Topic
2 replies Latest Post - ‏2014-02-26T17:58:21Z by FWQC_Jarrett_Peterson
FWQC_Jarrett_Peterson
3 Posts
ACCEPTED ANSWER

Pinned topic FSSO Config with Oracle BPEL Worklist -b Supply

‏2014-02-19T19:28:53Z |

Hi, I'm attempting to configure FSSO to log into the Oracle BPEL worklist application.  I'm having some issues with it as I can't tell whether WebSEAL is even trying to connect or not.  I've been using Firebug and HttpFox in order to see the various headers, but I keep getting kicked back to the login page.

Ideally I'd like to be able to just pass the TAM username and password, as we can configure the app to work with LDAP.  If that doesn't work, then I'd like to configure it to pass the user's TAM name and the -b supply generic password.  I'm not sure how to pass either password, and I'm working on verifying that TAM is actually intercepting the login page correctly.

We're on a tight schedule and this task got thrown to me as I manage our Development TAM environment and wrote the SSO code for the previous version of the app utilizing the PDJRTE (this method no longer viable), so I would appreciate any help that could be posted as I continue to research it.

Output from HttpFox:

00:00:07.103 0.551 618 219 GET 302 Redirect to: https://URL/integration/worklistapp/faces/login.jspx 

https://URL/integration/worklistapp/faces/home.jspx?_afrWindowMode=0&_afrLoop=343953083561000&_adf.ctrl-state=7kybsw135_14

----

00:00:07.695 0.353 548 2833 GET 200 text/html https://URL/integration/worklistapp/faces/login.jspx

<html lang="en-US"><head><script>
/*
** Copyright (c) 2008, Oracle and/or its affiliates. All rights reserved.
*/

/**
 * This is the loopback script to process the url before the real page loads. It introduces
 * a separate round trip. During this first roundtrip, we currently do two things:
 * - check the url hash portion, this is for the PPR Navigation.
 * - do the new window detection
 * the above two are both controled by parameters in web.xml
 *
 * Since it's very lightweight, so the network latency is the only impact.
 *
 * here are the list of will-pass-in parameters (these will replace the param in this whole
 * pattern:
 *        viewIdLength                           view Id length (characters),
 *        loopbackIdParam                        loopback Id param name,
 *        loopbackId                             loopback Id,
 *        windowModeIdParam                      window mode param name,
 *        clientWindowIdParam                    client window Id param name,
 *        windowId                               window Id,
 *        initPageLaunch                         initPageLaunch,
 *        enableNewWindowDetect                  whether we want to enable new window detection
 *        jsessionId                             session Id that needs to be appended to the redirect URL
 *        enablePPRNav                           whether we want to enable PPR Navigation
 *        internalParamsObj                      an object whose keys are the names of the internal parameters and whose values evaluate as true
 *        noLoopbackViewId                       View Id used where the page should be redirected when the session cannot be established due to the
 *                                               browser with disabled cookies accessing a server with URL rewriting disabled
 */
 
 
function _addParam(queryString, paramName, value)
{
  var hasValue = (value != null && value !== '');
   
  if (hasValue)
  {
    if (queryString == null || queryString ==='')
    {
      queryString = "?";
    }
    else
    {
      queryString += "&";
    }
    queryString = queryString + paramName + '=' + value;
  }
  return queryString;
}

function _cookiesEnabled()
{
  return (navigator && navigator.cookieEnabled);
}

var internalParams = {'_afrLoop':1,'_afrWindowMode':1,'_afrWindowId':1,'_afrRedirect':1};
var queryParamNames = [];
var queryParamValues = [];


function _addQS(pname, pvalue)
{
  if (!internalParams[pname])
  {
    queryParamNames.push(pname);
    queryParamValues.push(pvalue)
  }   
}

function _replaceCallback (p0, pname, p2, pvalue)
{
  _addQS(pname, pvalue);
}


var id = null;
var query = null;
var href = document.location.href;
var hashIndex = href.indexOf("#");
var hash = null;

/* process the hash part of the url, split the url */
if (hashIndex > 0)
{
  hash = href.substring(hashIndex + 1);
  /* only analyze hash when pprNav is on */
  if (false && hash && hash.length > 0)
  {
    hash = decodeURIComponent(hash);
    if (hash.charAt(0) == "@")
    {
      query = hash.substring(1);
    }
    else
    {
      var state = hash.split("@");
      id = state[0];
      query = state[1];
    }
  }
  href = href.substring(0, hashIndex);
}

/* process the query part */
var queryIndex = href.indexOf("?");
if (queryIndex > 0)
{
  // only when pprNav is on, we take in the query from the hash portion
  query = (query || (id && id.length>0))? query: href.substring(queryIndex);
  href = href.substring(0, queryIndex);
}

if (query != null && query.length > 0)
{
  // extract all query parameters
  query.replace(/([^?=&]+)(=([^&]*))?/g, _replaceCallback);
 
  query = null;
  if (queryParamNames.length > 0)
  {
    query = '';
   
    for (var i = 0; i < queryParamNames.length; i++)
    {
      var n = queryParamNames[i];
      var v = queryParamValues[i];
      query = query +  ((i == 0) ? '?' : '&')  + n +  '=' + ((v == null) ? '' : v);
    }
  }
}

var jsessionIndex = href.indexOf(';');
if (jsessionIndex > 0)
{
  href = href.substring(0, jsessionIndex);
}


// Check whether HTTP session can be established by verifying that cookies are enabled or URL rewriting is on.
// If not, abort processing and redirect to an error page
if (!'' && !_cookiesEnabled())
{
  window.location.replace(href.substring(0, href.length - 11) + '/_noloopbackerror_');
}
else
{
  /* we will replace the viewId only when pprNav is turned on */
  if (false)
  {
    if (id != null && id.length > 0)
    {
      href = href.substring(0, href.length - 11) + id;
    }
  }
 
  query = _addParam(query, "_afrLoop", "432442189908000");
 
  /* below is the new window detection logic */
  var initWindowName = "_afr_init_"; // temporary window name set to a new window
  var windowName = window.name;
 
  // if the window name is "_afr_init_", treat it as redirect case of a new window
  if ((true) && (!windowName || windowName==initWindowName ||
      windowName!="null")) 
  {
    /* append the _afrWindowMode param */
    var windowMode;
    if (true)
    {
      /* this is the initial page launch case,
         also this could be that we couldn't detect the real windowId from the server side */
      windowMode=0;
    }
    else if ((href.indexOf("/__ADFvDlg__") > 0) || (query.indexOf("__ADFvDlg__") >= 0))
    {
      /* this is the dialog case */
      windowMode=1;
    }
    else
    {
      /* this is the ctrl-N case */
      windowMode=2;
    }
   
    query = _addParam(query, "_afrWindowMode", windowMode);
 
    /* append the _afrWindowId param */
    var clientWindowId;
    /* in case we couldn't detect the windowId from the server side */
    if (!windowName || windowName == initWindowName)
    {
      clientWindowId = "null";
     
      // set window name to an initial name so we can figure out whether a page is loaded from
      // cache when doing Ctrl+N with IE
      window.name = initWindowName;
    }
    else
    {
      clientWindowId = windowName;
    } 
   
    query = _addParam(query, "_afrWindowId", clientWindowId);
   
  }
 
  var sess = "";
 
  if (sess)
  {
    /* here we check the jsessionId, if we ask the container to send jsessionId as */
    /* a parameter then it will look like "?jsessionid=xxx". */
    if (sess.indexOf(";")==0)
    {
      href += sess;
    }
    else if (sess.indexOf("?") == 0)
    {
      /* at this time query should already be non-empty */
      query += "&" + sess.substr(1);
    }
  }
 
  /* if pprNav is on, then the hash portion should have already been processed */
  if ((false) || (hash == null))
    document.location.replace(href + query);
  else
    document.location.replace(href + query + "#" + hash);
}
</script><noscript>This page uses JavaScript and requires a JavaScript enabled browser.Your browser is not JavaScript enabled.</noscript></head></html>

-----

00:00:08.078 0.039 524 (2506) GET (Cache) text/html https://URL/integration/worklistapp/faces/login.jspx

----

00:00:08.165 0.178 689 249 GET 302 Redirect to: https://URL/integration/worklistapp/faces/login.jspx?_afrLoop=432442671063000&_afrWindowMode=0&_adf.ctrl-state=qg5qkw73t_4 

https://URL/integration/worklistapp/faces/login.jspx?_afrLoop=432442189908000&_afrWindowMode=0&_afrWindowId=9t8p8nree_1

---

 

When I manually log into the form, since there is no redirect (using the -b supply password at this time, but could put in the TAM password on a different server with a realm configured):

 

j_character_encoding utf-8
j_username USERNAME

j_password PASSWORD

event loginButton
event.loginButton <m xmlns="http://oracle.com/richClient/comm"><k v="type"><s>action</s></k></m>

-----

fsso.conf

[forms-sso-login-pages]
login-page-stanza = oracle_login_page

[oracle_login_page]
# The HelpNow site redirects you to this page
# you are required to log in.
login-page = /integration/worklistapp/faces/login.jspx\?*

# The login form is the first in the page, so we can just call it
# '*'.
login-form-action = *

# The GSO resource, helpnow, contains the employee serial number.
gso-resource =

# Authentication arguments follow.
argument-stanza = auth-data

[auth-data]
# The 'data' field contains the employee serial number.
j_username = cred:azn_cred_principal_name
#j_password = not sure what to put here
event = loginButton

# The Cntselect field contains a number corresponding to the employee's
# country of origin. The string "897" corresponds to the USA.
#Cntselect = string:897

 s t webseal create -t tcp -h host -f -S /opt/pdweb/fsso/fsso.conf -b supply -c iv_user,iv_groups -j -p 8001 /bpelworklist

  • FWQC_Jarrett_Peterson

    Re: FSSO Config with Oracle BPEL Worklist -b Supply

    ‏2014-02-20T19:22:04Z  in response to FWQC_Jarrett_Peterson

    Would really love some help with this if someone has played around with it more.

    • FWQC_Jarrett_Peterson

      Re: FSSO Config with Oracle BPEL Worklist -b Supply

      ‏2014-02-26T17:58:21Z  in response to FWQC_Jarrett_Peterson

      Got it to work to where it actually processes the page, but it's unable to find the login form -- possibly due to JavaScript.  IBM support assisted with providing the debug code to enable us to see what FSSO was actually doing.
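
Added example, not part of the thread and not IBM or Oracle code: the first login.jspx response captured in the opening post contains only a script and a noscript element, so a proxy that parses that body has no form to fill. The Node.js check below classifies a captured response body and reports which of the posted login fields (j_username, j_password, event) the first form lacks; both sample bodies are constructed, and the rendered login form markup is hypothetical.

```javascript
// Added diagnostic, not WebSEAL code: inspect a captured login-page response body
// the way a form-filling SSO proxy must, by looking for a <form> and its fields.

// Field names the post shows being submitted by a manual login.
const EXPECTED_FIELDS = ['j_username', 'j_password', 'event'];

// Return every <form> in the HTML with its action and named input fields.
function findForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const action = (/\baction\s*=\s*["']([^"']*)["']/i.exec(m[1]) || [])[1] || '';
    const fields = [];
    const inputRe = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
    let f;
    while ((f = inputRe.exec(m[2])) !== null) fields.push(f[1]);
    forms.push({ action, fields });
  }
  return forms;
}

// Classify a response: ADF loopback page, usable login form, or neither.
function classifyLoginResponse(html) {
  const forms = findForms(html);
  if (forms.length === 0) {
    const loopback = /_afrLoop/.test(html) && /location\.replace\(/.test(html);
    return { kind: loopback ? 'adf-loopback-no-form' : 'no-form', missing: EXPECTED_FIELDS };
  }
  const first = forms[0]; // the posted fsso.conf uses login-form-action = * (first form)
  const missing = EXPECTED_FIELDS.filter((n) => !first.fields.includes(n));
  return { kind: missing.length ? 'form-missing-fields' : 'login-form', action: first.action, missing };
}

// Constructed sample 1: reduced version of the loopback response shown in the post.
const LOOPBACK_BODY = '<html lang="en-US"><head><script>' +
  'query = _addParam(query, "_afrLoop", "432442189908000");' +
  'document.location.replace(href + query);' +
  '</script><noscript>This page uses JavaScript</noscript></head></html>';

// Constructed sample 2: hypothetical rendered login form using the posted field names.
const FORM_BODY = '<html><body><form action="/integration/worklistapp/faces/login.jspx" method="post">' +
  '<input type="text" name="j_username"><input type="password" name="j_password">' +
  '<input type="hidden" name="event"></form></body></html>';

console.log(classifyLoginResponse(LOOPBACK_BODY));
console.log(classifyLoginResponse(FORM_BODY));
```

Running it against each body saved from the browser's network trace shows which request in the redirect chain actually returns a form.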