Possible to write a custom login page that does custom authentication?

Hello

Is it possible to write a custom login page that does our own authentication? We are having some problems using a virtual IP (from BigIP hardware) for https.

In other words, does the API exist to initiate a web application session to the cms server?

Thanks,
db.

Yes, such an API exists. It’s also possible to write a custom login module.

However, if you’re trying to use SSL that terminates at a load balancer (such as BigIP), this is not the solution to your problem.

What you have to do is modify the server.xml file for the internal Tomcat instance. This file is located at:

/Rhythmyx/AppServer/server/rx/deploy/jbossweb-tomcat55.sar/server.xml

The connector node will look like this:

<Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" connectionTimeout="20000" disableUploadTimeout="true" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="250" minSpareThreads="25" port="9992" redirectPort="8443" scheme="https" strategy="ms" proxyName="BigIP.somedomain" proxyPort="443" secure="true"/>

You’ll need to set the proxyName to match the actual server address of your BigIP device, and restart Rhythmyx.

Once you’ve changed this, you will only be able to access Rhythmyx via the BigIP device, you cannot access it directly.

Dave

If we can get the SSL configuration to work that will be ideal. However I would also like to develop an SSO application that will pass a token with a timestamped hash from our schools portal.

Can you point me towards the api to initiate a web session to the cms so I can implement both of these solutions in parallel?

There are 2 different approaches, if you want to replace the login screen (and perhaps do a little custom processing) you can create a new login.jsp. This process is explained in the Security chapter of the Rhythmyx Technical Reference. Rhythmyx 6.5.2 documentation

If you need to have the login process outside of Rhythmyx (on another system, for example), then you can do this with Web Services. Login using the standard calls in the Security interface. The returned PSLogin object has a getSessionId() method. This will return a String (actually, a long hex number) that represents the session. Pass this as the “pssessionid” parameter when you open the browser.

http://localhost:9992/Rhythmyx/sys_cx/mainpage.html?pssessionid=f19d58138d6141564c9a057f8d085fe8b6507cb0

I hope this helps

Dave

Dave

Thanks for the pointers. I was able to integrate the CMS login with our school’s portal single sign on by adding some custom processing in the rxlogin.jsp

Interesting. Some of the documentation advises system designers to add new “CMS role” fields to the SSO LDAP, something that won’t happen anytime soon here. Were you able to avoid that step with your custom JSP? Where is your role and community information stored?

The method we are using is just to protect a clear text password from going over the network, since our cms server is off site at a remote data center.

So what we will do is write a custom login page on some server protected with SSL ( not the cms server ).

The pseudo cms login page will look something like this:

     <form action="encrypt_password.jsp" method="post">
        <input id="j_username" type="text" name="j_username">
        <input id="j_password" type="password" name="j_password">
        <input name="Submit" type="submit" value="Submit Query">
     </form>

Then the encrypt_password.jsp will blowfish the password with a secret key and post the user_name and encrypted password to http://localhost:9992/Rhythmyx/login

If you look at rxlogin.jsp located at

/cms/Rhythmyx/AppServer/server/rx/deploy/rxapp.ear/rxapp.war/

you will see the following code:

     String username = request.getParameter("j_username");
     String password = request.getParameter("j_password");
     String error = request.getParameter("j_error");

     if (username == null)
        username = "";
     if (password == null)
        password = "";

We will modify the code to something like this:

     String username = request.getParameter("j_username");
     String password = request.getParameter("j_password");
     // Sent by encrypt_password.jsp in place of j_password when the SSL-protected front page is used.
     String crypt_password = request.getParameter("crypt_password");

     if (crypt_password != null) {
        // secret_key is the Blowfish key shared with encrypt_password.jsp (loaded from protected config).
        password = decrypt_password(secret_key, crypt_password);
     }

     String error = request.getParameter("j_error");

     if (username == null)
        username = "";
     if (password == null)
        password = "";

Doing this avoids having to add CMS role to our ldap directory. We just use the default setup out of the box for role and community. Essentially this customization takes a crypted password and decrypts it in the login page.
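As an added example (not code from this thread or from Percussion), here is one way to implement the encrypt_password.jsp to rxlogin.jsp hand-off described above as a single reusable Java class that both pages can call. It keeps the post's shared-key Blowfish design but adds what a practitioner would want around it: a random IV, an issue timestamp inside the plaintext, and an HMAC over the ciphertext, so a captured crypt_password value can neither be altered nor replayed later; this is the "timestamped hash" idea raised earlier in the thread. The class name, the "iv:ciphertext:mac" envelope layout, the one-minute window and the demo keys are assumptions; it needs only the JDK (Java 8 or later).

```java
// Added example, not code from the thread or from Percussion: a sealed-password
// envelope for the encrypt_password.jsp -> rxlogin.jsp hand-off described above.
// The "iv:ciphertext:mac" layout, the class name and the key names are assumptions.
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordEnvelope {
    private static final long MAX_AGE_MS = 60_000;   // assumed replay window: one minute
    private final SecretKeySpec encKey;   // Blowfish key shared by both JSPs
    private final SecretKeySpec macKey;   // separate key for the HMAC

    public PasswordEnvelope(byte[] encKeyBytes, byte[] macKeyBytes) {
        this.encKey = new SecretKeySpec(encKeyBytes, "Blowfish");
        this.macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
    }

    /** encrypt_password.jsp side: returns the value to post as crypt_password. */
    public String seal(String password, long nowMs) throws Exception {
        byte[] iv = new byte[8];                      // Blowfish block size is 8 bytes
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        // The timestamp travels inside the ciphertext, so it is covered by encryption and MAC alike.
        byte[] ct = c.doFinal((nowMs + ":" + password).getBytes(StandardCharsets.UTF_8));
        byte[] tag = hmac(iv, ct);                    // encrypt-then-MAC over IV and ciphertext
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(iv) + ":" + b64.encodeToString(ct) + ":" + b64.encodeToString(tag);
    }

    /** rxlogin.jsp side: returns the password, or null if the envelope is malformed, tampered or stale. */
    public String open(String envelope, long nowMs) throws Exception {
        String[] parts = envelope.split(":");
        if (parts.length != 3) return null;
        byte[] iv, ct, tag;
        try {
            Base64.Decoder b64 = Base64.getDecoder();
            iv = b64.decode(parts[0]);
            ct = b64.decode(parts[1]);
            tag = b64.decode(parts[2]);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        if (!MessageDigest.isEqual(tag, hmac(iv, ct))) return null;   // constant-time compare
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        String plain = new String(c.doFinal(ct), StandardCharsets.UTF_8);
        int sep = plain.indexOf(':');                 // first colon only; passwords may contain colons
        if (sep < 0) return null;
        long issued = Long.parseLong(plain.substring(0, sep));
        if (issued > nowMs || nowMs - issued > MAX_AGE_MS) return null;
        return plain.substring(sep + 1);
    }

    private byte[] hmac(byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);
        return mac.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo keys; a deployment loads both from protected configuration on each server.
        PasswordEnvelope env = new PasswordEnvelope(
            "demo-blowfish-key-16".getBytes(StandardCharsets.UTF_8),
            "demo-hmac-key-used-only-for-this-sample".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String sealed = env.seal("s3cret:pass", now);
        System.out.println("fresh:    " + env.open(sealed, now + 5_000));
        System.out.println("stale:    " + env.open(sealed, now + 120_000));
        // Splice the MAC from a different envelope onto this one: valid Base64, but the MAC check fails.
        String[] a = sealed.split(":");
        String[] b = env.seal("other", now).split(":");
        System.out.println("tampered: " + env.open(a[0] + ":" + a[1] + ":" + b[2], now));
    }
}
```

In the modified rxlogin.jsp the call would be `password = envelope.open(crypt_password, System.currentTimeMillis())`, with a null result handled as a failed login before the existing username/password code runs. Because the Base64 fields contain `+`, `/` and `=`, the posting page must submit the value as a normal form field (the browser URL-encodes it and `request.getParameter` decodes it), not paste it into a query string by hand.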

According to the developer at the other end of my office, CAS (the central authentication service which we and many universities use), works a little differently. You cannot just make a call to a web service via programmatic APIs. You first have to send the user to the CAS site, and then they log in there (SSL protected site). They are then returned to the page passed in the returnUrl= GET parameter. When they get to that page they have a ticket in the url (ticket=). The page looks for that ticket, and then sends a programmatic request to the CAS service to validate the ticket. When the ticket is validated, it gets returned with a user ID number and a username. The page then takes that, and passes it to the Rhythmyx system for authorization in the CMS. Essentially, the login page in the CMS will not have any actual HTML on it because it never really gets seen by anyone.

In order to use CAS, you would have to implement some code on the cms server to do custom validation and initialize a web session from the rhythmyx web app, correct?

barre57e, essentially you are correct, according to my developer friend. However, if the Rhythmyx web app can already do some kind of session creation and validation, we can just tap into that. One way he’s done this before is to set all user passwords to the same thing, and then use that to just validate that in fact their user ID was in the application database. Since the login occurs through CAS, the password in Rhythmyx is not really important anymore. After the login is validated (through CAS), we pass the user ID to Rhythmyx as if it were a username, with the standard password.

He continues:

I also believe that you can change the query run to get the username/passwords and validate them. In this case, we could modify the system so that only the username is returned and do away with the password all together. I’m not sure how to accomplish this using Eclipse [Workbench] however, and I’m pretty sure that would need to be done as well.
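As an added example (not code from this thread, from Percussion, or from any CAS client library), here is the redirect-and-validate exchange the two posts above describe, written from the receiving page's side. The endpoint paths, the `service` parameter (the CAS protocol's name for what the post calls returnUrl) and the XML namespace follow the CAS 2.0 protocol; the CAS base URL, the service URL and the sample responses are constructed, and the code assumes Java 11 or later. The security-relevant point it demonstrates is that the ticket in the URL proves nothing by itself: the page must validate it over a back channel, for exactly the service URL used in the redirect, before handing the returned username on to the Rhythmyx session step.

```java
// Added example, not code from the thread or from any CAS client library: the
// redirect-and-validate exchange described above, from the receiving page's side.
// Endpoint paths and XML shape follow CAS 2.0; URLs and sample responses are constructed.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class CasTicketValidator {
    private static final String CAS_NS = "http://www.yale.edu/tp/cas";  // CAS 2.0 response namespace
    private final String casBase;   // e.g. https://cas.example.edu/cas (constructed)

    public CasTicketValidator(String casBase) { this.casBase = casBase; }

    /** Step 1: where to send an unauthenticated user; CAS returns them to serviceUrl?ticket=ST-... */
    public String loginRedirect(String serviceUrl) {
        return casBase + "/login?service=" + URLEncoder.encode(serviceUrl, StandardCharsets.UTF_8);
    }

    /** Step 2: back-channel validation. The ticket is trusted only after CAS confirms it,
     *  and only for the same service URL that was used in step 1. */
    public String validate(String serviceUrl, String ticket) throws Exception {
        String url = casBase + "/serviceValidate?service="
                   + URLEncoder.encode(serviceUrl, StandardCharsets.UTF_8)
                   + "&ticket=" + URLEncoder.encode(ticket, StandardCharsets.UTF_8);
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        try (InputStream in = conn.getInputStream()) {
            return parseResponse(in.readAllBytes());
        }
    }

    /** Parses a serviceValidate response; returns the CAS username, or null if not authenticated. */
    public static String parseResponse(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        if (doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess").getLength() == 0) return null;
        NodeList user = doc.getElementsByTagNameNS(CAS_NS, "user");
        if (user.getLength() == 0) return null;
        String name = user.item(0).getTextContent().trim();
        return name.isEmpty() ? null : name;
    }

    public static void main(String[] args) throws Exception {
        CasTicketValidator cas = new CasTicketValidator("https://cas.example.edu/cas");
        String service = "https://cms.example.edu/Rhythmyx/casReturn.jsp";   // constructed
        System.out.println("redirect: " + cas.loginRedirect(service));

        // Constructed responses in the shape CAS returns from /serviceValidate.
        String success = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
            + "<cas:authenticationSuccess><cas:user>jsmith</cas:user></cas:authenticationSuccess>"
            + "</cas:serviceResponse>";
        String failure = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>"
            + "<cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>"
            + "</cas:serviceResponse>";
        System.out.println("success:  " + parseResponse(success.getBytes(StandardCharsets.UTF_8)));
        System.out.println("failure:  " + parseResponse(failure.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The page that receives `?ticket=` calls `validate(service, ticket)` and proceeds to the Rhythmyx session step only on a non-null result; tickets are single-use on the CAS side, so a second validation of the same ticket fails, which is the behaviour this code relies on. How the username is then turned into a Rhythmyx session is the part the thread leaves to the Rhythmyx documentation and is not shown here.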

Here is the working code minus our desEncrypter method. It works without using any additional jars… just drop the new page in and add your own desEncrypter call.

Still playing around with the javascript autosubmit.

Hello - I know this is a very old thread, but we are looking at doing something similar and was hoping that there is an updated solution?

Thanks

Jeff