Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-04-02 Thread Shi Jinghai
Hi Jochen,

Sorry for my late reply.

All three ways you mentioned can be implemented in OFBiz (not OOTB AFAIK);
I'm afraid you have to write your own login in OFBiz, and you can find many
code pieces for it there in OFBiz.

Be careful if you want to duplicate the LDAP password to OFBiz: you have to make
sure the password algorithm is supported in OFBiz and the JDK.

There are many other functions that have to be considered as well, including
logout, login policy, password policy, creating/removing a user, password change
and ... LDAP servers being down.

Kind Regards,

Shi Jinghai

-----Original Message-----
From: Jochen.Boutens@ [mailto:finalbeta.net jochen.bout...@finalbeta.net]
Sent: 30 March 2018 14:45
To: user@ofbiz.apache.org
Subject: Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

Hello Shi, 

You are correct, the webserver (reverse proxy) in front of the ofbiz server will
validate the user's credentials against ldap and send them in the header to the
ofbiz server.

What I don't yet understand is what the options are in ofbiz. Because I've
deployed a number of systems this way, and there are many different ways
they handle it.

On some systems, I have apache validating the credentials from the http header
once more against ldap, then the application (ofbiz) just accepts that the
credentials are validated and couples it to a local user that it creates on the
fly.

On some systems I have apache validating the credentials from the http header
only to pass it to the application, where the application once more does its
own ldap validation and then couples it to a local user that it creates on the
fly if needed.

On other systems I don't need to configure basic auth on the webserver at all
(own/nextcloud), the application just checks if the header is present and logs
the user in while validating the ldap credentials itself. etc.

Sorry for making it complicated, I'm just trying to understand how the process
would actually work.

On 2018/03/30 02:35:01, Shi Jinghai <huaru...@hotmail.com> wrote: 
> Hi Jochen,
> 
> Let's slow down.
> 
> For Q2, as you mentioned, you have a webserver deployed in front of OFBiz. If
> so, the authn work is done in the webserver. The requests proxied to OFBiz
> are all authenticated. Right?
> 
> My puzzle is why you insist OFBiz has to validate against LDAP, for 
> authorization?
> 
> 
> -----Original Message-----
> From: Jochen.Boutens@ [mailto:finalbeta.net
> jochen.bout...@finalbeta.net]
> Sent: 30 March 2018 1:52
> To: user@ofbiz.apache.org
> Subject: Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> 
> 
> Hello Shi,
> 
> Thanks for your response. Q1 is clear. 
> 
> About your response to question 2. You seem to imply that LDAP + Basic auth
> can be done. But I'm not sure what you are suggesting exactly.
> The Tomcat SSO you are talking about is this? (
> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html ) The only
> reference it makes to Basic auth seems to be that it doesn't work and you
> need SPNEGO.
> Apereo CAS and OAuth2 both require another server (something not in my setup)
> right?
>
> To be clear, can ofbiz take the basic auth credentials from the header
> to log on the user? (validating it against ldap, or trusting the
> server's validation of the basic auth)
> 
> On 2018/03/29 08:44:07, Shi Jinghai <huaru...@hotmail.com> wrote: 
> > Q1: http://server/ofbiz/
> > Yes. It's a simple configuration for both Apache Httpd and Nginx.
> >
> > Q2: Http header basic authentication
> > Not sure whether Jacques has completed the new Tomcat SSO. If yes, then
> > it's ready OOTB.
> > For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP
> > plugin) and OAuth2 (by passport plugin).
> > 
> > Have fun,
> > 
> > -----Original Message-----
> > From: Jochen.Boutens@ [mailto:finalbeta.net
> > jochen.bout...@finalbeta.net]
> > Sent: 29 March 2018 15:39
> > To: user@ofbiz.apache.org
> > Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> > 
> > Hello, We are exploring functionality of several solutions. Ofbiz seems to
> > qualify for most tasks.
> >
> > I have two questions I would like to make sure of before we begin testing:
> >
> > For integration into our systems we require the solution to run under a
> > subdirectory of the root of the webserver. (http://server/ofbiz/).
> > ( The reason for this is that ofbiz will be reverse proxied and that
> > http://reverseproxy/ is used for something else. A different domain is not
> > an option because of question two).
> > 
> > For integration into our systems we prefer that the ap

Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-30 Thread Jochen . Boutens
Hello Shi, 

You are correct, the webserver (reverse proxy) in front of the ofbiz server will
validate the user's credentials against ldap and send them in the header to the
ofbiz server.

What I don't yet understand is what the options are in ofbiz. Because I've
deployed a number of systems this way, and there are many different ways
they handle it.

On some systems, I have apache validating the credentials from the http header
once more against ldap, then the application (ofbiz) just accepts that the
credentials are validated and couples it to a local user that it creates on the
fly.

On some systems I have apache validating the credentials from the http header
only to pass it to the application, where the application once more does its
own ldap validation and then couples it to a local user that it creates on the
fly if needed.

On other systems I don't need to configure basic auth on the webserver at all
(own/nextcloud), the application just checks if the header is present and logs
the user in while validating the ldap credentials itself. etc.

Sorry for making it complicated, I'm just trying to understand how the process
would actually work.

On 2018/03/30 02:35:01, Shi Jinghai <huaru...@hotmail.com> wrote: 
> Hi Jochen,
> 
> Let's slow down.
> 
> For Q2, as you mentioned, you have a webserver deployed in front of OFBiz. If
> so, the authn work is done in the webserver. The requests proxied to OFBiz
> are all authenticated. Right?
> 
> My puzzle is why you insist OFBiz has to validate against LDAP, for 
> authorization?
> 
> 
> -----Original Message-----
> From: Jochen.Boutens@ [mailto:finalbeta.net
> jochen.bout...@finalbeta.net]
> Sent: 30 March 2018 1:52
> To: user@ofbiz.apache.org
> Subject: Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> 
> 
> Hello Shi, 
> 
> Thanks for your response. Q1 is clear. 
> 
> About your response to question 2. You seem to imply that LDAP + Basic auth
> can be done. But I'm not sure what you are suggesting exactly.
> The Tomcat SSO you are talking about is this? (
> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html ) The only
> reference it makes to Basic auth seems to be that it doesn't work and you
> need SPNEGO.
> Apereo CAS and OAuth2 both require another server (something not in my setup)
> right?
>
> To be clear, can ofbiz take the basic auth credentials from the header to
> log on the user? (validating it against ldap, or trusting the server's
> validation of the basic auth)
> 
> On 2018/03/29 08:44:07, Shi Jinghai <huaru...@hotmail.com> wrote: 
> > Q1: http://server/ofbiz/
> > Yes. It's a simple configuration for both Apache Httpd and Nginx.
> >
> > Q2: Http header basic authentication
> > Not sure whether Jacques has completed the new Tomcat SSO. If yes, then
> > it's ready OOTB.
> > For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP
> > plugin) and OAuth2 (by passport plugin).
> > 
> > Have fun,
> > 
> > -----Original Message-----
> > From: Jochen.Boutens@ [mailto:finalbeta.net
> > jochen.bout...@finalbeta.net]
> > Sent: 29 March 2018 15:39
> > To: user@ofbiz.apache.org
> > Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> > 
> > Hello, We are exploring functionality of several solutions. Ofbiz seems to
> > qualify for most tasks.
> >
> > I have two questions I would like to make sure of before we begin testing:
> >
> > For integration into our systems we require the solution to run under a
> > subdirectory of the root of the webserver. (http://server/ofbiz/).
> > ( The reason for this is that ofbiz will be reverse proxied and that
> > http://reverseproxy/ is used for something else. A different domain is not
> > an option because of question two).
> > 
> > For integration into our systems we prefer that the application can use 
> > authentication data in the http header (Basic Authorization/Http 
> > authorization). Our reverse proxy sends the users (LDAP) credentials in the 
> > header allowing applications to automatically log the user in. 
> > 
> > Can these things be done with Ofbiz? 
> > 
> > Thanks for your responses. 
> > 
> > 
> > 
> 
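The three header-handling patterns Jochen describes in his 2018-03-30 message (proxy validates against LDAP and the application trusts the header; proxy forwards the header and the application re-validates against LDAP; the application alone reads the header) differ in what the application itself has to verify. The Python sketch below is an added illustration of that decision, not code from OFBiz or from anyone in this thread: it parses the Basic Authorization header the proxy forwards and implements the two application-side decision modes. The directory contents (FAKE_DIRECTORY), the trusted-proxy address ranges (TRUSTED_PROXY_NETS) and the request shape are constructed assumptions for the example.

```python
import base64
import hmac
import ipaddress

# Constructed stand-in for the LDAP directory the proxy and the application
# bind against (hypothetical data; a real deployment performs an LDAP bind).
FAKE_DIRECTORY = {"alice": "correct horse"}

# Networks the application accepts proxied requests from (assumption: the
# reverse proxy is the only host in these ranges that can reach the app).
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def make_basic_header(user, password):
    """Build the value the proxy forwards: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header_value):
    """Return (user, password) from a Basic Authorization header, or None if the
    header is absent, uses another scheme, or is not valid base64 / UTF-8."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def ldap_bind(user, password):
    """Stand-in for a simple LDAP bind against FAKE_DIRECTORY (constructed)."""
    expected = FAKE_DIRECTORY.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8"))


def authenticate(request, mode):
    """Decide which user, if any, to log in.

    request: dict with 'remote_addr' and a 'headers' dict (constructed shape).
    mode 'revalidate': the application binds to LDAP itself with the forwarded
        credentials (the second and third patterns in the thread).
    mode 'trust_proxy': the application accepts the proxy's verdict (the first
        pattern) but only when the request provably arrived via the proxy;
        otherwise anyone who can reach the application directly could log in
        as any user simply by sending the header.
    """
    creds = parse_basic_authorization(request["headers"].get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    if mode == "revalidate":
        return user if ldap_bind(user, password) else None
    if mode == "trust_proxy":
        peer = ipaddress.ip_address(request["remote_addr"])
        if not any(peer in net for net in TRUSTED_PROXY_NETS):
            return None
        return user
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    via_proxy = {"remote_addr": "10.1.2.3",
                 "headers": {"Authorization": make_basic_header("alice", "correct horse")}}
    direct = {"remote_addr": "203.0.113.7",
              "headers": {"Authorization": make_basic_header("alice", "anything")}}
    print(authenticate(via_proxy, "trust_proxy"))  # alice
    print(authenticate(direct, "trust_proxy"))     # None: not from the proxy
    print(authenticate(direct, "revalidate"))      # None: wrong password
```

In 'trust_proxy' mode the only safety net is that the proxy is the sole network path to the application and that it overwrites any Authorization header the client sent itself; if the Tomcat port OFBiz listens on is reachable without going through the proxy, that mode amounts to no authentication at all. The re-validating mode costs one extra LDAP bind per request but does not depend on the network layout, which is why it is the safer default when the directory can take the load.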


Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-29 Thread Shi Jinghai
Hi Jochen,

Let's slow down.

For Q2, as you mentioned, you have a webserver deployed in front of OFBiz. If
so, the authn work is done in the webserver. The requests proxied to OFBiz are
all authenticated. Right?

My puzzle is why you insist OFBiz has to validate against LDAP, for 
authorization?


-----Original Message-----
From: Jochen.Boutens@ [mailto:finalbeta.net jochen.bout...@finalbeta.net]
Sent: 30 March 2018 1:52
To: user@ofbiz.apache.org
Subject: Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?


Hello Shi, 

Thanks for your response. Q1 is clear. 

About your response to question 2. You seem to imply that LDAP + Basic auth can
be done. But I'm not sure what you are suggesting exactly.
The Tomcat SSO you are talking about is this? (
https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html ) The only
reference it makes to Basic auth seems to be that it doesn't work and you need
SPNEGO.
Apereo CAS and OAuth2 both require another server (something not in my setup)
right?

To be clear, can ofbiz take the basic auth credentials from the header to log on
the user? (validating it against ldap, or trusting the server's validation of
the basic auth)

On 2018/03/29 08:44:07, Shi Jinghai <huaru...@hotmail.com> wrote: 
> Q1: http://server/ofbiz/
> Yes. It's a simple configuration for both Apache Httpd and Nginx.
>
> Q2: Http header basic authentication
> Not sure whether Jacques has completed the new Tomcat SSO. If yes, then it's
> ready OOTB.
> For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP plugin)
> and OAuth2 (by passport plugin).
> 
> Have fun,
> 
> -----Original Message-----
> From: Jochen.Boutens@ [mailto:finalbeta.net
> jochen.bout...@finalbeta.net]
> Sent: 29 March 2018 15:39
> To: user@ofbiz.apache.org
> Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> 
> Hello, We are exploring functionality of several solutions. Ofbiz seems to
> qualify for most tasks.
>
> I have two questions I would like to make sure of before we begin testing:
>
> For integration into our systems we require the solution to run under a
> subdirectory of the root of the webserver. (http://server/ofbiz/).
> ( The reason for this is that ofbiz will be reverse proxied and that
> http://reverseproxy/ is used for something else. A different domain is not an
> option because of question two).
> 
> For integration into our systems we prefer that the application can use 
> authentication data in the http header (Basic Authorization/Http 
> authorization). Our reverse proxy sends the users (LDAP) credentials in the 
> header allowing applications to automatically log the user in. 
> 
> Can these things be done with Ofbiz? 
> 
> Thanks for your responses. 
> 
> 
> 


Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-29 Thread Jochen . Boutens

Hello Shi, 

Thanks for your response. Q1 is clear. 

About your response to question 2. You seem to imply that LDAP + Basic auth can
be done. But I'm not sure what you are suggesting exactly.
The Tomcat SSO you are talking about is this? (
https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html ) The only
reference it makes to Basic auth seems to be that it doesn't work and you need
SPNEGO.
Apereo CAS and OAuth2 both require another server (something not in my setup)
right?

To be clear, can ofbiz take the basic auth credentials from the header to log on
the user? (validating it against ldap, or trusting the server's validation of
the basic auth)

On 2018/03/29 08:44:07, Shi Jinghai wrote:
> Q1: http://server/ofbiz/
> Yes. It's a simple configuration for both Apache Httpd and Nginx.
>
> Q2: Http header basic authentication
> Not sure whether Jacques has completed the new Tomcat SSO. If yes, then it's
> ready OOTB.
> For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP plugin)
> and OAuth2 (by passport plugin).
> 
> Have fun,
> 
> -----Original Message-----
> From: Jochen.Boutens@ [mailto:finalbeta.net
> jochen.bout...@finalbeta.net]
> Sent: 29 March 2018 15:39
> To: user@ofbiz.apache.org
> Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> 
> Hello, We are exploring functionality of several solutions. Ofbiz seems to
> qualify for most tasks.
>
> I have two questions I would like to make sure of before we begin testing:
>
> For integration into our systems we require the solution to run under a
> subdirectory of the root of the webserver. (http://server/ofbiz/).
> ( The reason for this is that ofbiz will be reverse proxied and that
> http://reverseproxy/ is used for something else. A different domain is not an
> option because of question two).
> 
> For integration into our systems we prefer that the application can use 
> authentication data in the http header (Basic Authorization/Http 
> authorization). Our reverse proxy sends the users (LDAP) credentials in the 
> header allowing applications to automatically log the user in. 
> 
> Can these things be done with Ofbiz? 
> 
> Thanks for your responses. 
> 
> 
> 


Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-29 Thread Jacques Le Roux

Thanks Jinghai,

Actually Tomcat SSO has been provided by James Yong at 
https://issues.apache.org/jira/browse/OFBIZ-10047
It does not support clusters yet 
https://issues.apache.org/jira/browse/OFBIZ-10123

Deepak has made another proposition to use a JWT token locally (same domain) at 
https://issues.apache.org/jira/browse/OFBIZ-9833

I have made another proposition to use Ajax+JWT+CORS at 
https://issues.apache.org/jira/browse/OFBIZ-10307 But it's more from one domain 
to another.

@Jochen: You could though use CORS for a subdomain, look for 
https://www.google.fr/search?q=cors+subdoamin=UTF-8

HTH

Jacques


On 29/03/2018 at 10:44, Shi Jinghai wrote:

Q1: http://server/ofbiz/
Yes. It's a simple configuration for both Apache Httpd and Nginx.

Q2: Http header basic authentication
Not sure whether Jacques has completed the new Tomcat SSO. If yes, then it's
ready OOTB.
For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP plugin)
and OAuth2 (by passport plugin).

Have fun,

-----Original Message-----
From: Jochen.Boutens@ [mailto:finalbeta.net jochen.bout...@finalbeta.net]
Sent: 29 March 2018 15:39
To: user@ofbiz.apache.org
Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?

Hello, We are exploring functionality of several solutions. Ofbiz seems to
qualify for most tasks.

I have two questions I would like to make sure of before we begin testing:

For integration into our systems we require the solution to run under a
subdirectory of the root of the webserver. (http://server/ofbiz/).
( The reason for this is that ofbiz will be reverse proxied and that
http://reverseproxy/ is used for something else. A different domain is not an
option because of question two).

For integration into our systems we prefer that the application can use 
authentication data in the http header (Basic Authorization/Http 
authorization). Our reverse proxy sends the users (LDAP) credentials in the 
header allowing applications to automatically log the user in.

Can these things be done with Ofbiz?

Thanks for your responses.






Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-29 Thread Jochen . Boutens
Hi Taher, 

The reason we require a subdir is because we already have a system in place 
that works like this. 

The user goes to https://reverseproxy and is presented with a login form where 
he enters his LDAP credentials. These are validated and the user is presented 
with a menu. 
The user clicks the links in the menu which takes him for example to 
https://reverseproxy/helpdesk or https://reverseproxy/monitoring or 
https://reverseproxy/files or https://reverseproxy/ofbiz (You get the idea)

As the reverse proxy sends the user's credentials, the user only enters them
once for all applications and he is logged in automatically. The single point
of login only works when we utilise subdirectories.


Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-29 Thread Shi Jinghai
Q1: http://server/ofbiz/
Yes. It's a simple configuration for both Apache Httpd and Nginx.

Q2: Http header basic authentication
Not sure whether Jacques has completed the new Tomcat SSO. If yes, then it's
ready OOTB.
For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP plugin)
and OAuth2 (by passport plugin).

Have fun,

-----Original Message-----
From: Jochen.Boutens@ [mailto:finalbeta.net jochen.bout...@finalbeta.net]
Sent: 29 March 2018 15:39
To: user@ofbiz.apache.org
Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?

Hello, We are exploring functionality of several solutions. Ofbiz seems to
qualify for most tasks.

I have two questions I would like to make sure of before we begin testing:

For integration into our systems we require the solution to run under a
subdirectory of the root of the webserver. (http://server/ofbiz/).
( The reason for this is that ofbiz will be reverse proxied and that
http://reverseproxy/ is used for something else. A different domain is not an
option because of question two).

For integration into our systems we prefer that the application can use 
authentication data in the http header (Basic Authorization/Http 
authorization). Our reverse proxy sends the users (LDAP) credentials in the 
header allowing applications to automatically log the user in. 

Can these things be done with Ofbiz? 

Thanks for your responses. 




Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

2018-03-29 Thread Taher Alkhateeb
Hello Jochen, welcome to the community.

I'm sure you'll get better responses from the rest of the community,
but naturally there are many ways to go about this. For one thing,
read the section on configuring OFBiz with LDAP in [1].

Now with respect to doing something like http://yourserver/ofbiz, I
think this might be difficult to achieve because OFBiz ships with its
own Servlet Container (Tomcat). So maybe a simpler option which we
used before is to simply seek a sub-domain to map into OFBiz. So it
would be something like http://ofbiz.yourserver which is mapped from
your reverse proxy (nginx I assume?)

Would that not still work given that the sub-domain is within your control?

[1] 
https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide

On Thu, Mar 29, 2018 at 10:39 AM, jochen.bout...@finalbeta.net wrote:
> Hello, We are exploring functionality of several solutions. Ofbiz seems to
> qualify for most tasks.
>
> I have two questions I would like to make sure of before we begin testing:
>
> For integration into our systems we require the solution to run under a
> subdirectory of the root of the webserver. (http://server/ofbiz/).
> ( The reason for this is that ofbiz will be reverse proxied and that
> http://reverseproxy/ is used for something else. A different domain is not an
> option because of question two).
>
> For integration into our systems we prefer that the application can use 
> authentication data in the http header (Basic Authorization/Http 
> authorization). Our reverse proxy sends the users (LDAP) credentials in the 
> header allowing applications to automatically log the user in.
>
> Can these things be done with Ofbiz?
>
> Thanks for your responses.
>
>