
    relogin when loginRequiredMarker is not an option

    First, thanks to Blama and others who helped me get Shibboleth authorizations working with my application.

    I'm now working on the problem of relogins and I'm faced with the fact that there is zero chance of changing the standard login page used by our 40,000+ student university. The fact that users always see the same login page for all of the hundreds of pages and applications protected by our Shibboleth SSO system is an important security feature. They are taught to type their credentials into that page and no other. So the challenge becomes how to detect that standard page and trigger the relogin process.

    I saw a post on the SmartGWT forum where a user seemed to solve a similar problem, but I struggle to adapt that to SmartClient.

    Thanks
    RP


    #2
    Reread the relogin materials - you don't need to alter the appearance or behavior of the page. You just need to put the loginRequired token into it. It is invisible to end users and has no functional impact.

    Since the code for detecting the loginRequired marker and acting on it is literally identical between SmartClient and SmartGWT, anything you see for SmartGWT should be adaptable to SmartClient, but we obviously can't comment further unless you actually link to the thread you're talking about.

    Comment


      #3
      This is the thread I was referring to:

      https://forums.smartclient.com/forum...requiredmarker

      Comment


        #4
        So we'd again recommend putting the relogin marker into the page if that is at all possible. It has no visual or functional impact and does not require adding any JavaScript libraries, so it should be non-controversial. Also, any other way of identifying the page - say, based on the URL or based on some content that it happens to contain now - could be broken in the future if there are changes to how the login system works, and they are not aware that you need a marker in the page.

        However the approach in that other thread should work if you just take the parts of the code that are JSNI:

        Code:
        isc.RPCManager.addClassProperties({
            responseRequiresLogin : function (xmlHttpRequest, transactionNum) {
                // do whatever you want with the native xmlHttpRequest object here
                // to decide whether you've hit the login page, and return true if so
            }
        });

        Comment
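
One way to fill in the `responseRequiresLogin` override from post #4 when the SSO login page cannot carry the marker, as an added example that is not code from the thread or from SmartClient. `LOGIN_ORIGIN`, `LOGIN_PATH_PREFIX`, `isSsoLoginResponse` and `mockXhr` are hypothetical names with constructed values; it assumes the redirected login page is readable by the XHR and that the application's own RPC responses are never HTML containing a password field.

```javascript
// Added example. LOGIN_ORIGIN and LOGIN_PATH_PREFIX are constructed
// placeholders; substitute the values of your own SSO deployment.
const LOGIN_ORIGIN = "https://idp.example.edu";
const LOGIN_PATH_PREFIX = "/idp/";

// Returns true when the response to an RPC looks like the SSO login page
// rather than application data.
function isSsoLoginResponse(xhr) {
    // 1. Did the request, after redirects, end at the identity provider?
    //    Compare the parsed origin and path, not substrings, so a query
    //    parameter or look-alike host naming the IdP cannot match.
    if (xhr.responseURL) {
        try {
            const finalUrl = new URL(xhr.responseURL);
            if (finalUrl.origin === LOGIN_ORIGIN &&
                finalUrl.pathname.startsWith(LOGIN_PATH_PREFIX)) {
                return true;
            }
        } catch (e) {
            // Unparseable URL: fall through to the content check.
        }
    }
    // 2. Fallback: an HTML document with a password field arrived where an
    //    RPC response was expected.
    const type = (xhr.getResponseHeader("Content-Type") || "").toLowerCase();
    if (xhr.status === 200 && type.startsWith("text/html")) {
        const passwordField = /<input\b[^>]*\btype\s*=\s*["']?password\b/i;
        return passwordField.test(xhr.responseText || "");
    }
    return false;
}

// Install the override only when SmartClient is loaded.
if (typeof isc !== "undefined") {
    isc.RPCManager.addClassProperties({
        responseRequiresLogin : function (xmlHttpRequest, transactionNum) {
            return isSsoLoginResponse(xmlHttpRequest);
        }
    });
}

// Constructed stand-in for XMLHttpRequest, for checking the logic offline.
function mockXhr(url, status, contentType, body) {
    return {
        responseURL: url, status: status, responseText: body,
        getResponseHeader: function (name) {
            return name.toLowerCase() === "content-type" ? contentType : null;
        }
    };
}
```

As post #4 points out, a check based on the URL or on page content has to be revisited whenever the login system changes, which is why both values are kept in one place at the top.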
