  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 527

Best Way to Authenticate and Login External User Via Webservice / Single Signon

Hi Experts,

I need to allow some users into my application from a partner application (and they will do the same). The partner will pass to my web service a user ID, an organization ID and a secret organization key which will have been predetermined and already set up on the partner side database. I need to get the passed user through my login authentication (which normally would require a password but will not in this case) and then provide a link back to my partner's side with a session ID for the user to click and get into my application. I'm not sure of the best way to do this and have little experience in web services. (I know, I know!)

I'm not sure if I should just rebuild my fairly complicated login process in the web service CFC (the login process checks for expired or inactive user IDs, records an access attempt, assigns session variables and so on), or whether there is a way to just include the existing login.cfm inside the CFC and then pass back the resulting session ID. And then how exactly do I code the session ID into the link returned to my partner so that my user can get right in?

Both environments are https.

This is probably not written correctly but hopefully you get the gist.

Thanks.

Brijesh Chauhan (Staff IT Engineer) commented:
From the docs:

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=webservices_22.html

You can handle the user name/password string in your Application.cfc or Application.cfm file as part of your own security mechanism. In this case, you use the cflogin tag to retrieve the user name/password information from the authorization header, decode the binary string, and extract the user name and password, as the following excerpt from an Application.cfc onRequestStart method shows:

<cflogin>
    <cfset isAuthorized = false>

    <!--- cflogin.name and cflogin.password are the decoded contents of the
          Basic Authorization header. verifyCredentials() is a placeholder for
          your own check of that pair against your user store. --->
    <cfif isDefined("cflogin")
          AND verifyCredentials(cflogin.name, cflogin.password)>
        <cfset isAuthorized = true>
        <!--- Record the authenticated user so the cflogin body is not
              re-run on every request of this session. --->
        <cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="user">
    </cfif>
</cflogin>

<cfif not isAuthorized>
    <!--- If the user does not pass a user name/password, return a 401 error.
          The browser then prompts the user for a user name/password. --->
    <cfheader statuscode="401">
    <cfheader name="WWW-Authenticate" value="Basic realm=""Test""">
    <cfabort>
</cfif>

logic_lover (Author) commented:
Well, I'm not using cflogin and I wonder how hard it would be to convert? This is something I should put on my list.

I finally ended up figuring out a solution that I think is not very elegant and awkward, but it works. The other application makes a call to my web service with user auth info; I find the user, create a UUID for them and write it to the user table. Then I pass that UUID back to the caller in a URL that authenticates again with the UUID and, if the user is not inactivated etc., it just lets him/her into the application without the login. I don't like it much because the UUID will always be in the table until the caller application generates another one - it seems like I should expire it somehow. Can you see other holes in this?
logic_lover (Author) commented:
I decided to delete the UUID from the table as soon as the user is validated.
Brijesh Chauhan (Staff IT Engineer) commented:
It is not very difficult to use the CFLOGIN / CFLOGOUT combination; you can read about it in the docs here:

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_j-l_07.html

http://coldfusion-example.blogspot.com/2009/06/how-to-create-authentication-system.html

http://tutorial67.easycfm.com/

Yes, you should have the UUID expire after a certain time; probably have a scheduled task that checks the time at which each UUID was created and cleans out the ones created more than a certain time ago.

I don't see anything else apart from this which should be an issue.
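The following is an added example, not code from this thread, the questioner's application or the Adobe docs, and it is in Python rather than ColdFusion. It puts together the scheme logic_lover describes (the partner calls the web service with its credentials, the service looks up the user and hands back a link carrying a token, the login page accepts the token), the Basic Authorization header handling from the docs excerpt in the first answer, and the two follow-ups: delete the token on first use and expire unused ones with a scheduled task. The organization key, the user records, the login URL and the 300-second lifetime are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (assumptions, not the original application's tables).
PARTNER_ORG_KEYS = {"acme": "s3cret-org-key-shared-out-of-band"}  # org id -> org key
USERS = {
    "alice": {"org": "acme", "active": True},
    "bob": {"org": "acme", "active": False},   # inactivated account, must be refused
}
LOGIN_PAGE = "https://app.example/sso_login.cfm"  # hypothetical entry point
TOKEN_TTL_SECONDS = 300

# Pending login tokens: sha256(token) -> {"userid", "expires"}.
# Only the hash is stored, so a copy of the table does not yield usable links.
PENDING_TOKENS = {}


def basic_auth_header(org_id, org_key):
    """What the partner sends: the value of an HTTP Basic Authorization header."""
    raw = f"{org_id}:{org_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header):
    """Decode 'Basic <base64(name:password)>'; return (name, password) or None."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    name, sep, password = decoded.partition(":")
    return (name, password) if sep else None


def authorize_partner(header):
    """Return the organization id if the header carries that org's secret key."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    org_id, org_key = creds
    expected = PARTNER_ORG_KEYS.get(org_id)
    # compare_digest: the time taken does not reveal how many key bytes matched.
    if expected is None or not hmac.compare_digest(expected.encode(), org_key.encode()):
        return None
    return org_id


def _token_digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_login_link(auth_header, userid, now=None):
    """Web service entry point: check partner and user, return a one-time link."""
    now = time.time() if now is None else now
    org_id = authorize_partner(auth_header)
    if org_id is None:
        raise PermissionError("partner not authorized")
    user = USERS.get(userid)
    if user is None or user["org"] != org_id or not user["active"]:
        raise PermissionError("unknown, foreign or inactive user")
    token = secrets.token_urlsafe(32)  # 256 random bits from a CSPRNG
    PENDING_TOKENS[_token_digest(token)] = {"userid": userid,
                                            "expires": now + TOKEN_TTL_SECONDS}
    return LOGIN_PAGE + "?" + urlencode({"token": token})


def token_from_link(link):
    """Extract the token the user's browser presents to the login page."""
    return parse_qs(urlparse(link).query).get("token", [None])[0]


def redeem_token(token, now=None):
    """Login page: consume the token exactly once; return the userid or None."""
    now = time.time() if now is None else now
    if not token:
        return None
    record = PENDING_TOKENS.pop(_token_digest(token), None)  # removed whether valid or not
    if record is None or record["expires"] < now:
        return None
    user = USERS.get(record["userid"])
    if user is None or not user["active"]:  # status may have changed since issue
        return None
    return record["userid"]


def purge_expired(now=None):
    """Scheduled-task equivalent: drop tokens that were never redeemed in time."""
    now = time.time() if now is None else now
    stale = [d for d, rec in PENDING_TOKENS.items() if rec["expires"] < now]
    for d in stale:
        del PENDING_TOKENS[d]
    return len(stale)


if __name__ == "__main__":
    header = basic_auth_header("acme", PARTNER_ORG_KEYS["acme"])
    link = issue_login_link(header, "alice")
    print("link:", link)
    print("first redeem:", redeem_token(token_from_link(link)))   # alice
    print("second redeem:", redeem_token(token_from_link(link)))  # None
```

Compared with a bare UUID left in the user table, this closes the gaps the thread worries about: the token comes from a cryptographic random source, only its hash is persisted, it is deleted on the first redemption attempt (valid or not), it dies after the lifetime whether or not the purge task has run yet, the user's active status is re-checked at redemption rather than trusted from issue time, and the organization key is compared in constant time. Because the token travels in a URL it can end up in browser history, proxy logs and Referer headers even over HTTPS, which is the practical reason for keeping the lifetime short and the token single-use; the link should also be returned to the partner only over the authenticated, HTTPS web service call, never echoed anywhere else.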
logic_lover (Author) commented:
Brijeshchauhan, thanks. I've been meaning to rewrite my whole user auth process anyway. This looks like the way to go.