portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rajendra Kadam" <rka...@etouch.net>
Subject Re: Iframe Portlet with Authentication for external website
Date Sat, 13 Sep 2003 02:28:55 GMT
Hi Tim,

Thanks for your help.

I want to access the web sites that are protected using
"Basic" Authentication. And BasicAuthIFramePortlet does
that one.

But the PROBLEM as you said is that it exposes userid and
password to everybody as all urls becomes
http://userid:passwd@xy.com. 

Exposing userid/password is not at all acceptable solution
for our requirement.

Is there any other way we can access the websites that are
protected using Basic Authentication ? 

I was trying to get the contents using following code
snippet
------------------------------------------------------
public ConcreteElement getContent(RunData rundata)
    {
 URL url = new URL("http://userid:passwd@web.net");
 URLConnection connection = url.openConnection();
 InputStream stream = connection.getInputStream();
 BufferedInputStream in = new BufferedInputStream(stream);
 int length = 0;
 byte[] buf = new byte[BUFFER_SIZE];
 ByteArrayOutputStream out = new ByteArrayOutputStream();
 while ((in != null) && ((length = in.read(buf)) != -1))
 {
  // the data has already been read into buf
  out.write(buf, 0, length);
 }
 content = out.toString();
 return new StringElement(content);
}
-----------------------------------------------------------

But here I was getting Error as " HTTP response code: 401
for URL: http://userid:passwd@web.net" How can I tackle it?

Is above way is correct way of doing it ?
Is there any secure way to access protected websites ?

Please help me in finding the way to access websites that
are protected using BASIC Authentication.

Thanks for all your help.
rajendra


On Fri, 12 Sep 2003 01:00:19 -0400
 "Tim Reilly" <tim.reilly@consultant.com> wrote:
>I'll try to share my understanding of the 3 general
>methods available to
>bring remote website content into the portal (pertaining
>to straight http
>request/response) There are many other ways such as WSRP,
>etc, but that's
>not related to your question I don't think:
>
>** Client/Browser technology:
>The BasicAuthIFramePortlet falls into this category. This
>sounds closest to
>what you are looking for, I think.
>The iframe portlet generates the markup for creating the
>iframe html tag
>within the portlet window.
>
>Frames, and iframes (and ilayer for earlier Netscape) can
>be thought of as
>chromeless browser windows embedded in the window.document
>of a parent
>window. So anything you could do within a html
>frame/frameset as far as
>single sign-on is possible.
>
>Two possible methods are:
>1) the initial url parameter to the iframe is a url to a
>document that you
>create - use javascript in the document to post a login
>form to the target
>website's login action url. An example page might look
>like:
><html>
>   <head>
>      <title>Self posting page</title>
>   </head>
>   <body onload="document.forms[0].submit()">
>	<form
>action="https://www.myformsecuredsite.org/loginProcess.do"
>method="post">
>		<input type="hidden" name="username"
>value="yourusername">
>		<input type="hidden" name="password" value="secret">
>      </form>
>   </body>
></html>
>The page loads, the form posts to the target site, and as
>long as the target
>is not checking the http-referer or some other method to
>prevent folks from
>doing this... then the iframe (as a normal browser window
>would)
>communicates directly with the site.
>2) If basic authentication is involved then you can login
>to a basic auth
>protect site using a url in the form of:
>https://username:password@www.somebasicsite.org/thepath/
>This how the
>http://cvs.apache.org/viewcvs/jakarta-jetspeed/src/java/org/apache/jetspeed/
>portal/portlets/BASICAuthIFramePortlet.java?rev=1.2&content-type=text/vnd.vi
>ewcvs-markup works.
>
>There are security considerations involved here because
>you are sending the
>credentials over the network to the client (browser) to
>use so keep your
>security requirements in mind if you use one these (at a
>minimum ssl enable
>your portal. And realize viewing the page source will
>expose the
>credentials.)
>There are also the usability issues that goes along with
>frames and
>framesets. Here I'm thinking of how users complain about
>hitting the refresh
>button in a frame based page and not understanding why it
>reloaded to the
>initial state. The same applies within the portal.
>
>** Server "one-off"
>The WebPagePortlet falls into this category (IMHO). This
>is great for
>retrieving a single page of a remote website and bringing
>that page or page
>fragment into the portal. (The new WebClipper portlet is
>also great for
>getting part of a page) The portlet performs the task of
>the client/browser
>from the portal server. A url connection is used to
>request the page. The
>response to that request is added into the portal page
>(after parsing and
>rewriting  certain elements of the response such as urls)
>Some manipulation
>of the page is required to preserve links, images, etc.
>Cross domain
>security might be an issue - for say cookies, scripts,
>objects, applets.
>When the user clicks a link or submits a form the portal's
>window will
>either be cannibalized, or you can specify that the
>portlet should rewrite
>the link target so a new window is targeted.
>
>** Server proxy-through
>This is part of what WebPagePortlet2 aims to achieve (not
>yet complete last
>I left off). The Safeweb free privacy service/site closed
>sometime in 2001
>but if you ever used it - its exactly the http
>proxy-through that would be
>needed IMO to present an entire remote site within the
>portal if iframes are
>not in the picture. (If you're not familiar -
>http://www.pcworld.com/news/article/0,aid,75063,00.asp
>basically it was a
>http proxy web based front-end. The upper frame of the
>site was like a
>browser address bar, the bottom frame was the 'browser'
>document window)
>
>** 2 Top of my head other options:
>These require the target site to make the services
>available.
>WSRP
>Cocoon has a web service proxy component
>
>I hope you find this helpful.
>
>> -----Original Message-----
>> From: Rajendra Kadam [mailto:rkadam@etouch.net]
>> Sent: Thursday, September 11, 2003 9:14 PM
>> To: jetspeed-dev@jakarta.apache.org
>> Subject: Iframe Portlet with Authentication for external
>website
>>
>>
>> Hi all,
>>
>> This is in reference to post "Iframe Portlet with
>Parameter
>> Passing" that was posted by "Dan Elder" on this mailing
>> list in month of Jun 2003.
>>
>> In that, Dan Elder has mentions  IFrame Portlet
>(extended
>> to original one ) which can pass userid and password (
>the
>> one used to log into Jetspeed Portal ) to websites that
>> require Authentication so that it will provide seamless
>> access to protected websites too.
>>
>> Does anybody has used that Portlet to access password
>> protected websites ?
>>
>> Also want to know does it makes "Basic Authentication"
>as
>> well as "Form Based Authentication" ?
>>
>> Dan, do you have any examples that will help in
>> understanding how protected websites can be accessed ?
>>
>> Thanks,
>> rajendra
>>
>>
>---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>jetspeed-dev-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail:
>jetspeed-dev-help@jakarta.apache.org
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail:
>jetspeed-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail:
>jetspeed-dev-help@jakarta.apache.org
>


Mime
View raw message