portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Reilly" <tim.rei...@consultant.com>
Subject RE: Iframe Portlet with Authentication for external website
Date Sat, 13 Sep 2003 04:35:59 GMT
Sorry I must be tired I just realized you wanted iframe...
in which case one approach is to start with what I sent, but make it a
servlet that web proxies.
You'll have to make the rewriter rewrite links, form actions, and other
elements back to the servlet.
Check out David's work with the rewriters for WebPagePortlet2.

The result of which might look something like:
  was: href="http://xy.com/newpage.html"
  becomes: href="myservlet?uri=http%3A%2F%2Fxy.com%2Fnewpage.html"

So in the end you would use the iframe portlet to point to your servlet that
does the proxy-through.

Or you may consider a commercial product if you have budget;
something like - WebSphere Transcoding Publisher
I've not used it myself so I can't guess if it'll work for you.

> -----Original Message-----
> From: Tim Reilly [mailto:tim.reilly@consultant.com]
> Sent: Saturday, September 13, 2003 12:02 AM
> To: Jetspeed Developers List
> Subject: RE: Iframe Portlet with Authentication for external website
>
>
> I can share some code I was working on to integrate
> commons-httpclient into
> WebPagePortlet2. I'm still persuing this, but at this time I've changed my
> scope to accomodate something similar for work. I'm currently working on a
> service that exposes the httpclient functionality as a portlet service;
> basically a very similar service exists in J2 (I thought, but
> can't seem to
> find it now) anyhow it doesn't use HttpClient... (additionally -
> working on
> a 'HttpClientProfile' and 'HttpClientProfileService'
> 'HttpClientProfileServiceImpl' to manage "Profiles" = certain
> attributes of
> httpclient.HostConfiguration, httpclient.HttpState, and HttpClient
> attributes. (goal is to make these profiles sort of like Mozilla profiles,
> but with an admin portlet to manage)
> If your interested I could share some early work I've got, but here is
> something less involved that may help you now.
>
> //I slapped this together so go easy and of course map this back
> to portlet
> methods
> //I've been using the latest RC from Commons-HttpClient, possibly a full
> release in Nov
> //...
> import java.io.IOException;
>
> import org.apache.commons.httpclient.Credentials;
> import org.apache.commons.httpclient.HostConfiguration;
> import org.apache.commons.httpclient.HttpClient;
> import org.apache.commons.httpclient.HttpMethod;
> import org.apache.commons.httpclient.HttpState;
> import org.apache.commons.httpclient.URI;
> import org.apache.commons.httpclient.UsernamePasswordCredentials;
> import org.apache.commons.httpclient.methods.GetMethod;
>
> public class XSample {
>     HttpClient client;
>
>     public void init(){
>         client = new HttpClient();
>     }
>
>     public byte[] getSiteContent(URI uri, Credentials creds)
>         throws IOException{
>         //May be able to move these to the init depending on your use
>         HttpMethod method = new GetMethod();
>         HostConfiguration config = new HostConfiguration();
>         HttpState remoteSession = new HttpState();
>
>         config.setHost(uri);
>         remoteSession.setCredentials(null, uri.getHost(), creds);
>
>             client.executeMethod(config, method, remoteSession);
>         byte[] bytes = method.getResponseBodyAsString().getBytes();
>         method.releaseConnection();
>
>         return bytes;
>     }
>
>     public String getContent(URI uri, Credentials creds) throws
> IOException{
>       byte[] in = getSiteContent(uri, creds);
>
>     //...
>     // you'll need pass 'in' through the rewriters just like
> WebPagePortlet
>     //...
>
>       return new String(in);
>      }
>
>
>     public static void main(String[] args) {
>         try{
>             URI uri = new URI("http://localhost/manager/html");
>             Credentials creds =
>                 new UsernamePasswordCredentials("admin","secret");
>             XSample foo = new XSample();
>             foo.init();
>             foo.getContent(uri, creds);
>             System.out.print(foo.getContent(uri, creds));
>         }catch(Exception e){
>             e.printStackTrace();
>         }
>     }
> }
>
> Best regards
> > -----Original Message-----
> > From: Rajendra Kadam [mailto:rkadam@etouch.net]
> > Sent: Friday, September 12, 2003 10:29 PM
> > To: Jetspeed Developers List
> > Subject: Re: Iframe Portlet with Authentication for external website
> >
> >
> > Hi Tim,
> >
> > Thanks for your help.
> >
> > I want to access the web sites that are protected using
> > "Basic" Authentication. And BasicAuthIFramePortlet does
> > that one.
> >
> > But the PROBLEM as you said is that it exposes userid and
> > password to everybody as all urls becomes
> > http://userid:passwd@xy.com.
> >
> > Exposing userid/password is not at all acceptable solution
> > for our requirement.
> >
> > Is there any other way we can access the websites that are
> > protected using Basic Authentication ?
> >
> > I was trying to get the contents using following code
> > snippet
> > ------------------------------------------------------
> > public ConcreteElement getContent(RunData rundata)
> >     {
> >  URL url = new URL("http://userid:passwd@web.net");
> >  URLConnection connection = url.openConnection();
> >  InputStream stream = connection.getInputStream();
> >  BufferedInputStream in = new BufferedInputStream(stream);
> >  int length = 0;
> >  byte[] buf = new byte[BUFFER_SIZE];
> >  ByteArrayOutputStream out = new ByteArrayOutputStream();
> >  while ((in != null) && ((length = in.read(buf)) != -1))
> >  {
> >   // the data has already been read into buf
> >   out.write(buf, 0, length);
> >  }
> >  content = out.toString();
> >  return new StringElement(content);
> > }
> > -----------------------------------------------------------
> >
> > But here I was getting Error as " HTTP response code: 401
> > for URL: http://userid:passwd@web.net" How can I tackle it?
> >
> > Is above way is correct way of doing it ?
> > Is there any secure way to access protected websites ?
> >
> > Please help me in finding the way to access websites that
> > are protected using BASIC Authentication.
> >
> > Thanks for all your help.
> > rajendra
> >
> >
> > On Fri, 12 Sep 2003 01:00:19 -0400
> >  "Tim Reilly" <tim.reilly@consultant.com> wrote:
> > >I'll try to share my understanding of the 3 general
> > >methods available to
> > >bring remote website content into the portal (pertaining
> > >to straight http
> > >request/response) There are many other ways such as WSRP,
> > >etc, but that's
> > >not related to your question I don't think:
> > >
> > >** Client/Browser technology:
> > >The BasicAuthIFramePortlet falls into this category. This
> > >sounds closest to
> > >what you are looking for, I think.
> > >The iframe portlet generates the markup for creating the
> > >iframe html tag
> > >within the portlet window.
> > >
> > >Frames, and iframes (and ilayer for earlier Netscape) can
> > >be thought of as
> > >chromeless browser windows embedded in the window.document
> > >of a parent
> > >window. So anything you could do within a html
> > >frame/frameset as far as
> > >single sign-on is possible.
> > >
> > >Two possible methods are:
> > >1) the initial url parameter to the iframe is a url to a
> > >document that you
> > >create - use javascript in the document to post a login
> > >form to the target
> > >website's login action url. An example page might look
> > >like:
> > ><html>
> > >   <head>
> > >      <title>Self posting page</title>
> > >   </head>
> > >   <body onload="document.forms[0].submit()">
> > >	<form
> > >action="https://www.myformsecuredsite.org/loginProcess.do"
> > >method="post">
> > >		<input type="hidden" name="username"
> > >value="yourusername">
> > >		<input type="hidden" name="password" value="secret">
> > >      </form>
> > >   </body>
> > ></html>
> > >The page loads, the form posts to the target site, and as
> > >long as the target
> > >is not checking the http-referer or some other method to
> > >prevent folks from
> > >doing this... then the iframe (as a normal browser window
> > >would)
> > >communicates directly with the site.
> > >2) If basic authentication is involved then you can login
> > >to a basic auth
> > >protect site using a url in the form of:
> > >https://username:password@www.somebasicsite.org/thepath/
> > >This how the
> > >http://cvs.apache.org/viewcvs/jakarta-jetspeed/src/java/org/apach
> > e/jetspeed/
> > >portal/portlets/BASICAuthIFramePortlet.java?rev=1.2&content-type=
> > text/vnd.vi
> > >ewcvs-markup works.
> > >
> > >There are security considerations involved here because
> > >you are sending the
> > >credentials over the network to the client (browser) to
> > >use so keep your
> > >security requirements in mind if you use one these (at a
> > >minimum ssl enable
> > >your portal. And realize viewing the page source will
> > >expose the
> > >credentials.)
> > >There are also the usability issues that goes along with
> > >frames and
> > >framesets. Here I'm thinking of how users complain about
> > >hitting the refresh
> > >button in a frame based page and not understanding why it
> > >reloaded to the
> > >initial state. The same applies within the portal.
> > >
> > >** Server "one-off"
> > >The WebPagePortlet falls into this category (IMHO). This
> > >is great for
> > >retrieving a single page of a remote website and bringing
> > >that page or page
> > >fragment into the portal. (The new WebClipper portlet is
> > >also great for
> > >getting part of a page) The portlet performs the task of
> > >the client/browser
> > >from the portal server. A url connection is used to
> > >request the page. The
> > >response to that request is added into the portal page
> > >(after parsing and
> > >rewriting  certain elements of the response such as urls)
> > >Some manipulation
> > >of the page is required to preserve links, images, etc.
> > >Cross domain
> > >security might be an issue - for say cookies, scripts,
> > >objects, applets.
> > >When the user clicks a link or submits a form the portal's
> > >window will
> > >either be cannibalized, or you can specify that the
> > >portlet should rewrite
> > >the link target so a new window is targeted.
> > >
> > >** Server proxy-through
> > >This is part of what WebPagePortlet2 aims to achieve (not
> > >yet complete last
> > >I left off). The Safeweb free privacy service/site closed
> > >sometime in 2001
> > >but if you ever used it - its exactly the http
> > >proxy-through that would be
> > >needed IMO to present an entire remote site within the
> > >portal if iframes are
> > >not in the picture. (If you're not familiar -
> > >http://www.pcworld.com/news/article/0,aid,75063,00.asp
> > >basically it was a
> > >http proxy web based front-end. The upper frame of the
> > >site was like a
> > >browser address bar, the bottom frame was the 'browser'
> > >document window)
> > >
> > >** 2 Top of my head other options:
> > >These require the target site to make the services
> > >available.
> > >WSRP
> > >Cocoon has a web service proxy component
> > >
> > >I hope you find this helpful.
> > >
> > >> -----Original Message-----
> > >> From: Rajendra Kadam [mailto:rkadam@etouch.net]
> > >> Sent: Thursday, September 11, 2003 9:14 PM
> > >> To: jetspeed-dev@jakarta.apache.org
> > >> Subject: Iframe Portlet with Authentication for external
> > >website
> > >>
> > >>
> > >> Hi all,
> > >>
> > >> This is in reference to post "Iframe Portlet with
> > >Parameter
> > >> Passing" that was posted by "Dan Elder" on this mailing
> > >> list in month of Jun 2003.
> > >>
> > >> In that, Dan Elder has mentions  IFrame Portlet
> > >(extended
> > >> to original one ) which can pass userid and password (
> > >the
> > >> one used to log into Jetspeed Portal ) to websites that
> > >> require Authentication so that it will provide seamless
> > >> access to protected websites too.
> > >>
> > >> Does anybody has used that Portlet to access password
> > >> protected websites ?
> > >>
> > >> Also want to know does it makes "Basic Authentication"
> > >as
> > >> well as "Form Based Authentication" ?
> > >>
> > >> Dan, do you have any examples that will help in
> > >> understanding how protected websites can be accessed ?
> > >>
> > >> Thanks,
> > >> rajendra
> > >>
> > >>
> > >---------------------------------------------------------------------
> > >> To unsubscribe, e-mail:
> > >jetspeed-dev-unsubscribe@jakarta.apache.org
> > >> For additional commands, e-mail:
> > >jetspeed-dev-help@jakarta.apache.org
> > >>
> > >>
> > >
> > >
> > >---------------------------------------------------------------------
> > >To unsubscribe, e-mail:
> > >jetspeed-dev-unsubscribe@jakarta.apache.org
> > >For additional commands, e-mail:
> > >jetspeed-dev-help@jakarta.apache.org
> > >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
> >
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
>
>


Mime
View raw message