Well, not sure how, but it started working. Since I don't know what I did to make it work, I'm skeptical that it will continue to work, but we'll hope. Curious if something got cached to allow it to work and when the cache expires it will quit. Only issue is that I get the base page rendered just fine and then click a link on the the page which goes to a different path, ie, I was on http://host/otrs/... and the link takes me to http://host/otrs-web/... at which point that content gets a 404 in the portlet. Of course, thats not the case in a non portlet page. Does this mean I have to do more configuration or what?
From: Woonsan Ko <[email protected]> To: Jetspeed Users List <[email protected]> Date: 08/19/2010 01:19 PM Subject: Re: SSO IFrame form authentication Regarding the additional hidden fields, can you append those in the SRC url like this? http://host.domainname.com:8090/ATGAdmin/login.jsp?hidden1=a&hidden2=b --- On Thu, 8/19/10, [email protected] <[email protected]> wrote: > From: [email protected] <[email protected]> > Subject: Re: SSO IFrame form authentication > To: "Jetspeed Users List" <[email protected]> > Date: Thursday, August 19, 2010, 6:41 PM > OK, finally got my simple case to > work. I was able to set my src to > customers.htm and my SSO url to login.htm and it works > great now. However, > this was a simple case and not the solution I need. I > am now trying to > login into a url which requires form auth with User & > Password fields, and > also has 3 or 4 hidden fields it is expecting. The > sso doc in the > deployment guide refers to sso.form.Args, but this doesn't > seem to work. > Should it, or is there another way to accomplish. The > net result is > reverse proxy is rendering my url but it doesn't log me > in. > > > > From: > Woonsan Ko <[email protected]> > To: > Jetspeed Users List <[email protected]> > Date: > 08/18/2010 05:28 PM > Subject: > Re: SSO IFrame form authentication > > > > Did you configure `emptySessionPath="true"' for the > Connector in > $CATALINA_HOME/conf/server.xml? > Because all the SSO credentials are shared via session > between the portlet > and > reverse proxy service servlet, the option above is > necessary. The option > name is > case-sensitive and tomcat must be restarted. (Sometimes, > you should check > if the > process is still running after trying to stop tomcat.) > Also, are you using j2-admin's reverse proxy service > servlet > (/j2-admin/rproxy > or ${contextPath}/rproxy) with j2-admin's > SSOReveseProxyIFramePortlet? > Session can be shared inside the same web application. > By the way, can you test it after refreshing the session? > I've just found > that > the SSO credentials information are initialized when > there's no existing > one in > the session. > And, when you right-click in the iframe, is the page > properly > reverse-proxied? > The page should be from /j2-admin/rproxy/.... Otherwise, > the reverse proxy > > configuration could be wrong. > > -Woonsan > > > ----- Original Message ---- > > From: "[email protected]" > <[email protected]> > > To: Jetspeed Users List <[email protected]> > > Sent: Wed, August 18, 2010 1:47:59 PM > > Subject: Re: SSO IFrame form authentication > > > > Well, that surprises me, as the SSO doc refers to an > sso.form.Action > > property. And this works fine in the sso > webcontent portlet in 2.2.0 I > > > successfully configured it to post my login form, > using sso.form.Action, > > > log me in, then navigate to the SRC url. Works > great, except > webcontent > > has problems rendering the page properly. Thats > why I want to use SSO > > IFrame. The makes no distinction between IFrame > and Webcontent > portlets > > as it relates to form based auth. At any rate, > I have went thru your > > previous responses, tried using login.htm in the > src, but I still never > > > get a post . It simply does a get on the > login.htm and renders the > page. > > I have been very careful to assure my SSO Admin > properties are synced > with > > my portlet properties, so it should map to a set > of credentials, but > they > > never get posted. The best I can do with > the proxy portlets is get it > to > > do basic auth, which of course will not work > with my target url. > > > > > > > > From: > > Woonsan Ko <[email protected]> > > To: > > Jetspeed Users List <[email protected]> > > Date: > > 08/18/2010 02:12 PM > > Subject: > > Re: SSO IFrame form authentication > > > > > > > > Unfortunately, the portlet or any other > SSO-related portlet does not > > provide > > different form auth URL from the navigating > URL. > > So, the SRC URL must be the form auth target URL. It's > up to the form > auth > > > > target URL to redirect to other contents. > > The SSOReverseProxyIFramePortlet is responsible > only for sending > > credentials > > information to the target form auth page with > specified parameter names > in > > POST > > method. > > This limitation is because it could be complicated if > it should manage > > some > > states in a general way to check if the target > site has authenticated > or > > not. > > On the other hand, it would be easier to add or > customize a form auth > > target > > page; it can do authentication, store some > session attributes and > redirect > > to > > other pages. > > SSOReverseProxyIFramePortlet remembers the last > visited page; so when > you > > visit > > the page back, it will remember the navigation states > during the > session. > > Also, you could choose basic authentication if you > don't want to add or > > > customize the form auth target page. > > > > Here are some details on SSO configurations. > > There are two places to configure SSO configs. > > Firstly, the system administrator should register SSO > SITEs in > j2-admin's > > SSO > > Admin portlet. [1] > > Secondly, each user should register the SSO > credentials information in > > my-account.psml which can be navigated by a link > in the login portlet > > after > > authenticated. > > Thirdly, SSOReverseProxyIFramePortlet retrieves > the SSO SITE > information > > and the > > user's SSO credentials information, determining those > from the SRC url. > > > > In your example, you need to register an SSO SITE with > > > http://host.domainname.com:8090/ATGAdmin/ > or > > http://host.domainname.com:8090/ > > with proper authentication mechanism. > > If the SSO SITE needs form authentication, you should > provide proper > form > > auth > > parameters for username and password. > > When you visit a portal page including the sso > reverse proxy iframe > > portlet, the > > portlet will find the best matched SSO SITE from the > current navigation > > url. > > So, if the current proxied url > > is http://host.domainname.com:8090/ATGAdmin/login.jsp, > then the portlet > > > will > > retrieve the SSO SITE and credentials information for > the user. > > If it is form-auth for the SSO SITE, the portlet > will send the > credentials > > > > information with the specified parameter names in POST > method to the > > target form > > auth page. > > > > [1] > > http://portals.apache.org/jetspeed-2/adminguide/sso.html#SSO_Management > > > > HTH, > > > > Woonsan > > > > > > ----- Original Message ---- > > > From: "[email protected]" > <[email protected]> > > > To: Jetspeed Users List <[email protected]> > > > Sent: Wed, August 18, 2010 11:37:23 AM > > > Subject: Re: SSO IFrame form > authentication > > > > > > Thanks for the much needed > documentaton. However, I still can't seem > to > > > > > tie the SSO configuration to the > portlet. I can use the SSO Reverse > > Proxy > > > portlet to render the remote content, but I > do not see how to get the > > > > portlet to preemptively log into the > site. My src is > > > http://host.domainname.com:8090/ATGAdmin/customers.htm, > however, SSO > > > should be logging into > > http://host.domainname.com:8090/ATGAdmin/login.htm > > > I don't see how the SSO config knows that, and in > my case, it > certainly > > > does not do it. To net it out, I can get > the SSO portlet to render > the > > > site, but the login never happens. > > > > > > > > > > > > From: > > > Woonsan Ko <[email protected]> > > > To: > > > Jetspeed Users List <[email protected]> > > > Date: > > > 08/18/2010 12:28 PM > > > Subject: > > > Re: SSO IFrame form authentication > > > > > > > > > > > > Hi, > > > > > > For the preferences of the portlet, you can > refer to this > > documentation: > > > http://portals.apache.org/applications/webcontent/index.html > > > > > > For URL related stuffs, there are > three: SRC, PROXYREMOTEURL and > > > PROXYLOCALPATH. > > > The SRC preference is the same as the > default IFrame portlet. > > > The PROXYREMOTEURL preference is for > configuring the remote proxy > target > > > > > url > > > base path. > > > The PROXYLOCALPATH preference is for > configuring the local proxy > pass > > base > > > path. > > > So, for example, if SRC is > http://www.yourcompany.com/foo/bar/test.html > > > > > and your > > > reverse proxy service (servlet) is > configured to map > > /j2-admin/rproxy/foo/ > > > to > > > http://www.yourcompany.com/foo/, > then PROXYREMOTEURL should be set > > > to http://www.yourcompany.com/foo/ and > PROXYLOCALPATH should be set > > > to /j2-admin/rproxy/foo/ or > $[contextPath}/rproxy/foo/. > > > Also, please see the following > documentation on how to configure > > reverse > > > proxy > > > service: > > > http://portals.apache.org/applications/webcontent/rproxy.html > > > > > > Regards, > > > > > > Woonsan > > > > > > > > > ----- Original Message ---- > > > > From: "[email protected]" > <[email protected]> > > > > To: Jetspeed Users List <[email protected]> > > > > Sent: Wed, August 18, 2010 > 7:22:38 AM > > > > Subject: Re: SSO IFrame form > authentication > > > > > > > > I was able to successfully get > form-based auth to work with your > > example > > > > > > > scenario, however, my own test case > does not. I still simply go > > > directly > > > > to the login screen. I'm > sure it has to do with the > proxyremoteurl > > and > > > > > > > proxylocalpath args, but I > have not seen any detailed doc on how > > they > > > > work. > > > > > > > > > > > > > > > > From: > > > > David Sean Taylor <[email protected]> > > > > To: > > > > Jetspeed Users List <[email protected]> > > > > Date: > > > > 08/17/2010 07:19 PM > > > > Subject: > > > > Re: SSO IFrame form authentication > > > > > > > > > > > > > > > > On Tue, Aug 17, 2010 at > 1:40 PM, <[email protected]> > > wrote: > > > > > How did your testing go? I > compared SSO Webcontent (which > works, > > > sort > > > > of) > > > > > to SSO IFrame classes and I > see a method for preemptive login > in > > the > > > > > webcontent class but no reference > at all in the SSO IFrame > class. > > > Does > > > > > this just mean it is being > done differently, or is something > amiss > > in > > > > > > > the > > > > > SSO IFrame class? > > > > > > > > There are two SSOIFrame classes: > > > > > > > > 1. SSOIFramePortlet > > > > 2. > SSOReverseProxyIFramePortlet > > > > > > > > Suggest using the second > one, SSOReverseProxyIFramePortlet as it > > gives > > > > you features not available in > the older SSOIFramePortlet such as > > > > auto-resizing and form-based > authentication (what you are after) > > > > > > > > I tested with > SSOReverseProxyIFramePortlet and it worked in the > > > > example that comes with > Jetspeed, but it takes a little bit of > > > > configuration. > > > > > > > > First, ensure your Tomcat will need > this attribute set in the > > > > <Connector> element > of server.xml: > > > > > > > > emptySessionPath="true" > > > > > > > > more detail here: > > > > > > > > http://portals.apache.org/applications/webcontent/index.html > > > > > > > > If you had to change server.xml > setting, then restart your server > > > > > > > > I took these steps to verify SSO > with the example form-based > login > > > > that comes with Jetspeed: > > > > > > > > 1. login as admin > > > > 2. navigate to the Jetspeed > Administration space, SSO Management > > page, > > > > or just go here: > > > > > > > > http://localhost:8080/jetspeed/ui/Administrative/sso-admin.psml > > > > > > > > Add a new Site with following > parameters: > > > > > > > > Site Name: Form Example > > > > Site URL: http://localhost:8080/j2-admin/examples/formauth.jsp > > > > Field name for User ID: > user > > > > Field name For Password value: pass > > > > > > > > Press Save > > > > > > > > Add a new credential for this > site in the portlet on the right > side > > > > (SSO Details): > > > > > > > > > Portal Principal: admin > > > > Remote Principal: admin > > > > Remote Credential: admin > > > > > > > > Press Add > > > > > > > > You can verify that the > remote credential was added for the > admin > > > > user by going here: > > > > > > > > http://localhost:8080/jetspeed/ui/my-account.psml > > > > > > > > see the portlet on the > right "SSO Change Passwords", a remote > site > > > > entry should be there named > "Form Example" > > > > > > > > Next, you can use the Toolbox to > find the Reverse Proxy Iframe > > Portlet > > > > by searching on "iframe" > and then selecting it from there and > adding > > > > to a page. To make things > simple, I just added a page and then > added > > > > the Reverse Proxy Iframe Portlet > there. At first this portlet > seems > > to > > > > want to use Basic > Authentication, so just hit cancel when > challenged. > > > > I then switched to edit mode > (pencil icon), and entered the > following > > > > preferences: > > > > > > > > TITLE: My SSO Test > > > > SRC: http://localhost:$ > > {serverPort}${contextPath}/examples/formauth.jsp > > > > > > > > Press Save > > > > > > > > You should see in your portlet > content something like: > > > > > > > > "Hello, admin. You have been > authorized by form-based > authentication > > > > > !!!" > > > > > > > > Give that a try and see if it > works. Then, move on to your > specific > > > > IFrame source and let us know > how it goes... > > > > > > > > > --------------------------------------------------------------------- > > > > To unsubscribe, e-mail: > [email protected] > > > > For additional commands, > e-mail: > > [email protected] > > > > > > > > > > > > -- > > > > This message has been scanned > for viruses and > > > > dangerous content by > MailScanner, and is > > > > believed to be > clean (mailgw2:E659D1E6FC.D1395). > > > > > > > > > > > > > > > > > > > > This communication and any attachments > are confidential, protected > > > by > > > > Communications Privacy Act 18 > USCS § 2510, solely for the use of > the > > > > > > intended recipient, and may > contain legally privileged material. > If > > you > > > > > > > are not the intended recipient, > please return or destroy it > > > immediately. > > > > Thank you. > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: [email protected] > > > For additional commands, e-mail: > [email protected] > > > > > > > > > -- > > > This message has been scanned for > viruses and > > > dangerous content by MailScanner, and is > > > believed to be clean > (mailgw2:8B67A1E701.EB059). > > > > > > > > > > > > > > > This communication and any attachments are > confidential, protected > by > > > Communications Privacy Act 18 USCS § 2510, > solely for the use of the > > > > intended recipient, and may contain > legally privileged material. If > you > > > > > are not the intended recipient, > please return or destroy it > > immediately. > > > Thank you. > > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean > (mailgw2:AB8841E700.50A86). > > > > > > > > > > This communication and any attachments are > confidential, protected by > > Communications Privacy Act 18 USCS § 2510, > solely for the use of the > > intended recipient, and may contain legally > privileged material. If you > > > are not the intended recipient, please return or > destroy it > immediately. > > Thank you. > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean (mailgw2:C70BC1E6FE.B6E38). > > > > > This communication and any attachments are confidential, > protected by > Communications Privacy Act 18 USCS § 2510, solely for the > use of the > intended recipient, and may contain legally privileged > material. If you > are not the intended recipient, please return or destroy it > immediately. > Thank you. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean (mailgw2:99F5A1E6FF.2A7BF). This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
