Thread: intranet to single sign on to zimbra mail client using soap method. (ZClient)

  1. #1

    I have an intranet site built with Java which I wish to have single sign on with Zimbra web mail.

    I use ZClient to connect to Zimbra's SOAP service.
    I extract the ZM_AUTH_TOKEN & SessionId.

    I then create a cookie using the ZM_AUTH_TOKEN and I add the cookie to the response object.

    The SOAP connection works and I can get info back from the server.
    The cookie is created successfully.

    But even with the cookie, I still keep getting the Zimbra web mail login screen.

    Here is the source code that I am using. Can you tell me what I am doing wrong? No, I do not want to use preauth, so please do not recommend this to me, thanks.


    <code>
    import java.io.*;
    import java.net.*;

    import javax.servlet.*;
    import javax.servlet.http.*;
    import com.zimbra.common.service.ServiceException;
    import com.zimbra.cs.service.mail.MailService;
    import com.zimbra.cs.service.account.AccountService;
    import com.zimbra.cs.servlet.ZimbraServlet;
    import com.zimbra.cs.util.Zimbra;
    import com.zimbra.soap.Element;
    import com.zimbra.soap.SoapFaultException;
    import com.zimbra.soap.SoapHttpTransport;
    import com.zimbra.soap.ZimbraSoapContext;

    /**
     *
     * @author
     */
    public class ZimbraLogin {

        /** Creates a new instance of ZimbraLogin */
        public ZimbraLogin(HttpServletRequest request, HttpServletResponse response) {
            SoapHttpTransport trans = null;
            Element zresponse = null;
            Element zrequest = null;
            String authToken = null;
            String sessionId = null;
            try {
                trans = new SoapHttpTransport("https://my.zimbrahost.com" + ZimbraServlet.USER_SERVICE_URI);

                // Build the AuthRequest from the credentials kept in the intranet session
                zrequest = Element.XMLElement.mFactory.createElement(AccountService.AUTH_REQUEST);

                zrequest.addAttribute(AccountService.E_ACCOUNT, (String) request.getSession().getAttribute("id") + "@my.zimbrahost.com", Element.DISP_CONTENT);
                zrequest.addAttribute(AccountService.E_PASSWORD, (String) request.getSession().getAttribute("password"), Element.DISP_CONTENT);
                zresponse = trans.invoke(zrequest);

                // Pull the auth token and (optional) session id out of the AuthResponse
                authToken = zresponse.getAttribute(AccountService.E_AUTH_TOKEN);
                sessionId = zresponse.getAttribute(ZimbraSoapContext.E_SESSION_ID, null);

                trans.setAuthToken(authToken);
                if (sessionId != null)
                    trans.setSessionId(sessionId);
            }
            catch (Exception e) {
                e.printStackTrace();
            }

            // Only hand a cookie to the browser if authentication returned a token
            if (authToken != null) {
                Cookie authCookie = new Cookie("ZM_AUTH_TOKEN", authToken);
                authCookie.setPath("/");
                response.addCookie(authCookie);
            }
        }

    }
    </code>

  2. #2
    I think you might want to look at the Pre-Auth stuff rather than using Z-client (someone at Zimbra can validate this for me). IIRC, the authorization token is stored both in the cookie and also in a JavaScript session variable. That variable protects against the kind of Ajax injection attacks we saw earlier.

    There is also a 5.0 interface for custom authentication.

  3. #3

    preauth

    I see the benefits of preauth. But it does not lend itself well to a multi-server environment spread across multiple timezones.

  4. #4

    JavaScript session variable

    Please tell me more about this JavaScript session variable.

  5. #5

    Originally posted by hebron:
    "Please tell me more about this JavaScript session variable."

    It exists inside of the Zimbra instance itself. I am sure there is some way to force a relogin with cookies, but I don't know exactly how Zimbra manages that. I would look at the first JSPs that load to see how they look at the cookies.
