[ 
https://issues.apache.org/jira/browse/OFBIZ-10307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-10307:
---------------------------------------

    Assignee: Jacques Le Roux

> Navigate from a domain to another with automated signed in authentication
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-10307
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10307
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Upcoming Branch
>
>         Attachments: OFBIZ-10307-test.patch, OFBIZ-10307.patch, 
> OFBIZ-10307.patch
>
>
> This will use a JWT Token authentication to get from one domain, where you 
> are signed in, to another domain where you get signed in automatically. 
> Something like ExternalLoginKey or Tomcat SSO, but not on the same domain.
> This will build upon the initial work done at OFBIZ-9833 which has been 
> partially reverted in trunk with r1827439 (see OFBIZ-10304) and r1827441. I 
> explained why and what I did at https://s.apache.org/a5Km
> I turned to Ajax for the "Authorization" header sending. I initially thought 
> I'd just pass an "Authorization" header and use it in the 
> externalServerLoginCheck preprocessor, et voilà.
> But I stumbled upon something I did not know well: CORS! And in particular 
> the upstream control (Pre-verified requests):
> https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_example
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
> https://www.w3.org/TR/cors/
> To be able to pass an "Authorization" header, the server must respond 
> positively in the Preflight HTTP response (OPTIONS). To do this, either you 
> use a Tomcat filter (or your own filter, there are examples on the Net) or 
> use HTTPD (or Nginx) configuration on the target server.
> I tried Tomcat first, without success. With HTTPD it's easier, just 3 lines. 
> For my tests, future tests by OFBiz users and as an example, I asked infra to 
> put them in our HTTPD trunk demo config:
>     Header set Access-Control-Allow-Origin "https://localhost:8443"
>     Header set Access-Control-Allow-Headers "Authorization"
>     Header set Access-Control-Allow-Credentials "true"
> No code change (either in all web.xml files for Tomcat or Java for own 
> filter), and more safety. It does not give more right to outsiders than what 
> we give with the admin credential.
> In Header set Access-Control-Allow-Origin you can put more domains. I just 
> used https://localhost:8443 for the tests.
> It works in Chrome, Firefox and Opera and partially in IE11 (not tested in 
> Edge). I did not test Safari, but I guess like other modern browsers it 
> should work.
> For those (very few I guess) interested in IE11 (for Edge test yourself and 
> report please), here is the solution
> https://stackoverflow.com/questions/12643960/internet-explorer-10-is-ignoring-xmlhttprequest-xhr-withcredentials-true
> https://web.archive.org/web/20130308142134/http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx
> https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
> TODO (maybe) in the future, use the new Fetch API (not available yet): 
> https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
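The preflight decision that the three HTTPD lines above implement, as an added example that is not part of this issue or of OFBiz: a small Python model of the server side of the OPTIONS request, which answers only for origins on an explicit allowlist (the https://localhost:8443 origin from the description plus a constructed second origin) and echoes exactly one origin rather than a wildcard, since browsers reject `*` combined with `Access-Control-Allow-Credentials: true` and reflecting arbitrary origins would defeat the allowlist.

```python
from typing import Mapping, Optional

# Origins allowed to send the "Authorization" header cross-domain.
# https://localhost:8443 is the value from the issue; the second entry is a
# constructed placeholder standing in for another OFBiz instance.
ALLOWED_ORIGINS = frozenset({
    "https://localhost:8443",
    "https://ofbiz-b.example.invalid",  # constructed example, not a real host
})
ALLOWED_HEADERS = frozenset({"authorization"})
ALLOWED_METHODS = frozenset({"GET", "POST", "OPTIONS"})


def preflight_response(request_headers: Mapping[str, str]) -> Optional[dict]:
    """Build the CORS headers for an OPTIONS preflight request.

    Returns None when the preflight must be refused; the browser then blocks
    the real request that wanted to carry the Authorization header.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    method = hdrs.get("access-control-request-method", "").upper()
    requested = {
        h.strip().lower()
        for h in hdrs.get("access-control-request-headers", "").split(",")
        if h.strip()
    }

    # Exact-match allowlist: no suffix matching, no regex, no "*".  With
    # Allow-Credentials "true" browsers reject a wildcard origin anyway, and
    # reflecting whatever Origin arrives would grant the credentialed
    # cross-site call to any site, which is what the allowlist prevents.
    if origin not in ALLOWED_ORIGINS:
        return None
    if method not in ALLOWED_METHODS:
        return None
    if not requested <= ALLOWED_HEADERS:
        return None

    return {
        # Echo exactly one allowed origin (the header takes a single value).
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Headers": "Authorization",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        # The response differs per Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
```

A static `Header set` in HTTPD covers a single fixed origin as in the issue; this per-request allowlist is what "more domains" requires, because a browser only honours one origin value in Access-Control-Allow-Origin.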



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
