RTC3 Login hook


Benjamin Chodroff (8985131) | asked Dec 02 '10, 5:38 p.m.
I'm very new to RTC development and I'd appreciate any help in getting started. I'm going to follow the instructions in the RTCSDK20 Wiki for Client/Server.

I am trying to make a server plugin that hooks into the login call. If a login authentication is unsuccessful, I want to pass the username to a function that will:
    1. Securely bind to the configured LDAP
    2. Query the LDAP if that user exists (password doesn't matter)
    3. Create the new user in RTC as a JazzUser and assign a floating dev license
    4. Retry authentication


Can someone make a suggestion where this "login" call is? Is there a better way of doing this?

I'm sure someone will say "You should use the nightly LDAP synchronizer" -- but this particular customer has 100,000+ LDAP users all contained in one group and the synchronizer takes days to run. I'm pursuing this plugin as an alternate solution to reduce the delay for new users. Help, suggestions, and alternative ideas appreciated!
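Steps 1 and 2 of the list above, as an added example that is not Benjamin's code and uses no RTC API: a JNDI lookup over LDAPS with a dedicated read-only service account, where the user id is escaped before it is placed in the search filter so a crafted id cannot alter the query. The URL, bind DN, base DN, attribute name and environment variable are placeholders, and the JVM's default truststore is assumed to hold the LDAPS server's CA.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapUserLookup {
    // Placeholder values (assumptions): substitute the LDAP settings already configured for the Jazz server.
    private static final String LDAP_URL = "ldaps://ldap.example.invalid:636";
    private static final String BIND_DN = "cn=jazz-lookup,ou=service,dc=example,dc=invalid";
    private static final String BIND_PASSWORD = System.getenv("JAZZ_LDAP_LOOKUP_PASSWORD"); // never hard-code it
    private static final String USER_BASE_DN = "ou=people,dc=example,dc=invalid";
    private static final String USER_ID_ATTR = "uid";

    /** Escapes RFC 4515 filter metacharacters so a caller-supplied id cannot change the query's meaning. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns true only if exactly one entry with this user id exists under USER_BASE_DN. */
    static boolean userExists(String userId) throws NamingException {
        if (BIND_PASSWORD == null) throw new IllegalStateException("JAZZ_LDAP_LOOKUP_PASSWORD is not set");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");           // LDAPS: the bind password never crosses the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { USER_ID_ATTR });
            sc.setCountLimit(2);                               // a second hit means the id is ambiguous, so refuse it
            String filter = "(" + USER_ID_ATTR + "=" + escapeFilterValue(userId) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(USER_BASE_DN, filter, sc);
            int hits = 0; while (hits < 2 && results.hasMore()) { results.next(); hits++; }
            return hits == 1;
        } finally {
            ctx.close();
        }
    }
}
```

The lookup deliberately ignores the end user's password (as the question requires): only the service account binds, and the caller decides whether to create the JazzUser based on the boolean result.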

8 answers



Christophe Elek (2.9k12921) | answered Dec 03 '10, 1:45 p.m.
JAZZ DEVELOPER
"If a login authentication is unsuccessful, I want to pass the username"

Ben,
You mean the authorization, right?
Authentication is done by the app; once this is done the userid is passed to the server. If your user does not exist, the connection is refused.

There are 2 things we need to do:
1) we need to trace the ldapSynch and check where the time is spent (enable the LDAP trace, send the results)
2) you could create a script that will export the users in CSV format (the 150,000 users) and then you can use repotools -importusers to create them (or did you try and it takes too long too?)

Chris

Benjamin Chodroff (8985131) | answered Dec 03 '10, 2:29 p.m.
Yes, sorry, I meant authorization. The reason authorization fails is that the user Id is not present in the Jazz database. I want to create the user Id on the fly if an authorization fails because the user is not present in the database but does exist in the LDAP.

Improving the ldap synchronizer speed would be great but would not accomplish what this customer wants. That is because they would prefer not to have every user in RTC but only users that try to access the system. This in some (very little) way improves security.

Even if we improve the sync 33% it won't be fast enough to be on the fly. We could do an import from a csv but this doesn't solve new users and it also is against their security policy to have such a list. As well, they don't want to manually add users because this requires JazzAdmin privs and the people asking for new users would be JazzProjectAdmin.

Can we do it, and do you have any suggestions where to start?

Christophe Elek (2.9k12921) | answered Dec 03 '10, 2:35 p.m.
JAZZ DEVELOPER
Ok, so we want a user to be added to the database once they log in?
Why not have a process where a user needs to register on a web site, and this will add the user to the database?
In IBM, you register yourself with ITIM, and this adds you to some DB.

So you could create an App where one needs to register oneself before having access to the DB.
You could have the 401 auth refused redirect to the app.
To register a user you could use repotools or a POJO and a service using a non-human registered userid/password.

Thoughts?
Chris

Benjamin Chodroff (8985131) | answered Dec 03 '10, 4:26 p.m.
Excellent idea!

Where is the 401 page stored? I'll put a meta refresh to a registration page which accepts SSO.

Is it in the theme?

Christophe Elek (2.9k12921) | answered Dec 03 '10, 5:07 p.m.
JAZZ DEVELOPER
You could create your own form login?

Benjamin Chodroff (8985131) | answered Dec 03 '10, 5:35 p.m.
"You could create your own form login?"

Not clear what you mean. Yes, I know the OSLC to create a new user in a JSP form. But what I still need is for it to be seamless to the end user. I should never see a not authorized page if the user exists in the LDAP. Anything other than that is a failure in the customer's mind.

Do you know if the 401 page can be customized in any way? It would be great if this page was a variable in the advanced configuration. Maybe WebSphere could catch the 401 and redirect... Will look into this!

Really appreciate the help - your idea is much more elegant than my original!

Benjamin Chodroff (8985131) | answered Dec 03 '10, 10:33 p.m.
I tried changing the RTC theme to include some javascript but that unfortunately only allows you to change the header and footer banners -- which don't show up during login!

I'm still not able to find a way to capture the "401 auth refused" and redirect to the app. I tried playing with the Tomcat web.xml files and seeing if I could alter the <form> directive, but every attempt seemed to result in breaking the application. I couldn't even get it to load an alternate "login.html" page even when I stripped out all the security-constraints.

Any tips?

Christophe Elek (2.9k12921) | answered Dec 03 '10, 11:32 p.m.
JAZZ DEVELOPER
If I remember well, the 401 is sent back to the form login.
You would have to rewrite your own or create a front end that would redirect to a basic auth to the app server... much like jazz.net.
