lemonldap-ng/doc/pages/documentation/current/servertoserver.html
2019-12-21 16:54:57 +01:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:servertoserver</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,servertoserver"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="servertoserver.html"/>
<link rel="contents" href="servertoserver.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:servertoserver","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="handling_server_webservice_calls">Handling server webservice calls</h1>
<div class="level1">
<p>
In modern applications, a web application may need to call other web applications on behalf of the authenticated user. There are three ways to do this:
</p>
<ul>
<li class="level1"><div class="li"> the Ugly: give the <abbr title="Single Sign On">SSO</abbr> cookie to all applications. Not secure, because an <abbr title="Single Sign On">SSO</abbr> cookie that leaks can be replayed everywhere, at any time, by anyone: it carries the user's whole session with no restriction on target or lifetime. <strong>NOT RECOMMENDED</strong>. </div>
</li>
<li class="level1"><div class="li"> the Bad (<a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">Secure Token Handler</a>): <strong>Deprecated</strong>. Can still be used in specific cases. </div>
</li>
<li class="level1"><div class="li"> the Good (Service Token Handler): see below! (Thanks Sergio...)</div>
</li>
</ul>
<p>
The &quot;Bad&quot; method consists of giving the token (cookie value) to WebApp1, which then sends it as a cookie header in its own requests. Since version 2.0, <abbr title="LemonLDAP::NG">LL::NG</abbr> offers a better way (the Good!) to do this, using limited-scope tokens.
</p>
<p>
Service tokens are time limited (30 seconds by default) and restricted to an explicit list of target virtual hosts.
</p>
<p>
<a href="documentation/server_to_server.png_documentation_2.0_servertoserver.html" class="media" title="documentation:server_to_server.png"><img src="documentation/server_to_server.png" class="media" title="Kinematic" alt="Kinematic" /></a>
</p>
</div>
<!-- EDIT1 SECTION "Handling server webservice calls" [1-893] -->
<h2 class="sectionedit2" id="webapp1_handler_configuration">Webapp1 handler configuration</h2>
<div class="level2">
<p>
Select <strong>Main</strong> handler type to protect WebApp1 and
insert a header named <strong>X-Llng-Token</strong> filled with this value:
</p>
<pre class="code file perl">token<span class="br0">&#40;</span> <span class="re0">$_session_id</span><span class="sy0">,</span> <span class="st_h">'webapp2.example.com'</span><span class="sy0">,</span> <span class="st_h">'webapp3.example.com'</span><span class="sy0">,</span> <span class="st_h">'serviceHeader1=webapp1.example.com'</span><span class="sy0">,</span> <span class="st0">&quot;testHeader=$uid&quot;</span> <span class="br0">&#41;</span></pre>
<p>
WebApp1 reads this header and forwards it in its own requests by setting the same <code>X-Llng-Token</code> header. The token is built from the session ID and the list of authorized virtual hosts. By default, a Service Token is valid for only 30 seconds and only for the listed virtual hosts. Entries of the form <code>name=value</code> (such as <code>serviceHeader1=webapp1.example.com</code> above) are service headers carried by the token and delivered to WebApp2, for example to tell it which host originated the call.
</p>
<p>
You can set the Service Token TTL per virtual host in the Manager, in the virtual host options.
</p>
<p>
You can also change the default Service Token timeout (30 seconds) by editing <code>lemonldap-ng.ini</code>, section [handler]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>handler<span class="br0">&#93;</span></span>
<span class="re1">handlerServiceTokenTTL</span> <span class="sy0">=</span><span class="re2"> 30</span></pre>
<div class="noteclassic">The Service Token timeout can be set for each virtual host.
</div>
</div>
<!-- EDIT2 SECTION "Webapp1 handler configuration" [894-1894] -->
<h2 class="sectionedit3" id="webapp2_handler_configuration">Webapp2 handler configuration</h2>
<div class="level2">
<p>
Change the handler type to <strong>ServiceToken</strong>: this handler accepts both user connections (<abbr title="Single Sign On">SSO</abbr> cookie) and server connections (<code>X-Llng-Token</code> header). And that&#039;s all!
</p>
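<p>
The following is an added example, not code from LemonLDAP::NG, that models the whole exchange described on this page: the <code>token(...)</code> rule on WebApp1 mints a token bound to the session ID, the authorized virtual hosts and the <code>name=value</code> service headers; WebApp1 forwards it in <code>X-Llng-Token</code>; the ServiceToken handler on WebApp2 authenticates it, enforces the TTL (the 30-second default, or a per-virtual-host override) and refuses it for any host not in scope. The real handlers encrypt the token with their shared cipher; here an HMAC-SHA256 tag over a JSON payload stands in for that, and the wire format, the key and the session ID are constructed assumptions.
</p>

```python
"""Illustrative model of LL::NG-style service tokens (added example, not
LemonLDAP::NG's own code).  The real Main handler builds the token with the
handlers' shared cipher and the ServiceToken handler decrypts it; here an
HMAC-SHA256 tag over a JSON payload stands in for the cipher, and the wire
format (base64url payload "." base64url tag) is an assumption."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# All handlers of one installation share one key; this value is constructed.
SHARED_KEY = b"constructed-shared-handler-key"
DEFAULT_TTL = 30  # seconds: the handlerServiceTokenTTL default


class TokenError(Exception):
    """Raised when a service token must be rejected."""


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token(session_id, *scope, now=None, key=SHARED_KEY):
    """Model of the token(...) rule set on WebApp1.  As in the page's rule,
    plain entries are authorized virtual hosts and entries containing '='
    are service headers; both are bound to the session id and mint time."""
    vhosts = [s for s in scope if "=" not in s]
    headers = dict(s.split("=", 1) for s in scope if "=" in s)
    minted = int(time.time() if now is None else now)
    payload = json.dumps(
        {"t": minted, "sid": session_id, "vh": vhosts, "hdr": headers},
        separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify(tok, vhost, ttl=DEFAULT_TTL, now=None, key=SHARED_KEY):
    """Model of the ServiceToken handler on WebApp2: authenticate the token,
    enforce the TTL, check that the receiving virtual host is in scope, and
    return the session id plus the service headers to inject."""
    try:
        p64, t64 = tok.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        raise TokenError("malformed token") from None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TokenError("token tampered or minted with another key")
    data = json.loads(payload)
    current = int(time.time() if now is None else now)
    # Reject tokens from the future as well as expired ones.
    if not data["t"] <= current < data["t"] + ttl:
        raise TokenError("token expired")
    if vhost not in data["vh"]:
        raise TokenError("token not valid for %s" % vhost)
    return data["sid"], data["hdr"]


def outcome(tok, vhost, **kw):
    """Summarise what WebApp2's handler would do with a token."""
    try:
        sid, hdr = verify(tok, vhost, **kw)
        return "accepted session %s with headers %s" % (sid, sorted(hdr))
    except TokenError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    # Constructed session id; in LL::NG it is $_session_id.
    tok = token("c0ffee42", "webapp2.example.com", "webapp3.example.com",
                "serviceHeader1=webapp1.example.com")
    outgoing = {"X-Llng-Token": tok}  # what WebApp1 adds to its request
    print(outcome(outgoing["X-Llng-Token"], "webapp2.example.com"))
    print(outcome(outgoing["X-Llng-Token"], "webapp4.example.com"))
```

The contrast with the "Ugly" approach is the point of the model: a leaked SSO cookie is accepted by every protected host for the session's whole lifetime, whereas a leaked service token only works against the hosts listed in the rule and only within the TTL. Two practical consequences follow: WebApp1 should use the token promptly (it is minted per request and dies after 30 seconds, so a long-running job cannot cache it), and the token must travel only over TLS, because within its scope and lifetime it is as good as the session.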
</div>
<!-- EDIT3 SECTION "Webapp2 handler configuration" [1895-] --></div>
</body>
</html>