Page 1 of 2
Results 1 to 10 of 14

Thread: Getting user authentication data in zimlet JSP

  1. #1
    bogdan.mocanu, Junior Member (joined Aug 2008, 7 posts)

    Getting user authentication data in zimlet JSP

    Hello,

    I am using Zimbra 5.0.8 and I want to integrate it with an existing system that requires authentication before allowing access to the services that it provides. Therefore when I make a request in a zimlet's JSP file, I need the username and the password of the currently authenticated user.

    I have configured the external system to have the same authentication data as Zimbra, and therefore all the accounts configured in Zimbra also exist and can be used in the external system.

    Now the problem is that when I make the request from the Zimlet JSP I need the current user's authentication data (username+password). How can I get this data?

    I mention that I read the zimlet whitedraft and the zimlet developer wiki pages. I also investigated the session that is available in the JSP, but to no avail.

    Thank you in advance for any answer that I will receive.
    Bogdan

  2. #2
    sam_gennux, Intermediate Member (joined Jun 2008, 15 posts)

    you will never get it

    The password is not stored within Zimbra, so you will never be able to retrieve the password in clear text.

    You will likely have to create a secret session first, associate that session with the individual Zimbra mailbox, and from your external app you can check the session for authentication purposes.

  3. #3
    bogdan.mocanu, Junior Member (joined Aug 2008, 7 posts)

    Thank you very much for your response.

    I don't think I got your solution completely. My intention is to get the username and the password in any form (clear text or digest) because then I can configure the external system to correctly authenticate requests.

    So I still think that there must be a way in the zimlet's JSP to get the currently authenticated user (after all, the JSP is invoked in the current user's session, so it is natural to think that I should be able to get that).

  4. #4
    bogdan.mocanu, Junior Member (joined Aug 2008, 7 posts)

    Ok, here I got more information by looking in Zimbra's sources:

    The login is performed in Zimbra in com.zimbra.cs.taglib.tag.LoginTag (the ZimbraTagLib project). The WebRoot/public/login.jsp page is where the actual login tag is used (this page is for both displaying the login page and processing the user's username+password).

    However, it doesn't seem that this page places this data anywhere accessible (like in the session or somewhere similar).

    Nevertheless, I fixed half of the problem: I got the username using the following JavaScript code:

    Code:
    appCtxt.get(ZmSetting.USERNAME)

    This will provide the username. Now I only need to find the password of the user.

  5. #5
    DarthJader, Intermediate Member (joined May 2008, 17 posts)

    Password is not available... nor should it be

    I am getting the user's account name with the following method:
    var userId = appCtxt.getActiveAccount().getEmail();

    As sam_gennux explains above, the password is not available. You do not want the password exposed in the client javascript code.

    We are dealing with the same issue. Somehow, we need to authenticate with another system to perform a single sign-on operation. It does not look like this is something that we will be able to accomplish safely from the zimlet itself, without creating a security hole. If you have not figured out a solution within a week or two, feel free to e-mail me, and I will let you know if we were able to get our solution working.

    jadams at q90 dot com.

  6. #6
    pgonzalez, New Member (joined Oct 2008, 4 posts)

    Hello everybody,

    I'm developing a zimlet to implement a certain functionality with Asterisk over Zimbra. In order to complete the zimlet, we need to recover some information (added by us) from the Zimbra LDAP. It would be good to have some kind of JSP tag to do so, but it's fairly easy to recover that information using standard Java calls with the naming library. The problem comes from the need of knowing which user is making the request within the JSP of my zimlet, so that it can perform a search in Zimbra's LDAP. I want to stress that I don't need the password, only the username.

    As I've seen previously in this post, you can recover the username from JavaScript code, but I'm not completely satisfied, as I think this kind of information is somehow sensitive, and shouldn't be left to be recovered on the client side. Due to the lack of information, I've tried to find by myself information regarding the user inside the session and request params and attributes, with no luck at all (nothing that I found).

    Does this mean that I have to leave to the client side (JS) the functionality to identify the username making the request?

    Thanks in advance, and greetings.

  7. #7
    jfavero, Project Contributor (joined Jan 2007, 31 posts)

    Single Signon

    I too am building a Zimlet that requires authentication. Right now I use the User Properties to store the User name and Password. However the information is stored in LDAP in clear text. I would like to have a single signon solution with Zimbra. My Application and Zimbra use the same LDAP store for authentication. I am hoping someone has come up with a single signon solution we can use with Zimbra. Has anyone done this??

    Thanx Joe

  8. #8
    hillman, Moderator (joined May 2007, Vancouver, Canada, 75 posts)

    We've got single signon using CAS, but it's non-trivial to implement a CAS infrastructure. We already had it though, and we were able to add Zimbra into it. Our other Web apps are CASified, making it transparent to jump back and forth.
    Steve Hillman
    IT Architect
    Simon Fraser University

  9. #9
    jfavero, Project Contributor (joined Jan 2007, 31 posts)

    CAS Implementation

    Would it be possible to see your CAS implementation in a Zimlet? This would be an option for me.

  10. #10
    ab5602, Project Contributor (joined Nov 2007, Detroit, MI, 67 posts)

    There are safe ways to get and assume the user's identity in a JSP via a SOAP call in a Zimlet. I wouldn't rely on the appCtxt.get(ZmSetting.USERNAME) call in JavaScript, as this could potentially be spoofed.

    Instead, I use a combination of methods that rely on a few things:

    1) That Zimbra will not serve a .JSP page without a valid ZM_AUTH_TOKEN.
    2) That you can get the user's name with a valid ZM_AUTH_TOKEN.
    3) That you can limit access to external pages by IP address.

    For instance, to validate a specific user, we:

    1) Check for a ZM_AUTH_TOKEN in a Zimlet .JSP.
    2) If the cookie exists, do a "GetInfoRequest" call to the Zimbra SOAP interface using that user's credentials.
    3) Lock down the external code to only accept requests from the Zimbra server.

    Here is the code we use to do the GetInfoRequest, to validate the user:

    Code:
    import com.zimbra.common.soap.Element;
    import com.zimbra.common.soap.SoapHttpTransport;
    // Get the user attached to this auth cookie: authcookie is the ZM_AUTH_TOKEN value, soapurl the server's SOAP endpoint
    SoapHttpTransport trans = new SoapHttpTransport(soapurl);
    trans.setAuthToken(authcookie);
    String user;
    try {
        // GetInfoRequest (urn:zimbraAccount) answers for the account the token was issued to; invoke() throws ServiceException if the token is invalid or expired
        Element trequest = Element.XMLElement.mFactory.createElement("GetInfoRequest").addAttribute("xmlns", "urn:zimbraAccount");
        Element tresponse = trans.invoke(trequest);
        user = tresponse.getElement("name").getText();   // <name> holds the account's e-mail address; toString() would return the XML, not the text
    } finally {
        trans.shutdown();   // release the HTTP client
    }

    Although this method doesn't pass the user's credentials directly to the external page, it ensures that the request is from a valid user and that it is being called from the Zimbra server itself.

    -Rob
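The cookie-to-identity check described in Rob's post, as an added Python example that is neither part of the thread nor Zimbra's own code: it reads ZM_AUTH_TOKEN out of the request's Cookie header, builds the GetInfoRequest SOAP envelope with the token in the urn:zimbra context header, parses the GetInfoResponse, treats a SOAP fault (for example service.AUTH_EXPIRED) or unparsable reply as "not authenticated", and refuses requests whose source address is not the Zimbra server. The token values, the account name, the 192.0.2.10 server address and the fake_post transport are constructed for the example; http_transport is the transport you would hand in against a real https://host/service/soap endpoint.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
ZIMBRA_NS = "urn:zimbra"          # <context>/<authToken> header and fault <Error>/<Code>
ACCOUNT_NS = "urn:zimbraAccount"  # GetInfoRequest / GetInfoResponse


class ZimbraAuthError(Exception):
    """The server did not vouch for the token (SOAP fault or malformed reply)."""


def auth_token_from_cookie_header(cookie_header):
    """Value of the ZM_AUTH_TOKEN cookie in a raw Cookie: header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("ZM_AUTH_TOKEN")
    return morsel.value if morsel is not None and morsel.value else None


def build_get_info_request(auth_token):
    """SOAP 1.2 envelope; the token rides in the urn:zimbra context header, so the
    server answers GetInfoRequest for whichever account the token was issued to."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'<context xmlns="{ZIMBRA_NS}"><authToken>{escape(auth_token)}</authToken></context>'
            f'</soap:Header><soap:Body><GetInfoRequest xmlns="{ACCOUNT_NS}"/></soap:Body>'
            '</soap:Envelope>')


def parse_get_info_response(xml_text):
    """Account name from GetInfoResponse; ZimbraAuthError carrying the fault code otherwise."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ZimbraAuthError("no SOAP Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        # Zimbra's own code (service.AUTH_EXPIRED, service.AUTH_REQUIRED, ...) sits in Detail/Error/Code
        code = fault.find(f".//{{{ZIMBRA_NS}}}Code")
        raise ZimbraAuthError(code.text if code is not None and code.text else "unknown fault")
    name = body.find(f"{{{ACCOUNT_NS}}}GetInfoResponse/{{{ACCOUNT_NS}}}name")
    if name is None or not name.text:
        raise ZimbraAuthError("GetInfoResponse without <name>")
    return name.text


def classify(xml_text):
    """('ok', account) or ('fault', reason); keep the reason for your logs."""
    try:
        return ("ok", parse_get_info_response(xml_text))
    except (ZimbraAuthError, ET.ParseError) as exc:
        return ("fault", str(exc))


def resolve_user(cookie_header, post):
    """Account behind the request's ZM_AUTH_TOKEN cookie, or None. post(xml) -> xml is the transport."""
    token = auth_token_from_cookie_header(cookie_header)
    if token is None:
        return None
    status, result = classify(post(build_get_info_request(token)))
    return result if status == "ok" else None


def authorize(remote_addr, cookie_header, post, allowed_peers):
    """Only the Zimbra server may reach the external page at all; then the token must check out."""
    if remote_addr not in allowed_peers:
        return None
    return resolve_user(cookie_header, post)


def http_transport(soap_url):
    """Transport for https://<zimbra-host>/service/soap. Zimbra returns SOAP faults
    with HTTP 500, so the error body is handed back for parsing instead of raised."""
    def post(xml_text):
        req = urllib.request.Request(soap_url, data=xml_text.encode("utf-8"),
                                     headers={"Content-Type": "application/soap+xml; charset=utf-8"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8")
    return post


# Constructed stand-in for the Zimbra server: one live token, every other token expired.
VALID_TOKENS = {"0_constructedtoken_69643d33363a": "bogdan@example.com"}
ZIMBRA_SERVERS = {"192.0.2.10"}  # constructed address of the Zimbra host


def fake_post(request_xml):
    token_el = ET.fromstring(request_xml).find(f".//{{{ZIMBRA_NS}}}authToken")
    account = VALID_TOKENS.get(token_el.text if token_el is not None else None)
    header = f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header><context xmlns="{ZIMBRA_NS}"/></soap:Header>'
    if account is not None:
        return (header + f'<soap:Body><GetInfoResponse xmlns="{ACCOUNT_NS}"><name>{account}</name>'
                '</GetInfoResponse></soap:Body></soap:Envelope>')
    return (header + '<soap:Body><soap:Fault><soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>'
            '<soap:Reason><soap:Text>auth credentials have expired</soap:Text></soap:Reason>'
            f'<soap:Detail><Error xmlns="{ZIMBRA_NS}"><Code>service.AUTH_EXPIRED</Code></Error></soap:Detail>'
            '</soap:Fault></soap:Body></soap:Envelope>')
```

Calling `authorize("192.0.2.10", "ZM_AUTH_TOKEN=0_constructedtoken_69643d33363a", fake_post, ZIMBRA_SERVERS)` yields the account name, while a stale token, a missing cookie, or a caller outside ZIMBRA_SERVERS all yield None. In production, replace fake_post with `http_transport("https://zimbra.example.org/service/soap")` and allowed_peers with the real server address; the IP check is what keeps an arbitrary client from replaying its own token at the external page directly.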
