Greetings,
I'm evaluating various CMS packages for a website project. One of my biggest requirements is content needs to be secured (pages, files, etc) based upon usernames and passwords that reside in another system. Pretty much what the frontend user module offers but there are no local user accounts. Can CMSMS support this (I'm assuming yes since frontend users exists) and how much of an undertaking would this be to create either from scratch or using front end users as a base?
Thanks for any help.
Scott
3rd party application integration for front end user authentication???
Re: 3rd party application integration for front end user authentication???
Hello,
what is the "existing system" ? LDAP, SQL, flat files, other ?
Re: 3rd party application integration for front end user authentication???
Pierre M. wrote:
Hello,
what is the "existing system" ? LDAP, SQL, flat files, other ?

Other. No direct access to the data, which includes creating some sort of LDAP or SQL based bridge between the two. The remote system is very "closed" at this point.

I'd really like to leverage as much existing functionality as I can, so I'm thinking that modifying the frontend user module would be the best place to go, replacing only the code I need to. Using generic users would suffice for CMSMS access. Once I obtain authorization for a remote user, I can log them into CMSMS using the generic front end user. I'm oversimplifying what this entails but I'm just thinking out loud.
Re: 3rd party application integration for front end user authentication???
I'm not familiar with Frontend Users, but looking at the code it seems the login is done in action.do_login.php, which calls the Login method from the FrontEndUsersManipulator class (FrontEndUsers.api.php). This in turn calls a CheckPassword method:
Code:
// userid api function
function CheckPassword($username,$password,$groups = '')
{
    $db =& $this->GetDb();
    $q="SELECT u.* FROM ".cms_db_prefix()."module_feusers_users u";
    if ($groups != '')
    {
        $q .= ' INNER JOIN '.cms_db_prefix().'module_feusers_belongs b ON u.id = b.userid INNER JOIN '.cms_db_prefix().'module_feusers_groups g ON g.id = b.groupid ';
    }
    $q .= ' WHERE u.username=? AND u.password=?';
    $p=array($username,md5($password));
    if ($groups != '')
    {
        //split the string on the commas
        $groups = split(',\ ?', $groups);
        //make a bit for the query
        $q .= ' AND (' . implode(' OR ', array_fill(0, count($groups), 'g.groupname = ?')) . ')';
        foreach ($groups as $group)
        {
            $p[] = $group;
        }
    }
    $result=$db->Execute($q,$p);
    if ($result && $result->RecordCount()) return true;
    return false;
}
This seems to be the code you'll have to replace.
Regards,
D
Re: 3rd party application integration for front end user authentication???
Thank you for simplifying, but I'm afraid the situation is too specific and too complex. I fear security holes with "other systems" with cross posts and redirections. I'd rather set up a central id management, maybe via the SQL bridge you are suggesting.
Pierre M.
Re: 3rd party application integration for front end user authentication???
Dee - Thanks for the pointer, I'll start looking at that code!!
Pierre M. - I agree but there is right, wrong, and what will work given restrictions beyond one's control. My job is to integrate, make it work and make it as robust as possible given the parameters I have to work in. If I can change the parameters I will but that is unlikely.
At this point all access to the remote forms is secured via SSL and filtered on incoming IP address so there is a lower chance of a hack.
Last edited by styson on Tue Apr 10, 2007 7:59 pm, edited 1 time in total.
Re: 3rd party application integration for front end user authentication???
OK, I understand better the complex situation. I think Dee is right: the SQL bridge at the data level may not be the smartest solution but patching the CheckPassword code to make the SSL POST could do it.
Pierre M.
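The approach the thread ends on, replacing the local password lookup with an HTTPS POST to the remote system, shown as an added example (not code from the FrontEndUsers module or from any poster). It fails closed, verifies the certificate and refuses redirects so the password cannot be forwarded to another host. Assumptions: PHP 7.1+ with the curl extension; the endpoint URL, the `username`/`password` field names, the JSON reply format and the function names `https_post` and `remote_check_password` are hypothetical.

```php
<?php
// Added example: endpoint URL, field names and JSON reply format are assumptions.
const AUTH_URL = 'https://auth.example.invalid/login'; // placeholder, not a real host

// POST over HTTPS. Returns [status, body], or null on any transport or TLS error.
function https_post(string $url, array $fields): ?array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // reject untrusted certificates
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,           // a redirect must not carry the password elsewhere
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return $body === false ? null : [$status, $body];
}

// Fail closed: only HTTP 200 carrying {"authenticated": true} counts as a login.
function remote_check_password(string $username, string $password, callable $post): bool
{
    if ($username === '' || $password === '' || strlen($username) > 128) {
        return false; // reject empty or oversized input before contacting the remote system
    }
    $reply = $post(AUTH_URL, ['username' => $username, 'password' => $password]);
    if ($reply === null || $reply[0] !== 200) {
        return false; // outage, TLS failure, redirect or rejection all deny access
    }
    $data = json_decode($reply[1], true);
    return is_array($data) && ($data['authenticated'] ?? null) === true;
}

// Constructed stand-in for the remote system (offline demo); production passes 'https_post'.
$fake = function (string $url, array $f): ?array {
    if ($f['username'] === 'down') {
        return null; // simulated outage
    }
    $ok = $f['username'] === 'alice' && $f['password'] === 'correct horse';
    return [$ok ? 200 : 401, json_encode(['authenticated' => $ok])];
};
var_dump(remote_check_password('alice', 'correct horse', $fake));
var_dump(remote_check_password('alice', 'wrong', $fake));
var_dump(remote_check_password('down', 'x', $fake));
```

The three calls exercise a valid login, a rejected password and a remote outage; the last two must both deny access.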