Actually, I have found that I cannot manually log into this site when in
the reverse proxy portlet, but it works fine on a vanilla browser page.



From: Woonsan Ko <[email protected]>
To: Jetspeed Users List <[email protected]>
Date: 08/18/2010 05:28 PM
Subject: Re: SSO IFrame form authentication



Did you configure `emptySessionPath="true"' for the Connector in
$CATALINA_HOME/conf/server.xml?
Because all the SSO credentials are shared via session between the portlet
and reverse proxy service servlet, the option above is necessary. The option
name is case-sensitive and tomcat must be restarted. (Sometimes, you should
check if the process is still running after trying to stop tomcat.)
Also, are you using j2-admin's reverse proxy service servlet
(/j2-admin/rproxy or ${contextPath}/rproxy) with j2-admin's
SSOReverseProxyIFramePortlet?
Session can be shared inside the same web application.
By the way, can you test it after refreshing the session? I've just found
that the SSO credentials information is initialized when there's no existing
one in the session.
And, when you right-click in the iframe, is the page properly
reverse-proxied?
The page should be from /j2-admin/rproxy/.... Otherwise, the reverse proxy
configuration could be wrong.

-Woonsan


----- Original Message ----
> From: "[email protected]" <[email protected]>
> To: Jetspeed Users List <[email protected]>
> Sent: Wed, August 18, 2010 1:47:59 PM
> Subject: Re: SSO IFrame form authentication
> 
> Well, that surprises me, as the SSO doc refers to an sso.form.Action
> property. And this works fine in the sso webcontent portlet in 2.2.0. I
> successfully configured it to post my login form, using sso.form.Action,
> log me in, then navigate to the SRC url. Works great, except webcontent
> has problems rendering the page properly. That's why I want to use SSO
> IFrame. The makes no distinction between IFrame and Webcontent portlets
> as it relates to form based auth. At any rate, I have gone through your
> previous responses, tried using login.htm in the src, but I still never
> get a post. It simply does a get on the login.htm and renders the page.
> I have been very careful to assure my SSO Admin properties are synced with
> my portlet properties, so it should map to a set of credentials, but they
> never get posted. The best I can do with the proxy portlets is get it to
> do basic auth, which of course will not work with my target url.
> 
> 
> 
> From: Woonsan Ko <[email protected]>
> To: Jetspeed Users List <[email protected]>
> Date: 08/18/2010 02:12 PM
> Subject: Re: SSO IFrame form authentication
> 
> 
> 
> Unfortunately, the portlet or any other SSO-related portlet does not
> provide different form auth URL from the navigating URL.
> So, the SRC URL must be the form auth target URL. It's up to the form auth
> target URL to redirect to other contents.
> The SSOReverseProxyIFramePortlet is responsible only for sending
> credentials information to the target form auth page with specified
> parameter names in POST method.
> This limitation is because it could be complicated if it should manage
> some states in a general way to check if the target site has authenticated
> or not.
> On the other hand, it would be easier to add or customize a form auth
> target page; it can do authentication, store some session attributes and
> redirect to other pages.
> SSOReverseProxyIFramePortlet remembers the last visited page; so when you
> visit the page back, it will remember the navigation states during the
> session.
> Also, you could choose basic authentication if you don't want to add or
> customize the form auth target page.
>
> Here are some details on SSO configurations.
> There are two places to configure SSO configs.
> Firstly, the system administrator should register SSO SITEs in j2-admin's
> SSO Admin portlet. [1]
> Secondly, each user should register the SSO credentials information in
> my-account.psml which can be navigated by a link in the login portlet
> after authenticated.
> Thirdly, SSOReverseProxyIFramePortlet retrieves the SSO SITE information
> and the user's SSO credentials information, determining those from the SRC
> url.
>
> In your example, you need to register an SSO SITE with
> http://host.domainname.com:8090/ATGAdmin/ or
> http://host.domainname.com:8090/ with proper authentication mechanism.
> If the SSO SITE needs form authentication, you should provide proper form
> auth parameters for username and password.
> When you visit a portal page including the sso reverse proxy iframe
> portlet, the portlet will find the best matched SSO SITE from the current
> navigation url.
> So, if the current proxied url is
> http://host.domainname.com:8090/ATGAdmin/login.jsp, then the portlet will
> retrieve the SSO SITE and credentials information for the user.
> If it is form-auth for the SSO SITE, the portlet will send the credentials
> information with the specified parameter names in POST method to the
> target form auth page.
>
> [1] http://portals.apache.org/jetspeed-2/adminguide/sso.html#SSO_Management
> 
> HTH,
> 
> Woonsan
> 
> 
> ----- Original Message ----
> > From: "[email protected]" <[email protected]>
> > To: Jetspeed Users List <[email protected]>
> > Sent: Wed, August 18, 2010 11:37:23 AM
> > Subject: Re: SSO IFrame form authentication
> >
> > Thanks for the much needed documentation. However, I still can't seem to
> > tie the SSO configuration to the portlet. I can use the SSO Reverse Proxy
> > portlet to render the remote content, but I do not see how to get the
> > portlet to preemptively log into the site. My src is
> > http://host.domainname.com:8090/ATGAdmin/customers.htm, however, SSO
> > should be logging into http://host.domainname.com:8090/ATGAdmin/login.htm
> > I don't see how the SSO config knows that, and in my case, it certainly
> > does not do it. To net it out, I can get the SSO portlet to render the
> > site, but the login never happens.
> > 
> > 
> > 
> > From: Woonsan Ko <[email protected]>
> > To: Jetspeed Users List <[email protected]>
> > Date: 08/18/2010 12:28 PM
> > Subject: Re: SSO IFrame form authentication
> > 
> > 
> > 
> > Hi,
> > 
> > For the preferences of the portlet, you can refer to this documentation:
> > http://portals.apache.org/applications/webcontent/index.html
> >
> > For URL related stuffs, there are three: SRC, PROXYREMOTEURL and
> > PROXYLOCALPATH.
> > The SRC preference is the same as the default IFrame portlet.
> > The PROXYREMOTEURL preference is for configuring the remote proxy target
> > url base path.
> > The PROXYLOCALPATH preference is for configuring the local proxy pass base
> > path.
> > So, for example, if SRC is http://www.yourcompany.com/foo/bar/test.html
> > and your reverse proxy service (servlet) is configured to map
> > /j2-admin/rproxy/foo/ to http://www.yourcompany.com/foo/, then
> > PROXYREMOTEURL should be set to http://www.yourcompany.com/foo/ and
> > PROXYLOCALPATH should be set to /j2-admin/rproxy/foo/ or
> > ${contextPath}/rproxy/foo/.
> > Also, please see the following documentation on how to configure reverse
> > proxy service:
> > http://portals.apache.org/applications/webcontent/rproxy.html
> >
> > Regards,
> >
> > Woonsan
> > 
> > 
> > ----- Original Message ----
> > > From: "[email protected]" <[email protected]>
> > > To: Jetspeed Users List <[email protected]>
> > > Sent: Wed, August 18, 2010 7:22:38 AM
> > > Subject: Re: SSO IFrame form authentication
> > >
> > > I was able to successfully get form-based auth to work with your example
> > > scenario, however, my own test case does not. I still simply go directly
> > > to the login screen. I'm sure it has to do with the proxyremoteurl and
> > > proxylocalpath args, but I have not seen any detailed doc on how they
> > > work.
> > > 
> > > 
> > > 
> > > From: David Sean Taylor <[email protected]>
> > > To: Jetspeed Users List <[email protected]>
> > > Date: 08/17/2010 07:19 PM
> > > Subject: Re: SSO IFrame form authentication
> > > 
> > > 
> > > 
> > > On Tue, Aug 17, 2010 at 1:40 PM, <[email protected]> wrote:
> > > > How did your testing go? I compared SSO Webcontent (which works, sort
> > > > of) to SSO IFrame classes and I see a method for preemptive login in
> > > > the webcontent class but no reference at all in the SSO IFrame class.
> > > > Does this just mean it is being done differently, or is something amiss
> > > > in the SSO IFrame class?
> > >
> > > There are two SSOIFrame classes:
> > >
> > > 1. SSOIFramePortlet
> > > 2. SSOReverseProxyIFramePortlet
> > >
> > > Suggest using the second one, SSOReverseProxyIFramePortlet as it gives
> > > you features not available in the older SSOIFramePortlet such as
> > > auto-resizing and form-based authentication (what you are after)
> > >
> > > I tested with SSOReverseProxyIFramePortlet and it worked in the
> > > example that comes with Jetspeed, but it takes a little bit of
> > > configuration.
> > >
> > > First, ensure your Tomcat will need this attribute set in the
> > > <Connector> element of server.xml:
> > >
> > > emptySessionPath="true"
> > >
> > > more detail here:
> > >
> > > http://portals.apache.org/applications/webcontent/index.html
> > >
> > > If you had to change server.xml setting, then restart your server
> > >
> > > I took these steps to verify SSO with the example form-based login
> > > that comes with Jetspeed:
> > > 
> > > 1. login as admin
> > > 2. navigate to the Jetspeed Administration space, SSO Management page,
> > > or just go here:
> > >
> > > http://localhost:8080/jetspeed/ui/Administrative/sso-admin.psml
> > >
> > > Add a new Site with following parameters:
> > >
> > > Site Name: Form Example
> > > Site URL: http://localhost:8080/j2-admin/examples/formauth.jsp
> > > Field name for User ID: user
> > > Field name For Password value: pass
> > >
> > > Press Save
> > >
> > > Add a new credential for this site in the portlet on the right side
> > > (SSO Details):
> > >
> > > Portal Principal: admin
> > > Remote Principal: admin
> > > Remote Credential: admin
> > >
> > > Press Add
> > >
> > > You can verify that the remote credential was added for the admin
> > > user by going here:
> > >
> > > http://localhost:8080/jetspeed/ui/my-account.psml
> > >
> > > see the portlet on the right "SSO Change Passwords", a remote site
> > > entry should be there named "Form Example"
> > > 
> > > Next, you can use the Toolbox to find the Reverse Proxy Iframe Portlet
> > > by searching on "iframe" and then selecting it from there and adding
> > > to a page. To make things simple, I just added a page and then added
> > > the Reverse Proxy Iframe Portlet there. At first this portlet seems to
> > > want to use Basic Authentication, so just hit cancel when challenged.
> > > I then switched to edit mode (pencil icon), and entered the following
> > > preferences:
> > >
> > > TITLE: My SSO Test
> > > SRC: http://localhost:${serverPort}${contextPath}/examples/formauth.jsp
> > >
> > > Press Save
> > >
> > > You should see in your portlet content something like:
> > >
> > > "Hello, admin. You have been authorized by form-based authentication !!!"
> > >
> > > Give that a try and see if it works. Then, move on to your specific
> > > IFrame source and let us know how it goes...
> > > 
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by MailScanner, and is
> > > believed to be clean (mailgw2:E659D1E6FC.D1395).
> > >
> > > This communication and any attachments are confidential, protected by
> > > Communications Privacy Act 18 USCS § 2510, solely for the use of the
> > > intended recipient, and may contain legally privileged material. If you
> > > are not the intended recipient, please return or destroy it immediately.
> > > Thank you.
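Added example (not part of the thread and not Jetspeed code): a small Python check of the two things Woonsan asks about above, whether the iframe page is served from the PROXYLOCALPATH and which SSO SITE the SRC maps to. The "best matched" rule is modelled here as longest URL prefix, which is an assumption, and the /j2-admin/rproxy/ATGAdmin/ mapping and the site authentication types are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample configuration built from the URLs quoted in the thread.
# Each base ends with "/", so a prefix match cannot spill into another
# host name or a sibling directory.
SSO_SITES = {
    "http://host.domainname.com:8090/": "basic",
    "http://host.domainname.com:8090/ATGAdmin/": "form",
}
PROXY_REMOTE_URL = "http://host.domainname.com:8090/ATGAdmin/"
PROXY_LOCAL_PATH = "/j2-admin/rproxy/ATGAdmin/"  # assumed rproxy mapping


def to_local_path(src, remote_base, local_base):
    """Rewrite SRC to its local proxy path; None if SRC is outside remote_base."""
    if not src.startswith(remote_base):
        return None
    return local_base + src[len(remote_base):]


def best_matched_site(url, sites):
    """Registered site with the longest prefix of url (assumed matching rule)."""
    matches = [site for site in sites if url.startswith(site)]
    return max(matches, key=len) if matches else None


def is_reverse_proxied(iframe_url, local_base):
    """True when the URL shown in the iframe is under the local proxy path."""
    return urlsplit(iframe_url).path.startswith(local_base)


def diagnose(src, iframe_url):
    """Return (local path, matched site, findings) for one portlet setup."""
    findings = []
    local = to_local_path(src, PROXY_REMOTE_URL, PROXY_LOCAL_PATH)
    if local is None:
        findings.append("SRC is not under PROXYREMOTEURL")
    if not is_reverse_proxied(iframe_url, PROXY_LOCAL_PATH):
        findings.append("iframe is not served from PROXYLOCALPATH")
    site = best_matched_site(src, SSO_SITES)
    if site is None:
        findings.append("no SSO SITE matches SRC")
    elif SSO_SITES[site] != "form":
        findings.append("matched SSO SITE is not form-auth")
    return local, site, findings
```

An empty findings list means the SRC, proxy mapping and SSO SITE registration agree with each other; it does not show that the session is shared, which still depends on the emptySessionPath setting.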