#1
Old 08-06-2008, 02:18 AM
Junior Member
 
Posts: 7
Getting user authentication data in zimlet JSP

Hello,

I am using Zimbra 5.0.8 and I want to integrate it with an existing system that requires authentication before allowing access to the services that it provides. Therefore when I make a request in a zimlet's JSP file, I need the username and the password of the currently authenticated user.

I have configured the external system to have the same authentication data as Zimbra, and therefore all the accounts configured in Zimbra also exist and can be used in the external system.

Now the problem is that when I make the request from the Zimlet JSP I need the current user's authentication data (username+password). How can I get this data?

I mention that I read the zimlet whitedraft and the zimlet developer wiki pages. I also investigated the session that is available in the JSP, but to no avail.

Thank you in advance for any answer that I will receive.
Bogdan
#2
Old 08-06-2008, 03:59 AM
Intermediate Member
 
Posts: 15
you will never get it

The password is not stored within Zimbra, so you will never be able to retrieve the password in clear text....

You will likely have to create a secret session first, associate that session with the individual Zimbra mailbox, and from your external app you can check the session for authentication purposes.
#3
Old 08-06-2008, 05:58 AM
Junior Member
 
Posts: 7

Thank you very much for your response.

I don't think I got your solution completely. My intention is to get the username and the password in any form (clear text or digest) because then I can configure the external system to correctly authenticate requests.

So I still think that there must be a way in the zimlet's JSP to get the currently authenticated user (after all, the JSP is invoked in the current user's session, so it is natural to think that I should be able to get that).
#4
Old 08-06-2008, 07:47 AM
Junior Member
 
Posts: 7

Ok, here I got more information by looking in Zimbra's sources:

The login is performed in Zimbra in com.zimbra.cs.taglib.tag.LoginTag (the ZimbraTagLib project). The WebRoot/public/login.jsp page is where the actual login tag is used (this page is for both displaying the login page and processing the user's username+password).

However, it doesn't seem that this page is placing this data anywhere accessible (like in the session or something).

Nevertheless, I fixed half of the problem: I got the username using the following JavaScript code:

Code:
appCtxt.get(ZmSetting.USERNAME)

This will provide the username. Now I only need to find the password of the user.
#5
Old 08-11-2008, 12:21 PM
Intermediate Member
 
Posts: 17
Password is not available...nor should it be

I am getting the user's account name with the following method:
var userId = appCtxt.getActiveAccount().getEmail();

As sam_gennux explains above, the password is not available. You do not want the password exposed in the client JavaScript code.

We are dealing with the same issue. Somehow, we need to authenticate with another system to perform a single sign-on operation. It does not look like this is something that we will be able to accomplish safely from the zimlet itself, without creating a security hole. If you have not figured out a solution within a week or two, feel free to e-mail me, and I will let you know if we were able to get our solution working.

jadams at q90 dot com.
#6
Old 11-10-2008, 01:10 AM
New Member
 
Posts: 4

Hello everybody,

I'm developing a zimlet to implement a certain functionality with Asterisk over Zimbra. In order to complete the zimlet, we need to recover some information (added by us) from the Zimbra LDAP. It would be good to have some kind of JSP tag to do so, but it's fairly easy to recover that information using standard Java calls with the naming library. The problem comes from the need of knowing which user is making the request within the JSP of my zimlet, so that it can perform a search in Zimbra's LDAP. I want to stress that I don't need the password, only the username.

As I've seen previously in this post, you can recover the username from JavaScript code, but I'm not completely satisfied, as I think this kind of information is somehow sensitive, and shouldn't be left to be recovered on the client side. Due to the lack of information, I've tried to find by myself information regarding the user inside the session and request params and attributes, with no luck at all (nothing that I found).

Does this mean that I have to leave to the client side (JS) the functionality to identify the username making the request?

Thanks in advance, and greetings.
#7
Old 11-11-2008, 09:53 AM
Project Contributor
 
Posts: 31
Single Signon

I too am building a Zimlet that requires authentication. Right now I use the User Properties to store the User name and Password. However the information is stored in LDAP in clear text. I would like to have a single signon solution with Zimbra. My Application and Zimbra use the same LDAP store for authentication. I am hoping someone has come up with a single signon solution we can use with Zimbra. Has anyone done this??

Thanx Joe
#8
Old 11-13-2008, 05:35 PM
Moderator
 
Posts: 75

We've got single signon using CAS, but it's non-trivial to implement a CAS infrastructure. We already had it though, and we were able to add Zimbra into it. Our other Web apps are CASified, making it transparent to jump back and forth.
__________________
Steve Hillman
IT Architect
Simon Fraser University
#9
Old 11-14-2008, 01:17 AM
Project Contributor
 
Posts: 31
CAS Implementation

Would it be possible to see your CAS implementation in a Zimlet?? This would be an option for me
#10
Old 11-22-2008, 12:44 PM
Project Contributor
 
Posts: 67

There are safe ways to get and assume the user's identity in JSP via a SOAP call in a Zimlet. I wouldn't rely on the appCtxt.get(ZmSetting.USERNAME) call in JavaScript as this could potentially be spoofed.

Instead, I use a combination of methods that rely on a few things:

1) That Zimbra will not serve a .JSP page without a valid ZM_AUTH_TOKEN.
2) That you can get the user's name with a valid ZM_AUTH_TOKEN.
3) That you can limit access to external pages by IP address.

For instance, to validate a specific user, we:

1) Check for a ZM_AUTH_TOKEN in a Zimlet .JSP.
2) If the cookie exists, do a "GetInfoRequest" call to the Zimbra SOAP interface using that user's credentials.
3) Lock down the external code to only accept requests from the Zimbra server.

Here is the code we use to do the GetInfoRequest, to validate the user:

Code:
import com.zimbra.common.soap.Element;
import com.zimbra.common.soap.SoapHttpTransport;

// Get the user attached to this auth cookie (soapurl and authcookie are set earlier in the page)
SoapHttpTransport trans = new SoapHttpTransport(soapurl);
trans.setAuthToken(authcookie);
// GetInfoRequest in the urn:zimbraAccount namespace answers with the account that owns the token
Element trequest = Element.XMLElement.mFactory.createElement("GetInfoRequest").addAttribute("xmlns", "urn:zimbraAccount");
Element tresponse = trans.invoke(trequest);   // throws ServiceException/IOException if the token is rejected
// <name> carries the account name; getText() returns its text, not the XML of the element
String user = tresponse.getElement("name").getText();

Although this method doesn't pass the user's credentials directly to the external page, it ensures that the request is from a valid user and that it is being called from the Zimbra server itself.

-Rob
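The three steps Rob describes (read the ZM_AUTH_TOKEN cookie in the zimlet JSP, confirm it with a GetInfoRequest over SOAP, and have the external application accept only requests from the Zimbra server) put together as one Java helper. This is an added example, not code from the thread or from Zimbra; the class name ZimletAuth, the soapUrl value, the allowedAddrs set and the Servlet API usage are assumptions, and it uses the same Zimbra SOAP classes (SoapHttpTransport, Element) as the snippet above.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.soap.Element;
import com.zimbra.common.soap.SoapHttpTransport;

/** Resolves the Zimbra account behind a request by validating its ZM_AUTH_TOKEN server-side (hypothetical helper). */
public final class ZimletAuth {
    // Assumed SOAP endpoint of the local Zimbra server, e.g. "https://mail.example.com/service/soap"
    private final String soapUrl;

    public ZimletAuth(String soapUrl) {
        this.soapUrl = soapUrl;
    }

    /** Step 1: return the ZM_AUTH_TOKEN cookie value, or null when the request carries none. */
    static String authTokenFrom(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if ("ZM_AUTH_TOKEN".equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Step 2: ask Zimbra who owns the token; null means the token was rejected or the call failed. */
    String accountNameFor(String authToken) {
        SoapHttpTransport trans = new SoapHttpTransport(soapUrl);
        try {
            trans.setAuthToken(authToken);
            Element req = Element.XMLElement.mFactory.createElement("GetInfoRequest")
                    .addAttribute("xmlns", "urn:zimbraAccount");
            Element resp = trans.invoke(req);
            // GetInfoResponse/<name> is the account name of the token's owner
            return resp.getElement("name").getText();
        } catch (ServiceException e) {
            // expired or forged token (AUTH_EXPIRED, AUTH_REQUIRED, ...): treat as unauthenticated
            return null;
        } catch (IOException e) {
            // transport failure: fail closed rather than trusting anything client-supplied
            return null;
        } finally {
            trans.shutdown();
        }
    }

    /** Steps 1 and 2 as a zimlet JSP would call them; a null result means "do not serve this page". */
    public String authenticatedUser(HttpServletRequest req) {
        String token = authTokenFrom(req);
        return token == null ? null : accountNameFor(token);
    }

    /** Step 3, for the external application: accept only requests whose peer is the Zimbra server. */
    public static boolean fromAllowedHost(HttpServletRequest req, Set<String> allowedAddrs) {
        // compare the socket peer address, never a client-supplied header such as X-Forwarded-For
        return allowedAddrs.contains(req.getRemoteAddr());
    }
}
```

In the zimlet JSP this reduces to `String user = new ZimletAuth(soapUrl).authenticatedUser(request);` followed by a refusal (for example `response.sendError(401)`) when `user` is null; the external application applies `fromAllowedHost(request, allowedAddrs)` before trusting the user name it receives. The identity is established by Zimbra answering the SOAP call with the token, not by anything the browser sends, which is why the client-side `appCtxt` values are not consulted at all.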