Re: Single Signon With Different Web Servers -- WEB400

It's quite simple to route a request to another server by adding just a few Apache directives that cause it to act as a reverse proxy for certain urls instead of processing them itself.
A potential drawback is that it always authenticates every request to the other server using the a single set of credentials for a nominated user which must be base64 encoded into one of the reverse proxy directives (which is not difficult)
However if you considering using a custom page on the other server instead of one of the existing pages then you can embed the username as clear text in the url which the custom page could use derive information from the database for that user.

Cheers, Peter

-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Kevin Turner
Sent: Friday, 20 April 2012 7:37 p.m.
To: Web Enabling the AS400 / iSeries
Cc: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] Single Signon With Different Web Servers

That is exactly what we do for single sign-on. It seems to satisfy even the most security conscious/paranoid of clients we have. Usually sent as post data rather than on the URL as a get though.

On 20 Apr 2012, at 01:59, "Nathan Andelin" <nandelin@xxxxxxxxx> wrote:

Paul,

How about embedding the the user ID and password in the URL, but encrypting it? Many encrypting algorithms return binary data which would not be suitable. I handle that by converting binary to base 64. It's still strong encryption. Your application on the other end would obviously need to know how to decode it.

----- Original Message -----
From: "Holm, Paul" <pholm@xxxxxxxxxxxxxxxxx>
To: web400@xxxxxxxxxxxx
Cc:
Sent: Thursday, April 19, 2012 11:41 AM
Subject: [WEB400] Single Signon With Different Web Servers

We have a customer with an existing customer portal solution.
Customer signs in with account number and password to a JBOSS server. This allows
customer to see their account data and other customer information. We
plan to deploy on a new application to a different Tomcat server
within the same network. Customer requires a single signon amongst
the 2 applications. IE... After signing on the 1st JBOSS
application, they want to present a link to the new application but
don't want to make customer enter account number and password again.
The new application needs access to the account number and password in
order to lookup customer equipment and account information. We
obviously need to make sure it is secure and don't want to pass
account numbers and passwords on a URL. We do plan to use SSL.

We are looking for ideas on how to best enable this requirement.

Thanks Paul Holm

www.planetjavainc.com
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To
post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.

NOTICE: The information in this electronic mail transmission is intended by CoralTree Systems Ltd for the use of the named individuals or entity to which it is directed and may contain information that is privileged or otherwise confidential. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email or by telephone, so that the sender's address records can be corrected.

--------------------------------------------------------------------------------

CoralTree Systems Limited
25 Barnes Wallis Road
Segensworth East, Fareham
PO15 5TT

Company Registration Number 5021022.
Registered Office:
12-14 Carlton Place
Southampton, UK
SO15 2EA
VAT Registration Number 834 1020 74.
--
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list To post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/web400.

#####################################################################################

This correspondence is for the named person's use only. It may contain confidential
or legally privileged information, or both. No confidentiality or privilege is waived
or lost by any mistransmission. If you receive this correspondence in error, please
immediately delete it from your system and notify the sender. You must not disclose,
copy or rely on any part of this correspondence if you are not the intended recipient.
Any views expressed in this message are those of the individual sender, except where
the sender expressly, and with authority, states them to be the views of Veda.
If you need assistance, please contact Veda on either :-
Australia 1300-762-207 or New Zealand +64 9 367 6200