Re: Building a Web Proxy with Authentication
Hi Hatton,

problems with what you're doing is that these authentication schemes typically keep an auth cookie in the browser. When making an authentication request from another server, that cookie stays on the requesting entity - the server itself. You would have to pass the contents of that authentication cookie from the proxy to the client browser. This is easily done when you know the contents of that cookie. However, in Integrated Windows Authentication (IWA), you'll only get a hash of the password that cookie. The username/password

> So my boss comes to me the other day and says, I want to provide our clients with a unified login for all the various web based tools we provide. I said that I could. We're building a new front-end that is going to accept a client login and then provide links to the various tools we offer. My thought is to tie the unified login via a database to the login credentials for the other sites. There is going to be a proxy page that will handle the HTTP calls to the other sites so session consistency won't be an issue. My big issue now is how to call a page that uses Windows (or windows-like) authentication. Is it as simple as passing the username and password parameters for a CFHTTP call? The sites that I'm going to be linking to use either the IIS authentication or web form authentication. I know I can fudge the login for the web form with a CFHTTP post... has anyone else built a web proxy like this? Thanks!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:274830
Re: Building a Web Proxy with Authentication
Hi Hatton,

(I was in the middle of formulating my thoughts with the previous post when I accidentally posted, please ignore it)

What you can do in this instance is intercept all incoming requests for a site. On the first request from any client, you can request username/password and then store that somewhere in memory. When any request for a site comes in, if the site requires authentication, you can simply pass those credentials to the requesting site. However, you'll have to work out the issues regarding authentication/session cookies as it pertains to each client - after all, each authentication request is going to require some way to keep track of the logged-in user.

You can work around the Sharepoint Integrated Windows Authentication prompt by forcing Forms authentication with an ISAPI filter. Microsoft has a sample ISAPI filter application called CustomAuth that does exactly this.

I don't think this is terribly difficult to program, but I think that ISA Server might already do all of this.

- Matt Small
Re: Building a Web Proxy with Authentication
> problems with what you're doing is that these authentication schemes typically keep an auth cookie in the browser. When making an authentication request from another server, that cookie stays on the requesting entity - the server itself. You would have to pass the contents of that authentication cookie from the proxy to the client browser.

Hrmmm... I was actually trying to do something a little different. I did some basic testing passing the Username and Password fields along in the CFHTTP. I was somewhat successful. Basically I got the HTML for the page but then was prompted for a username and password as the page tried to process the CSS, JS and images. My thought was to actually have the proxy download those files locally and then change the URL called within the HTML to pull from the saved files instead of the original URL.

If I could bypass that by catching the cookie set and forwarding the cookie on to the client's browser it would negate the need to do that... I think.
Re: Building a Web Proxy with Authentication
> There's a big difference between Windows authentication and Windows-like authentication - I'm not even sure what you mean by that. Windows authentication typically doesn't use a password - the password itself is hashed by the client, and the hash is sent to the server for comparison. IIS might be using Windows authentication, or it might be using Basic or Digest authentication.

We're trying to integrate utilities like Sharepoint, which ties in to the domain for authentication but pops up the Username and Password prompt. That's what I'm defining as Windows Like.

I'm beginning to wonder if there isn't something already built out there that I can use to tie in this functionality.
RE: Building a Web Proxy with Authentication
> We're trying to integrate utilities like Sharepoint, which ties in to the domain for authentication but pops up the Username and Password prompt. That's what I'm defining as Windows Like.

IIS can authenticate users against the domain using Basic authentication, NTLM, and Digest authentication. Which are you using?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Re: Building a Web Proxy with Authentication
On 4/8/07, Dave Watts wrote:
> > We're trying to integrate utilities like Sharepoint, which ties in to the domain for authentication but pops up the Username and Password prompt. That's what I'm defining as Windows Like.
>
> IIS can authenticate users against the domain using Basic authentication, NTLM, and Digest authentication. Which are you using?

I'm going to go out on a limb and say basic authentication... I've done a bit more reading and I make that assumption based on the fact that all I am challenged for is a username and password. While these are pulled from the Active Directory server it appears that they are copies.
Re: Building a Web Proxy with Authentication
I could be forgetting but I believe that using basic authentication isn't a great option in general. If your site is not running SSL I think password and usernames are sent as clear text. I can tell you on several security checklists I've had to read in my day they've all required the disabling of basic authentication for a different approach. :)
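
The scheme a server offers (the Basic, NTLM and Digest options asked about above) is stated in the `WWW-Authenticate` headers of its 401 response, and Basic credentials are only base64-encoded, which is why they count as clear text without SSL. The following is an added example, not code from any poster in this thread; the function names, host name and sample header values are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

# Constructed 401 challenge headers, not captured from any real server.
IIS_INTEGRATED = ["Negotiate", "NTLM"]
IIS_BASIC = ['Basic realm="intranet.example"']
MIXED = ['Digest realm="intranet.example", qop="auth,auth-int", nonce="c0ffee", '
         'Basic realm="intranet.example"']
SAMPLE_AUTHZ = "Basic " + base64.b64encode(b"alice:constructed-pw").decode()

def offered_schemes(header_values):
    """Scheme names from the WWW-Authenticate header values of a 401 response."""
    schemes = []
    for value in header_values:
        part, in_quotes = "", False
        for ch in value + ",":               # trailing comma flushes the last part
            if ch == '"':
                in_quotes = not in_quotes
            if ch == "," and not in_quotes:
                words = part.split(None, 1)
                # A challenge starts with a bare scheme token; parameters contain "=".
                if words and "=" not in words[0] and words[0].lower() not in schemes:
                    schemes.append(words[0].lower())
                part = ""
            else:
                part += ch
    return schemes

def decode_basic(authorization_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def assess(url, header_values):
    """Summarise what a 401 from `url` tells a proxy author about the login."""
    schemes = offered_schemes(header_values)
    return {
        "schemes": schemes,
        # Basic is base64 only, so without TLS the password is readable in transit.
        "basic_without_tls": "basic" in schemes and urlsplit(url).scheme != "https",
        # NTLM and Negotiate are what IIS calls Integrated Windows Authentication.
        "integrated_windows": any(s in ("ntlm", "negotiate") for s in schemes),
    }

if __name__ == "__main__":
    print(assess("http://intranet.example/", IIS_BASIC))
    print(assess("https://intranet.example/", IIS_INTEGRATED))
    print(decode_basic(SAMPLE_AUTHZ))
```
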
Re: Building a Web Proxy with Authentication
> I could be forgetting but I believe that using basic authentication isn't a great option in general. If your site is not running SSL I think password and usernames are sent as clear text.

Mine is not to question why or how things are working, only to build a mechanism that unifies their logins.
Re: Building a Web Proxy with Authentication
> My big issue now is how to call a page that uses Windows (or windows-like) authentication. Is it as simple as passing the username and password parameters for a CFHTTP call? The sites that I'm going to be linking to use either the IIS authentication or web form authentication.

Anyone? Bueller? Bueller?
RE: Building a Web Proxy with Authentication
> My big issue now is how to call a page that uses Windows (or windows-like) authentication. Is it as simple as passing the username and password parameters for a CFHTTP call? The sites that I'm going to be linking to use either the IIS authentication or web form authentication.

There's a big difference between Windows authentication and Windows-like authentication - I'm not even sure what you mean by that. Windows authentication typically doesn't use a password - the password itself is hashed by the client, and the hash is sent to the server for comparison. IIS might be using Windows authentication, or it might be using Basic or Digest authentication.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/