portals-jetspeed-user mailing list archives

From Woonsan Ko <woon_...@yahoo.com>
Subject Re: SSO IFrame form authentication
Date Fri, 20 Aug 2010 19:13:37 GMT
I guess the first page tried to redirect to the second page with the wrong URL by using JavaScript.
If it redirects to another page from the server side with an HTTP status code and header, then
the reverse proxy service can detect it and rewrite it to a proxied URL from the reverse proxy
configurations, if found.

Anyway, if the first page has javascript to redirect, e.g., 'location.href = /otrs/customer.pl?CSID=1047f4e2a54420bc329c4f2e3cd511e23a',
that script line is not rewritten by default.
(By the way, you can refer to the default rewriting class here if you're interested: http://svn.apache.org/repos/asf/portals/applications/webcontent/trunk/webcontent-jar/src/main/java/org/apache/portals/applications/webcontent/proxy/impl/DefaultReverseProxyLinkRewritingParserAaptor.java)

If the redirecting script line is simple, then you can add a custom replace pattern in the
reverse proxy configuration like the following example:

proxy.reverse.pass.issues.rewriter.parserAdaptor.html.property.customPatterns = \\/otrs\\/customer\\.pl
proxy.reverse.pass.issues.rewriter.parserAdaptor.html.property.customReplaces = /j2-admin/rproxy/otrs/otrs/customer.pl

The above additional custom replace configuration will replace every line having that regex
pattern.

-Woonsan
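
An added illustration, not part of the original message and not Jetspeed code: the Java program below loads the two configuration lines above the way `java.util.Properties` unescapes them, applies them as a plain regex replace-all (an assumption about how the rewriter uses them), and runs them over a constructed page fragment. It shows that the unanchored pattern also matches inside an href that already carries the `/j2-admin/rproxy/otrs` prefix, and adds a hypothetical negative-lookbehind variant that avoids the doubled prefix.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Pattern;

public class CustomPatternDemo {
    // Key prefix copied from the message; everything else here is illustrative.
    static final String KEY =
        "proxy.reverse.pass.issues.rewriter.parserAdaptor.html.property.";

    // Assumption: the rewriter applies the pattern as a regex replace-all.
    static String rewrite(String text, String regex, String replacement) {
        return Pattern.compile(regex).matcher(text).replaceAll(replacement);
    }

    public static void main(String[] args) throws IOException {
        // The two configuration lines from the message, as they appear in the file
        // (each "\\\\" in this Java literal is "\\" in the properties file).
        String conf =
            KEY + "customPatterns = \\\\/otrs\\\\/customer\\\\.pl\n" +
            KEY + "customReplaces = /j2-admin/rproxy/otrs/otrs/customer.pl\n";
        Properties props = new Properties();
        props.load(new StringReader(conf));
        String regex = props.getProperty(KEY + "customPatterns");
        String replacement = props.getProperty(KEY + "customReplaces");
        // Properties unescaping turns "\\/" into "\/": the regex is \/otrs\/customer\.pl
        System.out.println("regex after loading: " + regex);

        // Constructed page fragment: a script redirect the link rewriter skipped,
        // and an anchor whose href already carries the proxied prefix.
        String page =
            "<script>location.href = '/otrs/customer.pl?CSID=SAMPLE';</script>\n" +
            "<a href=\"/j2-admin/rproxy/otrs/otrs/customer.pl?Action=X\">X</a>\n";

        // Unanchored pattern: fixes the script line but also matches inside the
        // already-proxied href, which ends up with the prefix twice.
        System.out.println(rewrite(page, regex, replacement));

        // Guarded variant (hypothetical): a negative lookbehind skips text that is
        // already behind the prefix, so a second pass changes nothing.
        String guarded = "(?<!/j2-admin/rproxy/otrs)" + regex;
        String once = rewrite(page, guarded, replacement);
        System.out.println(once);
        System.out.println("idempotent: "
            + once.equals(rewrite(once, guarded, replacement)));
    }
}
```

Assuming the same escaping, the guarded pattern would be written in the properties file as `(?<!/j2-admin/rproxy/otrs)\\/otrs\\/customer\\.pl`.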

--- On Fri, 8/20/10, mballard@oreillyauto.com <mballard@oreillyauto.com> wrote:

> From: mballard@oreillyauto.com <mballard@oreillyauto.com>
> Subject: Re: SSO IFrame form authentication
> To: "Jetspeed Users List" <jetspeed-user@portals.apache.org>
> Date: Friday, August 20, 2010, 8:19 PM
> I am using j2-admin::SSOReverseProxyIFramePortlet.  I also believe I am
> using the exact reverse properties as the apache example.  I have
> discovered one issue when accessing directly in that it appears when I
> enter
> http://host.domain-name.com:8080/j2-admin/rproxy/otrs/otrs/customer.pl,
> and login manually, I am redirected to
> http://host.domain-name.com:8080/otrs/customer.pl?CSID=1047f4e2a54420bc329c4f2e3cd511e23a
> and I get an HTTP 404 error.  If I then correct the url and put the
> j2-admin/rproxy/otrs back in, I get the correct page rendered and I am
> logged in.  In any case, once I get logged in and try to drill down to an
> incident link, I get an error trying to load the javascript because
> something has changed the .js in the link to .html.  Again, I am using the
> apache example config for rewriting.
>
> # ... Set max matching path part count
> proxy.reverse.pass.maxMatchingPathPartCount = 2
>
> # ... Sets detail attributes for apache path mapping
> proxy.reverse.pass = otrs
> proxy.reverse.pass.otrs.local = /otrs/
> proxy.reverse.pass.otrs.remote = http://host.domain-name.com/
> proxy.reverse.pass.otrs.rewriter.basic = org.apache.portals.applications.webcontent.rewriter.WebContentRewriter
> proxy.reverse.pass.otrs.rewriter.parserAdaptor = html
> proxy.reverse.pass.otrs.rewriter.parserAdaptor.html = org.apache.portals.applications.webcontent.proxy.impl.DefaultReverseProxyLinkRewritingParserAaptor
> proxy.reverse.pass.otrs.rewriter.parserAdaptor.html.mimeType = text/html
> proxy.reverse.pass.otrs.rewriter.parserAdaptor.html.property.lookUpAllMappings = true
> 
> Thanks, MikeB
> 
> Mike Ballard
> Director of Internet Development and Networking
> O'Reilly Auto Parts
> (417) 874-7107 Ofc
> (417) 838-0271 Cell
> 
> 
> From: Woonsan Ko <woon_san@yahoo.com>
> To: Jetspeed Users List <jetspeed-user@portals.apache.org>
> Date: 08/20/2010 12:55 PM
> Subject: Re: SSO IFrame form authentication
>
> Regarding the problem of javascript link ending in .js to .html, with
> which portlet do you meet the problem?
> j2-admin::SSOReverseProxyIFramePortlet,
> j2-admin::SSOFormBasedAuthReverseProxyIFramePortlet,
> j2-admin::SSOIFramePortlet, j2-admin::SSOWebContentPortlet, or
> j2-admin::SSOProxyPortletPortlet?
>
> j2-admin::SSOReverseProxyIFramePortlet and
> j2-admin::SSOFormBasedAuthReverseProxyIFramePortlet only are using the
> reverse proxy service.
>
> If you are using those reverse proxy portlets, then how are the rewriter
> configurations for the reverse proxy pass mapping in
> /j2-admin/WEB-INF/conf/reverseproxy.properties?
> I'd like to recommend you to use the default configuration like the apache
> example:
>
> # ... Sets detail attributes for apache path mapping
> proxy.reverse.pass.apache.local = /apache/
> proxy.reverse.pass.apache.remote = http://apache.org/
> proxy.reverse.pass.apache.rewriter.basic = org.apache.portals.applications.webcontent.rewriter.WebContentRewriter
> proxy.reverse.pass.apache.rewriter.parserAdaptor = html
> proxy.reverse.pass.apache.rewriter.parserAdaptor.html = org.apache.portals.applications.webcontent.proxy.impl.DefaultReverseProxyLinkRewritingParserAaptor
> proxy.reverse.pass.apache.rewriter.parserAdaptor.html.mimeType = text/html
> proxy.reverse.pass.apache.rewriter.parserAdaptor.html.property.lookUpAllMappings = true
>
> With the default example above, the rewriting xml rule files such as
> default-rewriter-rules.xml and rewriter-rules-mapping do not play any role
> with reverse proxying portlets.
>
> The last example in the configuration file still uses the Neko and Sax
> parser adaptor configuration, which was provided for the old web content
> portlets. However, it turns out to be less useful in these reverse proxy
> portlets. (The old rewriting xml rules were mainly for rewriting urls to
> portlet urls, while reverse proxy service is just another servlet-based
> solution with integration to portlet, meaning the url rewriting doesn't
> need to be that complex any more.)
>
> One more tip is that you could test the reverse proxying by navigating the
> proxied urls directly.
> So, for example, if http://www.yourdomain.com/orders/ is mapped to
> /j2-admin/rproxy/yourdomain/orders/, then you can browse directly to
> http://localhost:8080/j2-admin/rproxy/yourdomain/orders/. You can see what
> happens for rewriting problems with this direct access.
> 
> HTH,
> 
> Woonsan
> 
> --- On Fri, 8/20/10, mballard@oreillyauto.com <mballard@oreillyauto.com> wrote:
>
> > From: mballard@oreillyauto.com <mballard@oreillyauto.com>
> > Subject: Re: SSO IFrame form authentication
> > To: "Jetspeed Users List" <jetspeed-user@portals.apache.org>
> > Date: Friday, August 20, 2010, 6:55 PM
> > Good to know.  So I have rebuilt my site on 2.2.1 and it seems to be
> > stable, unlike the previous implementation on Derby.  Not sure if that's
> > an indication of a problem with 2.2.1 & Derby, or just a local issue.  My
> > remaining issue is the rewrite in the reverse proxy portlet is changing a
> > javascript link ending in .js to .html.  Any ideas?
> > 
> > 
> > 
> > From: Woonsan Ko <woon_san@yahoo.com>
> > To: Jetspeed Users List <jetspeed-user@portals.apache.org>
> > Date: 08/20/2010 11:50 AM
> > Subject: Re: SSO IFrame form authentication
> >
> > I believe the pages can be simply copied because I cannot find anything to
> > watch with psml pages either.
> > By the way, you can copy those pages into any other folder by configuring
> > the path in /jetspeed/WEB-INF/conf/override.properties. For example,
> >
> > # default path to (XML) PSML pages root folder
> > psml.pages.path = ${applicationRoot}/WEB-INF/migrated_pages
> > 
> > Regards,
> > 
> > Woonsan
> > 
> > --- On Fri, 8/20/10, mballard@oreillyauto.com <mballard@oreillyauto.com> wrote:
> >
> > > From: mballard@oreillyauto.com <mballard@oreillyauto.com>
> > > Subject: Re: SSO IFrame form authentication
> > > To: "Jetspeed Users List" <jetspeed-user@portals.apache.org>
> > > Date: Friday, August 20, 2010, 3:05 PM
> > > I have installed 2.2.1 with MySQL and I now need to move my pages and
> > > layouts from the 2.2.0 installation.  Given that my previous 2.2.1
> > > installation on Derby is defunct, is there anything I should watch out for
> > > this time?  Can I simply copy the psml's from the 2.2.0 directories to the
> > > 2.2.1 directories?  I have not seen a migration guide to address this
> > > need.
> > > 
> > > 
> > > 
> > > From: Woonsan Ko <woon_san@yahoo.com>
> > > To: Jetspeed Users List <jetspeed-user@portals.apache.org>
> > > Date: 08/18/2010 12:35 PM
> > > Subject: Re: SSO IFrame form authentication
> > >
> > > Hi,
> > >
> > > I haven't heard of that preferences data problem yet in 2.2.1.
> > > IMHO, it could help to localize the problems if you test against other
> > > databases like PostgreSQL or MySQL.
> > > On the other hand, I think you could deploy newer j2-admin.war and
> > > apa-webcontent.war which were included in 2.2.1.
> > > 
> > > -Woonsan
> > > 
> > > 
> > > ----- Original Message ----
> > > > From: "mballard@oreillyauto.com" <mballard@oreillyauto.com>
> > > > To: Jetspeed Users List <jetspeed-user@portals.apache.org>
> > > > Sent: Wed, August 18, 2010 6:10:25 AM
> > > > Subject: Re: SSO IFrame form authentication
> > > >
> > > > Well, here's the rub.  I believe the SSOReverseProxyIFramePortlet is new
> > > > in 2.2.1, which is where I was when I first posted, however, I found that
> > > > my configuration kept getting scrambled, so I reverted to 2.2.0.  I will
> > > > try your suggestion on 2.2.1, but I will have to address the scrambling
> > > > issue.  What is happening is this.  I have cloned the IFramePortlet
> > > > several times and configured each for different static content being
> > > > served from apache2.  I have avoided setting any user preferences, and,
> > > > instead, set the preferences for each clone in the PAM portlet.  Everything
> > > > worked fine.  Then after a few hours, the IFramePortlet content was all
> > > > mixed up.  For instance, the portlet on page 1 would be showing the
> > > > content I had configured for the portlet on page 2 and so on.  I went into
> > > > PAM and corrected the preferences to what they should be and assumed I was
> > > > ok, but the next morning things were scrambled again.  I did some queries
> > > > in the derby db and it appears they are wrong there.  I don't know if this
> > > > is a portlet id issue or an indexing problem or what, but I need a
> > > > resolution before I can proceed to 2.2.1.  Of course, I have the exact same
> > > > configuration in 2.2.0 and am having no problem there, but I also have no
> > > > SSOReverseProxyIFrame there.  Any ideas?
> > > > 
> > > > 
> > > > 
> > > > From: David Sean Taylor <d.taylor@onehippo.com>
> > > > To: Jetspeed Users List <jetspeed-user@portals.apache.org>
> > > > Date: 08/17/2010 07:19 PM
> > > > Subject: Re: SSO IFrame form authentication
> > > >
> > > > On Tue, Aug 17, 2010 at 1:40 PM, <mballard@oreillyauto.com> wrote:
> > > > > How did your testing go?  I compared SSO Webcontent (which works, sort of)
> > > > > to SSO IFrame classes and I see a method for preemptive login in the
> > > > > webcontent class but no reference at all in the SSO IFrame class.  Does
> > > > > this just mean it is being done differently, or is something amiss in the
> > > > > SSO IFrame class?
> > > > 
> > > > There are two SSOIFrame classes:
> > > >
> > > > 1. SSOIFramePortlet
> > > > 2. SSOReverseProxyIFramePortlet
> > > >
> > > > Suggest using the second one, SSOReverseProxyIFramePortlet as it gives
> > > > you features not available in the older SSOIFramePortlet such as
> > > > auto-resizing and form-based authentication (what you are after)
> > > >
> > > > I tested with SSOReverseProxyIFramePortlet and it worked in the
> > > > example that comes with Jetspeed, but it takes a little bit of
> > > > configuration.
> > > >
> > > > First, ensure your Tomcat will need this attribute set in the
> > > > <Connector> element of server.xml:
> > > >
> > > > emptySessionPath="true"
> > > >
> > > > more detail here:
> > > >
> > > > http://portals.apache.org/applications/webcontent/index.html
> > > >
> > > > If you had to change server.xml setting, then restart your server
> > > >
> > > > I took these steps to verify SSO with the example form-based login
> > > > that comes with Jetspeed:
> > > >
> > > > 1. login as admin
> > > > 2. navigate to the Jetspeed Administration space, SSO Management page,
> > > > or just go here:
> > > >
> > > > http://localhost:8080/jetspeed/ui/Administrative/sso-admin.psml
> > > >
> > > > Add a new Site with following parameters:
> > > >
> > > > Site Name: Form Example
> > > > Site URL: http://localhost:8080/j2-admin/examples/formauth.jsp
> > > > Field name for User ID: user
> > > > Field name For Password value: pass
> > > >
> > > > Press Save
> > > >
> > > > Add a new credential for this site in the portlet on the right side
> > > > (SSO Details):
> > > >
> > > > Portal Principal:   admin
> > > > Remote Principal:   admin
> > > > Remote Credential: admin
> > > >
> > > > Press Add
> > > >
> > > > You can verify that the remote credential was added for the admin
> > > > user by going here:
> > > >
> > > > http://localhost:8080/jetspeed/ui/my-account.psml
> > > >
> > > > see the portlet on the right "SSO Change Passwords", a remote site
> > > > entry should be there named "Form Example"
> > > >
> > > > Next, you can use the Toolbox to find the Reverse Proxy Iframe Portlet
> > > > by searching on "iframe" and then selecting it from there and adding
> > > > to a page. To make things simple, I just added a page and then added
> > > > the Reverse Proxy Iframe Portlet there. At first this portlet seems to
> > > > want to use Basic Authentication, so just hit cancel when challenged.
> > > > I then switched to edit mode (pencil icon), and entered the following
> > > > preferences:
> > > >
> > > > TITLE: My SSO Test
> > > > SRC: http://localhost:${serverPort}${contextPath}/examples/formauth.jsp
> > > >
> > > > Press Save
> > > >
> > > > You should see in your portlet content something like:
> > > >
> > > > "Hello, admin. You have been authorized by form-based authentication !!!"
> > > >
> > > > Give that a try and see if it works. Then, move on to your specific
> > > > IFrame source and let us know how it goes...


      

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-user-help@portals.apache.org

