Zimbra auth Token in my own service

[chrissi86]

Hello everybody,

I was wondering if I can use the token to authenticate a user in my own application.

Basicly I have a Zimlet which should connect to a REST-Webservices which is protected (with Spring Security). To access this webservice the user needs the same credentials as for the zimbra server. So I thought perhaps I can use the Zimbra-auth-token to authenticate the user in the webapp. Unfortunately I couldn't find any information about this topic. I hope someone has a suggestion

Thanks
Christian

Ps I'm not sure if this is the right sub-forum

[yutaka]

Hi

I think there are several ways to do that.

One is that your own web app send SOAP/HTTP AuthRequest with the zimbra auth token to Zimbra Server and make them check if that is valid or not.

Or

You can implement AuthToken validation logic in your own web app.
protected ZimbraAuthToken(String encoded) method in com.zimbra.cs.account.ZimbraAuthToken.java
looks the validation logic.
So maybe you can copy that or use that function.

[chrissi86]

Thank you for your response

Unfortunately I had many other things to do in the last weeks. So I can try your ideas only now. Probably I will look in the source code to see how the developers have implemented the AuthToken validation and then decide which alternative I take.

Many greetings
Christian

[chrissi86]

Now I have downloaded the source code of the relevant classes and I understand the main part.
Accidentally I find the blog posting from Vishal Mahajan about zimbra server extensions here. It was very interesting because it was exactly what I was looking for. The advantage would be that I do not have to use a proxy for the ajax of my zimlet. Now I was wandering if it would be possible to activate an authentication for my httpListener with less effort.

Thank you very much
Christian

Should I open a new topic in another forum?

[yutaka]

Oh, then your own app can be on Zimbra's web application server(Jetty).
I assumed that your own app is on your own farm, which is built on your own web application server.

Now you have source code, so you can see LoginTag class in com.zimbra.cs.taglib.tag.

ZMailbox mbox = ZMailbox.getMailbox(options);

This line is doing some things including authentication.
So you can copy that or you can look into ZMailbox picking up some of them.

[chrissi86]

I first thaught that I have to host it on an external Server but I did not know what is all possible with zimbra (I did not exactly know server extensions) and so it is easier to connect the zimlet with my http-service.
I have looked at the LoginTag but I found a solution which is a little bit more elegant. With the ExtensionDispatcherServlet (which you need for register the service) you can get the authToken of the actual request. And with this token you can see if the user has authorization (or not).

Code:

 AuthToken token =ExtensionDispatcherServlet.getAuthTokenFromHttpReq(req, false);

I think this is enough for me at first. The Taglib is perhaps a little bit too complicated for this purpose.

Thank you very much yutaka. A good community around a project is so helpful
Christian

Ps. How can I mark this thread as "[SOLVED]"?

[yutaka]

I also looked into your solution.

I have never tried before. But looks like it works for you.
And you are absolutely right that it is more elegant than mine!!

It is great to have a discussion here with you.

BTW, I do not know how to make this "[solved]".

Thank you