
How do I implement a single sign-on for different ColdFusion applications running on the same server?

Developer https://www.devze.com 2023-04-05 00:29 Source: web
I have multiple CF applications running on the same server under the same domain name. One of them, let's call it Portal, is intended to be the single sign-on for the other applications, which let's call Atlas and P-Body. Normally you would set some variables in the session scope to handle login info:

function Login()
{
    session.auth = structNew();
    session.auth.isLoggedIn = true;
    session.auth.id = GetCurrentUserId();
}

But the session scope is only shared within one application, not the entire server. This means that any user who logs into Portal will stay logged in, but if they try to navigate to Atlas or P-Body, they will have to sign in again.

In this case, how would I 'share' the session scope so that all the applications on a server can get access to it? The only way I've been able to come up with is to use client variables and set a data store so that it's shared between applications. Then the code becomes:

function Login()
{
    client.auth = structNew();
    client.auth.isLoggedIn = true;
    client.auth.id = GetCurrentUserId();
}

function Logout()
{
    structDelete(client, "auth");
}

The thing to watch out for here is that, because the client variable is not cleared on session end, we have to manually clear it in the OnSessionEnd handler.

Is this the best way of handling single sign-on in ColdFusion? If so, are there any drawbacks to using the client variable, or pitfalls to watch out for?

Update: I just tested the client variable method and it looks like only the hitcount, timecreated, lastvisit, and urltoken are shared between applications, so I'm back to square 1.


Posting this as the answer given new information.

Caveat

Ensure that all of the applications have either a) unique application scope names for persistent variables, or b) all application scope variables for the same purpose are named the same.


Alright, with that out of the way, if all of your applications are on a single domain in subfolders, then set this.name or the name attribute of cfapplication to the same value, and all of the applications will share the same session and application scope variables. This will ensure that if you use session.loggedin in one app, that same session.loggedin variable will be available to all applications with the same name under that domain.

You just have to test carefully to make sure that you don't end up using Application.LoginService in Portal for your LoginService.cfc, and Application.LoginService in Atlas for either a different LoginService.cfc, or a completely different purpose altogether.


Single Sign On (SSO) is not an easy thing to do and there are several very expensive products out there that help to prove that.

Fortunately, there are some free OSS projects out there as well.

There are also many other considerations with SSO that make its implementation difficult, like how do you handle it when a user clicks "Log off" on one of the sites? Do you log them out of all of them? If so, how?

If you want to do SSO right, you need to look at using an SSO solution, like Shibboleth (FOSS), or Atlassian Crowd (Reasonably priced commercial solution).

If you do not have the resources to use an SSO product like those above, then you will end up hacking around the current security restrictions that make SSO so difficult.


You're very close with the client variable solution.

Set up a remote database that all applications can speak to, either through the DSN, or through another single point of entry (ie. a WebService)

Decide on a common way to identify users across all your applications (ie. come up with your own unique sessionid, perhaps based off of CFID/CFTOKEN, CreateUUID(), or anything else you can guarantee is unique).

Build your authentication process so that when someone authenticates somewhere in your application farm...anywhere...that unique sessionid is stored to the remote database.

Pass that unique sessionid from app to app. Perhaps append it to your hyperlinks, or store it in client variables (cookies) that you mentioned earlier.

Finally, in your application logic that checks to see if someone is authenticated, before forcing them to login again...use their client variables (or the passed unique sessionid) to check back with the remote datasource, and auth them if you have found/verified it.

This is an oversimplification, but is the foundation for SSO, and should get you thinking in the right direction.

PS: Keep all your applications on the same domain, if possible (xx.mysite.com, yy.mysite.com) so that your client vars (cookies) can be set to be domain-specific, allowing them to traverse the application farm as you need them to.
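The store, issue, verify and revoke flow described in the steps above, as an added CFScript example (not code from the post). It assumes ColdFusion 11+ or Lucee (queryExecute and the cfcookie() script call), a shared datasource named ssoDSN holding a table sso_sessions(token, user_id, expires), and the .mysite.com domain from the PS; all of those names are assumptions.

```cfscript
// SsoSession.cfc: the one shared place that Portal, Atlas and P-Body all consult.
// Assumptions (not from the post): datasource "ssoDSN" reachable by every app,
// with a table sso_sessions(token VARCHAR(64), user_id VARCHAR(64), expires DATETIME).
component {

    variables.dsn = "ssoDSN";
    variables.ttlMinutes = 30;

    // Step 3: whichever app authenticated the user records a fresh token in the shared store.
    public string function issue(required string userId) {
        // The post suggests createUUID(); a CSPRNG value such as generateSecretKey("AES") is harder to guess.
        var token = createUUID();
        queryExecute(
            "INSERT INTO sso_sessions (token, user_id, expires) VALUES (:token, :userId, :expires)",
            {
                token   = { value = token, cfsqltype = "cf_sql_varchar" },
                userId  = { value = arguments.userId, cfsqltype = "cf_sql_varchar" },
                expires = { value = dateAdd("n", variables.ttlMinutes, now()), cfsqltype = "cf_sql_timestamp" }
            },
            { datasource = variables.dsn }
        );
        // Step 4: hand the token to the browser as a domain-wide cookie so the other apps receive it.
        cfcookie(name = "SSOTOKEN", value = token, domain = ".mysite.com", httpOnly = true, secure = true);
        return token;
    }

    // Step 5: each app calls this before showing its own login page; "" means not signed in.
    public string function verify(required string token) {
        if ( !len(arguments.token) ) return "";
        var q = queryExecute(
            "SELECT user_id FROM sso_sessions WHERE token = :token AND expires > :now",
            {
                token = { value = arguments.token, cfsqltype = "cf_sql_varchar" },
                now   = { value = now(), cfsqltype = "cf_sql_timestamp" }
            },
            { datasource = variables.dsn }
        );
        return q.recordCount ? q.user_id[1] : "";
    }

    // "Log off" in any one app deletes the shared row, so every app sees the user as signed out.
    public void function revoke(required string token) {
        queryExecute(
            "DELETE FROM sso_sessions WHERE token = :token",
            { token = { value = arguments.token, cfsqltype = "cf_sql_varchar" } },
            { datasource = variables.dsn }
        );
    }
}

// In each app's Application.cfc onRequestStart():
//   var uid = new SsoSession().verify(cookie.SSOTOKEN ?: "");
//   if ( len(uid) ) session.auth = { isLoggedIn = true, id = uid };
```

Expired rows should be purged by a scheduled task, and the cookie should only be set over HTTPS since anyone holding the token is treated as the user.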


Use the server scope. It is shared across applications.

http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec0c35c-7fdb.html
