM
Zimlet Guru & Moderator
Posts: 467

I think you might want to look at the Pre-Auth stuff rather than using Z-client (someone at Zimbra can validate this for me). IIRC, the authorization token is stored both in the cookie and in a JavaScript session variable. That variable protects against the kind of Ajax injection attacks we saw earlier.

There is also a 5.0 interface for custom authentication.
#3
09-05-2007, 10:50 AM
New Member
Posts: 3
preauth

I see the benefits of preauth. But it does not lend itself well to a multi-server environment spread across multiple timezones.
#4
09-05-2007, 11:02 AM
New Member
Posts: 3
JavaScript session variable

Please tell me more about this JavaScript session variable.
#5
09-05-2007, 02:33 PM
Zimlet Guru & Moderator
Posts: 467

Quote:
Originally Posted by hebron
Please tell me more about this JavaScript session variable.

It exists inside of the Zimbra instance itself. I am sure there is some way to force a relogin with cookies, but I don't know exactly how Zimbra manages that. I would look at the first JSPs that load to see how they look at the cookies.
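For readers following up on the Pre-Auth suggestion in this thread, here is an added example (not code from any poster or from Zimbra) of how an intranet server builds a preauth redirect URL as Zimbra's preauth documentation describes it: a hex HMAC-SHA1 over `account|by|expires|timestamp`, keyed with the domain's preauth key. The class name, key, account and host are constructed placeholders; the timestamp is milliseconds since the Unix epoch, which is the same value in every time zone.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PreauthUrlExample {

    /** Hex-encoded HMAC-SHA1 of data under the domain preauth key. */
    static String hmacSha1Hex(String key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        // The key string's bytes are used as the HMAC key as-is.
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(data.getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Builds the URL the intranet redirects the browser to. */
    static String preauthUrl(String baseUrl, String key, String account, long timestampMs)
            throws Exception {
        String by = "name";    // the account is identified by its e-mail address
        String expires = "0";  // 0 = use the account's default token lifetime
        // Signed fields, joined with '|' in this fixed order.
        String signed = account + "|" + by + "|" + expires + "|" + timestampMs;
        return baseUrl + "/service/preauth"
                + "?account=" + URLEncoder.encode(account, "UTF-8")
                + "&by=" + by
                + "&timestamp=" + timestampMs
                + "&expires=" + expires
                + "&preauth=" + hmacSha1Hex(key, signed);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholders. The real key comes from the Zimbra domain
        // configuration and must stay server-side, never in page source.
        String key = "PLACEHOLDER_DOMAIN_PREAUTH_KEY";
        String url = preauthUrl("https://my.zimbrahost.com", key,
                "user@my.zimbrahost.com", System.currentTimeMillis());
        System.out.println(url);
    }
}
```

The browser itself requests this URL from the Zimbra host, so the auth cookie is issued by the mail server rather than by the intranet application, and the user's password never has to be kept in the intranet session.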