
I've been asked to create a web page from which users can access several other applications created using Oracle Forms and JSF; this will also include SSO. I can't think of an easy way to do it. What I was thinking was that the user should register and enter all his usernames/passwords for each application, after which he will deal only with the username/password he created for this page.

What I wanted to ask was if this is a good idea or is there a better way to deal with this?

asked Feb 23, 2011 at 16:18

3 Answers


Don't do your idea!

See "Is an 'if password == XXXXXXX' enough for minimum security?" for some basic password advice for applications. In virtually all cases, a password should be hashed so that the value cannot be retrieved.

Important: If you do continue with your idea, you've just stored retrievable passwords for several applications in a single place, which is much, much worse than violating the retrievability principle for one application. So, even if those applications had implemented good security practices, this interception step breaks all of them.

Single sign-on is usually implemented through some method of either sharing an authentication token (could be used where each application is produced by the same vendor, sharing similar database fields and being able to authenticate the validity of that token), or a single authentication server (OpenId) or one of the other means listed in that article.

It's always very complicated and requires very advanced understanding of this topic and security in general.


So, your first impression was correct - if SSO is involved, there is no "easy" way to do it. The SSO requirement makes this project sound like it's beyond your current means, especially if you were asked to "create a web page" that provides SSO.

  1. A single web page with links to different applications is obviously trivial, and I suggest you complete that as a first step.
  2. Next, I'd suggest you research SSO, understand how it relates to your applications, and take this back to your manager.
  3. If your manager would like to continue, I would look at existing SSO products. Building a secure in-house solution is probably more than you want to take on. If you do decide to build it in-house, get learning.
answered Feb 23, 2011 at 17:09
  • You deleted your duplicate answer and that's as permanent as it's going to get. That's the same "delete" as we have. :) Commented Feb 23, 2011 at 17:34
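The two points made in the answer above, that the portal must store only a non-retrievable hash of its own password and that SSO is normally done by handing the applications a verifiable authentication token rather than their passwords, are shown together below as an added example. This code is not from the answer or from any Oracle or JSF product; it is written in Python for readability even though the target applications are Forms and JSF. The token format (a base64url JSON payload with an HMAC-SHA256 signature over it, keyed by a secret shared between the portal and each application) is a minimal home-grown design chosen to illustrate the idea, not a standard such as SAML or OpenID Connect, and the key, user records and audience names are constructed for the example.

```python
"""Minimal token-based SSO: portal hashes its own passwords and issues
signed, expiring, audience-bound tokens; each application verifies them.
Example code only; the shared key and user data are constructed here."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Secret shared between the portal (issuer) and every application (verifier).
# Assumed to be distributed out of band; constructed value for the example.
SSO_KEY = b"example-shared-key-do-not-use-in-production"


# ---- Portal side: the portal password is stored only as a salted PBKDF2 hash ----

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> dict:
    """Return a record that lets us verify a password but never recover it."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, audience: str, ttl: int = 300,
                now: Optional[float] = None) -> str:
    """Sign a short-lived token that names the user and the one app it is for."""
    now = time.time() if now is None else now
    payload = {"sub": username, "aud": audience, "iat": int(now),
               "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def portal_login(users: dict, username: str, password: str, audience: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Check the portal password against its hash; on success issue a token.
    The application passwords are never stored or seen by the portal."""
    record = users.get(username)
    if record is None or not verify_password(password, record):
        return None
    return issue_token(username, audience, now=now)


# ---- Application side (Forms or JSF app): verify before trusting the user name ----

def verify_token(token: str, expected_audience: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature, audience and validity window all
    check out; None for a malformed, tampered, misdirected or expired token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given_sig = _unb64(sig)
    except ValueError:            # wrong number of parts or bad base64
        return None
    expected_sig = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return None               # signature checked before the body is parsed
    payload = json.loads(_unb64(body))
    if payload.get("aud") != expected_audience:
        return None               # token issued for a different application
    if not (payload["iat"] <= now < payload["exp"]):
        return None               # not yet valid or expired
    return payload


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed
    token = portal_login(users, "alice", "correct horse battery staple", "forms-app")
    print("forms-app accepts:", verify_token(token, "forms-app"))
    print("jsf-app accepts:", verify_token(token, "jsf-app"))
```

Note that the token carries no secret the receiving application could replay elsewhere: it is bound to one audience and one time window, and the application learns only who the user is. The real work in SSO lies around this core (key distribution and rotation, logout, session management, the per-application integration), which is why the answer recommends an existing product over building it in-house.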

Sounds to me like you are being asked to re-create some of the functionality in Oracle Access Manager which is an off-the-shelf WSSO solution that may or may not be applicable here.

answered Feb 23, 2011 at 16:26

I highly recommend looking at off-the-shelf SSO solutions such as Atlassian Crowd ($10 for up to 50 users) or Oracle Access Manager. Perhaps make the applications use OpenID so that you are not in charge of the authentication, but you know who the user is. In any case, SSO is a non-trivial problem. I've only ever written the client-side integration piece for an existing SSO solution, and recommend that for most people.

answered Feb 23, 2011 at 17:32
