From notifications-return-17315-archive-asf-public=cust-asf.ponee.io@ofbiz.apache.org Fri Mar 23 09:32:07 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 3AC7918067E for ; Fri, 23 Mar 2018 09:32:07 +0100 (CET) Received: (qmail 46843 invoked by uid 500); 23 Mar 2018 08:32:06 -0000 Mailing-List: contact notifications-help@ofbiz.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ofbiz.apache.org Delivered-To: mailing list notifications@ofbiz.apache.org Received: (qmail 46824 invoked by uid 99); 23 Mar 2018 08:32:06 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 23 Mar 2018 08:32:06 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id B391F1A0969 for ; Fri, 23 Mar 2018 08:32:05 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -101.51 X-Spam-Level: X-Spam-Status: No, score=-101.51 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_SHORT=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id Qyj1_jFzadgk for ; Fri, 23 Mar 2018 08:32:02 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 36D165F36A for ; Fri, 23 Mar 2018 08:32:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 5E165E010F for ; Fri, 23 Mar 2018 08:32:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 2064B214DC for ; Fri, 23 Mar 2018 08:32:00 +0000 (UTC) Date: Fri, 23 Mar 2018 08:32:00 +0000 (UTC) From: "Jacques Le Roux (JIRA)" To: notifications@ofbiz.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (OFBIZ-10307) Navigate from a domain to another with automated signed in authentication MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/OFBIZ-10307?page=3Dcom.atlassia= n.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D164= 11005#comment-16411005 ]=20 Jacques Le Roux commented on OFBIZ-10307: ----------------------------------------- The=C2=A0[^OFBIZ-10307-test.patch] can be used to test the feature with tru= nk demo. > Navigate from a domain to another with automated signed in authentication > ------------------------------------------------------------------------- > > Key: OFBIZ-10307 > URL: https://issues.apache.org/jira/browse/OFBIZ-10307 > Project: OFBiz > Issue Type: New Feature > Components: framework > Affects Versions: Trunk > Reporter: Jacques Le Roux > Priority: Major > Fix For: Upcoming Branch > > Attachments: OFBIZ-10307-test.patch, OFBIZ-10307.patch > > > This will use a JWT Token authentication to get from one domain, where yo= u are signed in, to another domain where you get signed in automatically. S= omething like ExternalLoginKey or Tomcat SSO, but not on the same domain. > This will build upon the initial work done at OFBIZ-9833 which has been p= artially reverted in trunk with r1827439 (see OFBIZ-10304) and r1827441. I = explained why and what I did at https://s.apache.org/a5Km > I turned to Ajax for the "Authorization" header sending. I initially thou= ght I'd just pass an "Authorization" header and use it in the externalServe= rLoginCheck preprocessor, et voil=EF=BF=BD. > But I stumbled upon something I did not know well : CORS! And in particul= ar the upstream control (Pre-verified requests): > https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_exa= mple > https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS > https://www.w3.org/TR/cors/ > To be able to pass an "Authorization" header, the server must respond pos= itively in the Preflight HTTP response (OPTIONS). To do this, either you us= e a Tomcat filter (or your own filter, there are examples on the Net) or us= e HTTPD (or Nginx) configuration on the target server. > I tried Tomcat first, without success. With HTTPD it's easier just 3 line= s. For my tests, future tests by OFBiz users and as an example, I asked inf= ra to put them in our HTTPD trunk demo config: > Header set Access-Control-Allow-Origin "https://localhost:8443" > Header set Access-Control-Allow-Headers "Authorization" > Header set Access-Control-Allow-Credentials "true" > No code change (either in all web.xml files for Tomcat or Java for own fi= lter), and more safety. It does not give more right to outsiders than what = we give with the admin credential. > In Header set Access-Control-Allow-Origin you can put more domains. I jus= t used https://localhost:8443 for the tests. > It works in Chrome, Firefox and Opera and partially in IE11 (not tested i= n Edge). I did not test Safari, but I guess like other modern browsers it s= hould work. > For those (very few I guess) interested by IE11 (for Edge test yourself a= nd report please), here is the solution > https://stackoverflow.com/questions/12643960/internet-explorer-10-is-igno= ring-xmlhttprequest-xhr-withcredentials-true > https://web.archive.org/web/20130308142134/http://msdn.microsoft.com/en-u= s/library/ms537343%28v=3Dvs.85%29.aspx > https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p= 3p/ > TODO (maybe) in the future, use the new Fetch API (not available yet): ht= tps://developer.mozilla.org/en-US/docs/Web/API/Fetch_API -- This message was sent by Atlassian JIRA (v7.6.3#76005)