portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Reilly" <tim.rei...@consultant.com>
Subject RE: Iframe Portlet with Authentication for external website
Date Sat, 13 Sep 2003 04:02:08 GMT
I can share some code I was working on to integrate commons-httpclient into
WebPagePortlet2. I'm still persuing this, but at this time I've changed my
scope to accomodate something similar for work. I'm currently working on a
service that exposes the httpclient functionality as a portlet service;
basically a very similar service exists in J2 (I thought, but can't seem to
find it now) anyhow it doesn't use HttpClient... (additionally -  working on
a 'HttpClientProfile' and 'HttpClientProfileService'
'HttpClientProfileServiceImpl' to manage "Profiles" = certain attributes of
httpclient.HostConfiguration, httpclient.HttpState, and HttpClient
attributes. (goal is to make these profiles sort of like Mozilla profiles,
but with an admin portlet to manage)
If your interested I could share some early work I've got, but here is
something less involved that may help you now.

//I slapped this together so go easy and of course map this back to portlet
methods
//I've been using the latest RC from Commons-HttpClient, possibly a full
release in Nov
//...
import java.io.IOException;

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.methods.GetMethod;

public class XSample {
    HttpClient client;

    public void init(){
        client = new HttpClient();
    }

    public byte[] getSiteContent(URI uri, Credentials creds)
        throws IOException{
        //May be able to move these to the init depending on your use
        HttpMethod method = new GetMethod();
        HostConfiguration config = new HostConfiguration();
        HttpState remoteSession = new HttpState();

        config.setHost(uri);
        remoteSession.setCredentials(null, uri.getHost(), creds);

            client.executeMethod(config, method, remoteSession);
        byte[] bytes = method.getResponseBodyAsString().getBytes();
        method.releaseConnection();

        return bytes;
    }

    public String getContent(URI uri, Credentials creds) throws IOException{
      byte[] in = getSiteContent(uri, creds);

    //...
    // you'll need pass 'in' through the rewriters just like WebPagePortlet
    //...

      return new String(in);
     }


    public static void main(String[] args) {
        try{
            URI uri = new URI("http://localhost/manager/html");
            Credentials creds =
                new UsernamePasswordCredentials("admin","secret");
            XSample foo = new XSample();
            foo.init();
            foo.getContent(uri, creds);
            System.out.print(foo.getContent(uri, creds));
        }catch(Exception e){
            e.printStackTrace();
        }
    }
}

Best regards
> -----Original Message-----
> From: Rajendra Kadam [mailto:rkadam@etouch.net]
> Sent: Friday, September 12, 2003 10:29 PM
> To: Jetspeed Developers List
> Subject: Re: Iframe Portlet with Authentication for external website
>
>
> Hi Tim,
>
> Thanks for your help.
>
> I want to access the web sites that are protected using
> "Basic" Authentication. And BasicAuthIFramePortlet does
> that one.
>
> But the PROBLEM as you said is that it exposes userid and
> password to everybody as all urls becomes
> http://userid:passwd@xy.com.
>
> Exposing userid/password is not at all acceptable solution
> for our requirement.
>
> Is there any other way we can access the websites that are
> protected using Basic Authentication ?
>
> I was trying to get the contents using following code
> snippet
> ------------------------------------------------------
> public ConcreteElement getContent(RunData rundata)
>     {
>  URL url = new URL("http://userid:passwd@web.net");
>  URLConnection connection = url.openConnection();
>  InputStream stream = connection.getInputStream();
>  BufferedInputStream in = new BufferedInputStream(stream);
>  int length = 0;
>  byte[] buf = new byte[BUFFER_SIZE];
>  ByteArrayOutputStream out = new ByteArrayOutputStream();
>  while ((in != null) && ((length = in.read(buf)) != -1))
>  {
>   // the data has already been read into buf
>   out.write(buf, 0, length);
>  }
>  content = out.toString();
>  return new StringElement(content);
> }
> -----------------------------------------------------------
>
> But here I was getting Error as " HTTP response code: 401
> for URL: http://userid:passwd@web.net" How can I tackle it?
>
> Is above way is correct way of doing it ?
> Is there any secure way to access protected websites ?
>
> Please help me in finding the way to access websites that
> are protected using BASIC Authentication.
>
> Thanks for all your help.
> rajendra
>
>
> On Fri, 12 Sep 2003 01:00:19 -0400
>  "Tim Reilly" <tim.reilly@consultant.com> wrote:
> >I'll try to share my understanding of the 3 general
> >methods available to
> >bring remote website content into the portal (pertaining
> >to straight http
> >request/response) There are many other ways such as WSRP,
> >etc, but that's
> >not related to your question I don't think:
> >
> >** Client/Browser technology:
> >The BasicAuthIFramePortlet falls into this category. This
> >sounds closest to
> >what you are looking for, I think.
> >The iframe portlet generates the markup for creating the
> >iframe html tag
> >within the portlet window.
> >
> >Frames, and iframes (and ilayer for earlier Netscape) can
> >be thought of as
> >chromeless browser windows embedded in the window.document
> >of a parent
> >window. So anything you could do within a html
> >frame/frameset as far as
> >single sign-on is possible.
> >
> >Two possible methods are:
> >1) the initial url parameter to the iframe is a url to a
> >document that you
> >create - use javascript in the document to post a login
> >form to the target
> >website's login action url. An example page might look
> >like:
> ><html>
> >   <head>
> >      <title>Self posting page</title>
> >   </head>
> >   <body onload="document.forms[0].submit()">
> >	<form
> >action="https://www.myformsecuredsite.org/loginProcess.do"
> >method="post">
> >		<input type="hidden" name="username"
> >value="yourusername">
> >		<input type="hidden" name="password" value="secret">
> >      </form>
> >   </body>
> ></html>
> >The page loads, the form posts to the target site, and as
> >long as the target
> >is not checking the http-referer or some other method to
> >prevent folks from
> >doing this... then the iframe (as a normal browser window
> >would)
> >communicates directly with the site.
> >2) If basic authentication is involved then you can login
> >to a basic auth
> >protect site using a url in the form of:
> >https://username:password@www.somebasicsite.org/thepath/
> >This how the
> >http://cvs.apache.org/viewcvs/jakarta-jetspeed/src/java/org/apach
> e/jetspeed/
> >portal/portlets/BASICAuthIFramePortlet.java?rev=1.2&content-type=
> text/vnd.vi
> >ewcvs-markup works.
> >
> >There are security considerations involved here because
> >you are sending the
> >credentials over the network to the client (browser) to
> >use so keep your
> >security requirements in mind if you use one these (at a
> >minimum ssl enable
> >your portal. And realize viewing the page source will
> >expose the
> >credentials.)
> >There are also the usability issues that goes along with
> >frames and
> >framesets. Here I'm thinking of how users complain about
> >hitting the refresh
> >button in a frame based page and not understanding why it
> >reloaded to the
> >initial state. The same applies within the portal.
> >
> >** Server "one-off"
> >The WebPagePortlet falls into this category (IMHO). This
> >is great for
> >retrieving a single page of a remote website and bringing
> >that page or page
> >fragment into the portal. (The new WebClipper portlet is
> >also great for
> >getting part of a page) The portlet performs the task of
> >the client/browser
> >from the portal server. A url connection is used to
> >request the page. The
> >response to that request is added into the portal page
> >(after parsing and
> >rewriting  certain elements of the response such as urls)
> >Some manipulation
> >of the page is required to preserve links, images, etc.
> >Cross domain
> >security might be an issue - for say cookies, scripts,
> >objects, applets.
> >When the user clicks a link or submits a form the portal's
> >window will
> >either be cannibalized, or you can specify that the
> >portlet should rewrite
> >the link target so a new window is targeted.
> >
> >** Server proxy-through
> >This is part of what WebPagePortlet2 aims to achieve (not
> >yet complete last
> >I left off). The Safeweb free privacy service/site closed
> >sometime in 2001
> >but if you ever used it - its exactly the http
> >proxy-through that would be
> >needed IMO to present an entire remote site within the
> >portal if iframes are
> >not in the picture. (If you're not familiar -
> >http://www.pcworld.com/news/article/0,aid,75063,00.asp
> >basically it was a
> >http proxy web based front-end. The upper frame of the
> >site was like a
> >browser address bar, the bottom frame was the 'browser'
> >document window)
> >
> >** 2 Top of my head other options:
> >These require the target site to make the services
> >available.
> >WSRP
> >Cocoon has a web service proxy component
> >
> >I hope you find this helpful.
> >
> >> -----Original Message-----
> >> From: Rajendra Kadam [mailto:rkadam@etouch.net]
> >> Sent: Thursday, September 11, 2003 9:14 PM
> >> To: jetspeed-dev@jakarta.apache.org
> >> Subject: Iframe Portlet with Authentication for external
> >website
> >>
> >>
> >> Hi all,
> >>
> >> This is in reference to post "Iframe Portlet with
> >Parameter
> >> Passing" that was posted by "Dan Elder" on this mailing
> >> list in month of Jun 2003.
> >>
> >> In that, Dan Elder has mentions  IFrame Portlet
> >(extended
> >> to original one ) which can pass userid and password (
> >the
> >> one used to log into Jetspeed Portal ) to websites that
> >> require Authentication so that it will provide seamless
> >> access to protected websites too.
> >>
> >> Does anybody has used that Portlet to access password
> >> protected websites ?
> >>
> >> Also want to know does it makes "Basic Authentication"
> >as
> >> well as "Form Based Authentication" ?
> >>
> >> Dan, do you have any examples that will help in
> >> understanding how protected websites can be accessed ?
> >>
> >> Thanks,
> >> rajendra
> >>
> >>
> >---------------------------------------------------------------------
> >> To unsubscribe, e-mail:
> >jetspeed-dev-unsubscribe@jakarta.apache.org
> >> For additional commands, e-mail:
> >jetspeed-dev-help@jakarta.apache.org
> >>
> >>
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail:
> >jetspeed-dev-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail:
> >jetspeed-dev-help@jakarta.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
>
>


Mime
View raw message