Authentication between Widget and SBT - ibm-connections

Background
I need to display the list of Top 3 downloaded files in a widget when a person logs into a Community.
I am using Social Business Toolkit at the backend to fetch that data, and send it as JSON string to the widget, to display the same.
Question:
To fetch the Files from the community via SBT requires authentication (endpoint access).
In this scenario, how can the user credentials from the iWidget be passed to the customized servlet, so that it can fetch all the files from the same Connections Community?
I would avoid re-authentication as the user has already authenticated when he enters the Community.
Get the following error when called from the iWidget
java.lang.NoClassDefFoundError: org/apache/http/client/methods/HttpUriRequest
at org.apache.http.impl.client.AbstractHttpClient.determineTarget(AbstractHttpClient.java:584)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:554)
at com.ibm.sbt.services.client.ClientService.executeRequest(ClientService.java:1108)
at com.ibm.sbt.services.client.ClientService._xhr(ClientService.java:1071)
at com.ibm.sbt.services.client.ClientService.execRequest(ClientService.java:1037)
at com.ibm.sbt.services.client.ClientService.xhr(ClientService.java:997)
at com.ibm.sbt.services.client.ClientService.get(ClientService.java:873)
at com.ibm.sbt.services.client.ClientService.get(ClientService.java:869)
at com.ibm.sbt.services.client.base.BaseService.retrieveData(BaseService.java:371)
at com.ibm.sbt.services.client.base.BaseService.retrieveData(BaseService.java:395)
at com.ibm.sbt.services.client.base.BaseService.retrieveData(BaseService.java:346)
at com.ibm.sbt.services.client.base.BaseService.getEntities(BaseService.java:205)
at com.ibm.sbt.services.client.connections.communities.CommunityService.getMyCommunities(CommunityService.java:260)
at com.ibm.sbt.services.client.connections.communities.CommunityService.getMyCommunities(CommunityService.java:244)
at com.ibm._jsp._Test._jspService(_Test.java:124)
at
This is what the Lib folder looks like inside

You should use the ConnectionsSSOEndpoint in your managed-beans.xml file
<!-- Connections SSO -->
<managed-bean>
<managed-bean-name>connections</managed-bean-name>
<managed-bean-class>com.ibm.sbt.services.endpoints.ConnectionsSSOEndpoint</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
<managed-property>
<property-name>url</property-name>
<value>${connectionsUrl}</value>
</managed-property>
<!-- Trust the connection -->
<managed-property>
<property-name>forceTrustSSLCertificate</property-name>
<value>true</value>
</managed-property>
<managed-property>
<property-name>serviceMaps</property-name>
<value>${connectionsMaps}</value>
</managed-property>
</managed-bean>
The SSO Endpoint uses the ltpatoken and ltpatoken2 tokens from the existing session to automatically log you in to the backend service

Related

Java EE Container Based Security

I am attempting to implement JDBC Realm Authentication with Wildfly.
I have used this article as reference:
http://blog.eisele.net/2015/01/jdbc-realm-wildfly820-primefaces51.html
As well as the accompanying source code on GitHub at https://github.com/myfear/SimpleJDBCRealmWildFly/
I am presented with the login form if I try to access one of the protected areas of the application, but after filling in my username and password it never seems to successfully authenticate (loginError.xhtml).
The only difference between my application and the above example is that my form specifies
action="j_security_check"
whereas the GitHub example uses
onsubmit="document.loginForm.action = 'j_security_check';"
In my web.xml I specify
<security-role>
<role-name>ADMIN</role-name>
</security-role>
Which matches what I specified for my user in my role table. What am I still missing?

What is the bean scope of a confluence plugin component and how to control it?

I develop a confluence plugin using atlassian sdk. When using plugins-version 2, according to Atlassian docs, for every <component/> a bean is instantiated; if the bean is public, it is also exposed as OSGI service (which I can see on the Felix console). (See atlassian docu.)
I have 3 components in my confluence plugin so far, one of them is public, the others are "private" (public="false"). My main bean (named "artifact-store") - the one which is public - I use in some macro classes and inject it via constructor. In atlassian-plugin.xml I've declared the component like this:
<component key="artifact-store" class="info.magnolia.sys.confluence.plugin.artifactinfo.artifactstore.ArtifactCache" name="Artifact store to cache artifacts" public="true">
<interface>info.magnolia.sys.confluence.plugin.artifactinfo.ArtifactSearch</interface>
<description key="artifact-store.decription">Artifact store to cache artifacts based on Atlassian cache api.</description>
</component>
Atlassian docu says: "Instances are created per usage (prototype-scope) ..." I doubt this. When debugging my macros, I always see the same instance of "artifact-store", that's why I think the scope is NOT "prototype".
This would be fine for me, I want the scope "singleton", but I'm unsure whether it really is.
For further bean control Atlassian recommends declaring the beans in META-INF/spring/, hence I've created the spring beans "definition" artifact-info-plugin/src/main/resources/META-INF/spring/artifact-info-plugin.xml; I have added there one bean:
<bean id="artifactSearchBean" class="info.magnolia.sys.confluence.plugin.artifactinfo.artifactstore.ArtifactCache" scope="singleton">
<description>A bean chaching artifact data</description>
</bean>
In atlassian-plugin.xml I've changed the component definition to:
<component key="artifact-store" class="bean:artifactSearchBean" name="Artifact store to cache artifacts" public="true">
<interface>info.magnolia.sys.confluence.plugin.artifactinfo.ArtifactSearch</interface>
<description key="artifact-store.decription">Artifact store to cache artifacts based on Atlassian cache api.</description>
</component>
I've tried it out, but it doesn't work for me; there is no more bean available; none of the components are created; as a consequence, the macros (consuming component beans) also aren't available any more.
To summarize the questions:
What's the bean scope of a confluence plugin <component/>?
Is the scope the same for both public and "private" component beans?
How can I ensure to have a singleton scoped bean?
Is it really possible to declare the component bean in META-INF/spring/beans.xml? If yes, how? Could you provide a short example?
Some maybe further interesting infos about my environment:
in pom:
<confluence.version>5.8.9</confluence.version>
<confluence.data.version>5.8.9</confluence.data.version>
<amps.version>5.1.11</amps.version>
in atlassian-plugin.xml: <atlassian-plugin plugins-version="2"/>
Because I'm not allowed to add more than 2 links, I'll add complete links to pom file, plugin xml and beans xml as comments.
What's the bean scope of a confluence plugin <component/>?
It's singleton
Is the scope the same for both public and "private" component beans?
Yes
How can I ensure to have a singleton scoped bean?
If defined in atlassian-plugin.xml they already are singleton.
Is it really possible to declare the component bean in META-INF/spring/beans.xml? If yes, how? Could you provide a short example?
I never tried defining beans.xml. I only have spring annotation config:
Added src/main/resources/META-INF/spring/spring.xml with following content:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd">
<context:annotation-config />
<context:component-scan base-package="com.jiraworkcalendar" />
</beans>

EJBAccessException when invoke local EJB on Wildfly

When I try to invoke local EJB I get EJBAccessException running my migrated Glassfish web application on Wildfly 8.2. I found the JBoss documentation all other than straightforward and need help, i.e. no link to JBoss documentation please.
I have no @DeclareRoles notation on my EJB to make it simple for now. I tried with and without using the security realm other adding jboss-web and jboss-ejb3 to tie the bean to a realm. But I still get the same exception.
I've read these tutorials, but can't get it to work. I am using MongoDB and JDBC security realm setup doesn't help me much. But for now I bypass the user-role authentication.
Migrating a Java EE App from GlassFish to WildFly
Invoke EJB from WildFly safely
And others
How can I run local EJB on Wildfly in my web application?
import javax.ejb.Stateless;
@Stateless
public class MyBean {
    public String sayHello() {
        ...
    }
}
jboss-web.xml
<jboss-web>
<security-domain>other</security-domain>
</jboss-web>
jboss-ejb3.xml
<assembly-descriptor>
<s:security>
<!-- Even wildcard * is supported -->
<ejb-name>*</ejb-name>
<!-- Name of the security domain which is configured in the EJB3 subsystem -->
<s:security-domain>other</s:security-domain>
</s:security>
</assembly-descriptor>
In WildFly 8, such methods which have no explicit security configurations, in a secured bean, will be treated similar to a method with @DenyAll configuration.
This behaviour can be controlled via the jboss-ejb3.xml deployment descriptor at a per bean level or a per deployment level as follows:
<?xml version="1.0" encoding="UTF-8"?>
<jboss:jboss
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:s="urn:security:1.1"
version="3.1" impl-version="2.0">
<assembly-descriptor>
<s:security>
<!-- Even wildcard * is supported where * is equivalent to all EJBs in the deployment -->
<ejb-name>FooBean</ejb-name>
<s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
</s:security>
</assembly-descriptor>
</jboss:jboss>
Setting missing-method-permissions-deny-access to false allows access to such methods for all users i.e. the behaviour will be switched to be similar to @PermitAll.
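
A pre-deployment check for the two settings quoted on this page that relax a default: forceTrustSSLCertificate in the SBT endpoint bean near the top of the page (true makes the endpoint accept the server certificate without validating it) and missing-method-permissions-deny-access in the jboss-ejb3.xml fragment above. This is an added example, not code from the original posts or from the SBT or WildFly projects; the function name audit_descriptor and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop '{namespace}' so prefixes do not matter

def _text(elem, name):
    """Text of the first direct child element called name, or None."""
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def audit_descriptor(xml_text):
    """Return findings for the two settings on this page that relax a default."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) == "managed-bean":
            for prop in elem:
                if (_text(prop, "property-name") == "forceTrustSSLCertificate"
                        and (_text(prop, "value") or "").lower() == "true"):
                    findings.append(f"bean {_text(elem, 'managed-bean-name')}: "
                                    "server certificate is not validated")
        elif elem.tag == "{urn:security:1.1}security":  # the s: namespace
            if (_text(elem, "missing-method-permissions-deny-access") or "").lower() == "false":
                ejb = _text(elem, "ejb-name")
                scope = "all EJBs in the deployment" if ejb == "*" else f"EJB {ejb}"
                findings.append(f"{scope}: methods without permissions are open to every caller")
    return findings

# Constructed samples modelled on the fragments quoted on this page.
MANAGED_BEANS = """<faces-config><managed-bean>
  <managed-bean-name>connections</managed-bean-name>
  <managed-bean-class>com.ibm.sbt.services.endpoints.ConnectionsSSOEndpoint</managed-bean-class>
  <managed-property>
    <property-name>forceTrustSSLCertificate</property-name>
    <value>true</value>
  </managed-property>
</managed-bean></faces-config>"""

JBOSS_EJB3 = """<jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns:s="urn:security:1.1">
  <assembly-descriptor><s:security>
    <ejb-name>*</ejb-name>
    <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
  </s:security></assembly-descriptor>
</jboss:jboss>"""

if __name__ == "__main__":
    for doc in (MANAGED_BEANS, JBOSS_EJB3):
        print(audit_descriptor(doc))
```

A wildcard ejb-name with the flag set to false is the widest form of the setting, which is why the check reports it as covering the whole deployment.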

Disable use of a proxy in IBM Social Business ToolKit

I am running into an Access-Control-Allow-Origin error when I am trying to build an OpenSocial Gadget with IBM Social Business ToolKit for IBM Connections.
I have 3 servers participating in this gadget:
CONNECTIONS: The IBM Connections 4.0 Server that will be hosting the gadget
IBMSBT: A server hosting the Social Business Toolkit scripts and app
JESSE_API: My application server hosting the API that the gadget will be using
The gadget xml is loaded from JESSE_API by CONNECTIONS. The view for the gadget loads scripts and makes calls to JESSE_API. I would like to use the Social Business Toolkit for accessing parts of Connections so the gadget view is also loading those components from IBMSBT.
I am currently just prototyping this - I was able to make this work just using the Connections 4.0 API but would rather use the SBT libraries.
For getting started I just dropped in the "Get My Communities - Main Window" snippet into my gadget's view and included the following scripts:
<script type="text/javascript">
var djConfig = {
parseOnLoad: true
};
</script>
<script src="//IBMSBT/sbt.dojo180/dojo/dojo.js"></script>
<script src="//IBMSBT/sbt.sample.web/library?ver=1.8.0"></script>
Reloading the gadget gives the following error in the console:
XMLHttpRequest cannot load http://IBMSBT/sbt.sample.web/service/proxy/connections/http/CONNECTIONS/communities/service/atom/communities/my?ps=5
Since my gadget was running on the CONNECTIONS server I should not need the proxy. I did not see an immediate way to disable the proxy for this endpoint so I just set a breakpoint in Endpoint.js before line 160 where the following code is executed:
if(this.proxy) {
args.url = this.proxy.rewriteUrl(args.url,this.proxyPath);
}
When the breakpoint hits, I set this.proxy = null which causes the proxy to not be used and the community information to return correctly.
My question is should I be doing this differently or should a way be added to bypass the use of a proxy given the structure I am currently using?
The SDK Proxy does not need to be used in this environment. We've made some changes in this area recently as part of the work to support OAuth. What you need to do is configure the SDK library initialization so it knows it's running in a Gadget context.
Take a look at the acme.social.sample.webapp:
In faces-config.xml you will see an environment for use with OpenSocial
<!-- OpenSocial Environment -->
<managed-bean>
<managed-bean-name>openSocial</managed-bean-name>
<managed-bean-class>com.ibm.sbt.jslibrary.SBTEnvironment</managed-bean-class>
<managed-bean-scope>application</managed-bean-scope>
<managed-property>
<property-name>endpoints</property-name>
<value>acmeAirOS:acmeAir</value>
</managed-property>
</managed-bean>
The endpoint definition used a gadget endpoint (further down in the faces-config.xml)
<managed-bean>
<managed-bean-name>acmeAirOS</managed-bean-name>
<managed-bean-class>com.ibm.sbt.services.endpoints.GadgetOAuthEndpoint</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
<managed-property>
<property-name>url</property-name>
<value>%{acme.url}</value>
</managed-property>
</managed-bean>
In the gadget xml (or imported html) when loading the library pass a parameter to indicate that the OpenSocial environment should be used
<script type="text/javascript" src="../../library?ver=1.8.0&context=gadget&env=openSocial"></script>
Based on the information from Mark Wallace, I looked a bit closer at what the /library/ endpoint was doing.
I was not able to make it quite work exactly with that code but the following works nicely:
<script data-dojo-config="parseOnLoad:true"
src="//IBMSBT/sbt.dojo180/dojo/dojo.js.uncompressed.js"></script>
<script>
if(typeof _sbt=='undefined' || window._sbt_bridge_compat){
_sbt=0;
dojo.registerModulePath('sbt','http://IBMSBT/sbt/js/sdk/sbt');
dojo.registerModulePath('sbt/_bridge','http://IBMSBT/sbt/js/sdk/_bridges/dojo-amd');
dojo.registerModulePath('sbt/dojo','http://IBMSBT/sbt/js/sdk/dojo');
define('sbt/config',['sbt/Proxy','sbt/_bridge/Transport','sbt/authenticator/Basic','sbt/Endpoint'],function(Proxy,Transport,Basic,Endpoint){
window.sbt = {};
sbt.Properties={
"sbtUrl":"http:\/\/IBMSBT\/sbt\/js\/sdk"
};
sbt.Endpoints={
'connections':new Endpoint({
"baseUrl":"http:\/\/connectionsww.demos.ibm.com",
"transport":new Transport({}),
"authType":"basic",
"authenticator":new Basic({}),
"proxyPath":"connections"})
};
return sbt;
});
}
</script>
The contents of the script tag was basically the output from the /library/ endpoint. The sbt.Endpoints.connections definition originally included a defined proxy attribute which I removed.

linkout failing with conflicting JSESSIONID

I have an issue with the linkout of my application (say App2) on another application (say App1).
Both are web applications and so both are creating their own JSESSION IDs. The linkout opens in a pop up and single sign on works (siteminder passing the sm user cookie), but as soon as I perform any transaction on the linked application I am thrown out stating the session is either timed out or invalid.
I looked at the cookies present on the browser and found that both the JSESSION IDs are present. The only difference is in the domain scope of both the JSESSION IDs. App1 application has domain scope of say abc.com whereas App2 has app2.abc.com
I tried changing the name of the JSESSION ID cookie of App2 but the application did not work with the renamed JSESSION cookie.
Any suggestion on how I can fix this?
Note: The environment for App2 is was5
Regards
AVN
You should use a different cookie name in config.xml. Change any one of the apps to use a cookie name other than JSESSIONID, something like the following.
War:
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>APP1SESSIONID</cookie-name>
</session-descriptor>
</weblogic-web-app>
Ear:
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-application xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>APP1SESSIONID</cookie-name>
</session-descriptor>
</weblogic-application>
Now you will have both the cookies and they will not overwrite one another.
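
Why the linked application reports an invalid session, and why the rename fixes it, modelled as an added example (not from the original posts): under RFC 6265 a cookie scoped to abc.com is also sent to app2.abc.com, so the request to App2 carries two JSESSIONID pairs. The cookie jar, the session values and the assumption that the server uses the first pair with a matching name are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # Domain attribute, or the setting host for a host-only cookie
    host_only: bool   # True when the server sent no Domain attribute
    created: int      # creation order in the browser's cookie store

def domain_match(host, cookie):
    """RFC 6265 5.1.3: exact host, or a subdomain of a Domain-scoped cookie."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)

def cookie_header(host, jar):
    """Pairs sent to host; with equal paths the older cookie is listed first (5.4)."""
    sent = sorted((c for c in jar if domain_match(host, c)), key=lambda c: c.created)
    return "; ".join(f"{c.name}={c.value}" for c in sent)

def session_id(header, cookie_name):
    """Assumed server behaviour: take the first pair whose name matches."""
    for pair in header.split("; "):
        name, _, value = pair.partition("=")
        if name == cookie_name:
            return value
    return None

def linkout(app1_cookie_name):
    """User logs in to App1 first, then opens App2 (cookie JSESSIONID) in the pop-up."""
    jar = [
        Cookie(app1_cookie_name, "app1-session", "abc.com", False, created=1),
        Cookie("JSESSIONID", "app2-session", "app2.abc.com", True, created=2),
    ]
    header = cookie_header("app2.abc.com", jar)
    return header, session_id(header, "JSESSIONID")

if __name__ == "__main__":
    print(linkout("JSESSIONID"))     # App2 reads App1's session ID and rejects it
    print(linkout("APP1SESSIONID"))  # renamed: App2 finds its own session ID
```

In both runs App1's session value is still sent to app2.abc.com, because the abc.com scope covers every host under that domain; the rename removes the name collision, not that exposure.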
