[
https://issues.apache.org/jira/browse/OFBIZ-10307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-10307:
------------------------------------
Description:
This will use a JWT Token authentication to get from one domain, where you are
signed in, to another domain where you get signed in automatically. Something
like ExternalLoginKey or Tomcat SSO, but not on the same domain.
This will build upon the initial work done at OFBIZ-9833 which has been
partially reverted in trunk with r1827439 (see OFBIZ-10304) and r1827441. I
explained why and what I did at https://s.apache.org/a5Km
I turned to Ajax for the "Authorization" header sending. I initially thought
I'd just pass an "Authorization" header and use it in the
externalServerLoginCheck preprocessor, et voil�.
But I stumbled upon something I did not know well : CORS! And in particular the
upstream control (Pre-verified requests):
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_example
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://www.w3.org/TR/cors/
To be able to pass an "Authorization" header, the server must respond
positively in the Preflight HTTP response (OPTIONS). To do this, either you use
a Tomcat filter (or your own filter, there are examples on the Net) or use
HTTPD (or Nginx) configuration on the target server.
I tried Tomcat first, without success. With HTTPD it's easier just 3 lines. For
my tests, future tests by OFBiz users and as an example, I asked infra to put
them in our HTTPD trunk demo config:
Header set Access-Control-Allow-Origin "https://localhost:8443";
Header set Access-Control-Allow-Headers "Authorization"
Header set Access-Control-Allow-Credentials "true"
No code change (either in all web.xml files for Tomcat or Java for own filter),
and more safety. It does not give more right to outsiders than what we give
with the admin credential.
In Header set Access-Control-Allow-Origin you can put more domains. I just used
https://localhost:8443 for the tests.
It works in Chrome, Firefox and Opera and partially in IE11 (not tested in
Edge). I did not test Safari, but I guess like other modern browsers it should
work.
For those (very few I guess) interested by IE11 (for Edge test yourself and
report please), here is the solution
https://stackoverflow.com/questions/12643960/internet-explorer-10-is-ignoring-xmlhttprequest-xhr-withcredentials-true
https://web.archive.org/web/20130308142134/http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
TODO (maybe) in the future, use the new Fetch API (not available yet):
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
was:
This will use a JWT Token authentication to get from one domain, where you are
signed in, to another domain where you get signed in automatically. Something
like ExternalLoginKey or Tomcat SSO, but not on the same domain.
This will build upon the initial work done at OFBIZ-9833 which has been
partially reverted in trunk with r1827439 (see OFBIZ-10304) and r1827441. I
explained why and what I did at https://s.apache.org/a5Km
> Navigate from a domain to another with automated signed in authentication
> -------------------------------------------------------------------------
>
> Key: OFBIZ-10307
> URL: https://issues.apache.org/jira/browse/OFBIZ-10307
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Priority: Major
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-10307.patch
>
>
> This will use a JWT Token authentication to get from one domain, where you
> are signed in, to another domain where you get signed in automatically.
> Something like ExternalLoginKey or Tomcat SSO, but not on the same domain.
> This will build upon the initial work done at OFBIZ-9833 which has been
> partially reverted in trunk with r1827439 (see OFBIZ-10304) and r1827441. I
> explained why and what I did at https://s.apache.org/a5Km
> I turned to Ajax for the "Authorization" header sending. I initially thought
> I'd just pass an "Authorization" header and use it in the
> externalServerLoginCheck preprocessor, et voil�.
> But I stumbled upon something I did not know well : CORS! And in particular
> the upstream control (Pre-verified requests):
> https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_example
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
> https://www.w3.org/TR/cors/
> To be able to pass an "Authorization" header, the server must respond
> positively in the Preflight HTTP response (OPTIONS). To do this, either you
> use a Tomcat filter (or your own filter, there are examples on the Net) or
> use HTTPD (or Nginx) configuration on the target server.
> I tried Tomcat first, without success. With HTTPD it's easier just 3 lines.
> For my tests, future tests by OFBiz users and as an example, I asked infra to
> put them in our HTTPD trunk demo config:
> Header set Access-Control-Allow-Origin "https://localhost:8443";
> Header set Access-Control-Allow-Headers "Authorization"
> Header set Access-Control-Allow-Credentials "true"
> No code change (either in all web.xml files for Tomcat or Java for own
> filter), and more safety. It does not give more right to outsiders than what
> we give with the admin credential.
> In Header set Access-Control-Allow-Origin you can put more domains. I just
> used https://localhost:8443 for the tests.
> It works in Chrome, Firefox and Opera and partially in IE11 (not tested in
> Edge). I did not test Safari, but I guess like other modern browsers it
> should work.
> For those (very few I guess) interested by IE11 (for Edge test yourself and
> report please), here is the solution
> https://stackoverflow.com/questions/12643960/internet-explorer-10-is-ignoring-xmlhttprequest-xhr-withcredentials-true
> https://web.archive.org/web/20130308142134/http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx
> https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
> TODO (maybe) in the future, use the new Fetch API (not available yet):
> https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
