Unsecured RSS Feeds


Jason Bird (511) | asked Jul 18 '09, 2:12 p.m.
Hey folks!

We have some people internally who really want to use Outlook to see all work item changes.

I don't think email notifications will work because:

1) I don't think there's a way to automagically subscribe them to all work items (and all new work items) and
2) I don't think there's an email notification setting for "all work items regardless of my relationship with them"

So I figured the easiest way would be to simply subscribe them to an RSS feed of work item changes.

Here I ran into the problem of Outlook not being able to handle authenticated feeds. I found a Jazz technote (http://jazz.net/library/technote/75) by Ritchie that seems to give me 2 options:

a) Switch from Form-based to Basic auth or
b) Unsecure just the RSS URLs

I don't want to try 'a' because we are stuck with Tomcat for the time being and Basic auth would not be performant. So I want to make just the RSS feeds non-secure.

Per the technote, I first added the following security constraint to the web.xml in the jazz web app:

<opens>
<security>
<web>
<web>unsecure_feeds</web>
<url>/events/*</url>
</web>
</security>

I then restarted Jazz (making sure that the web.xml change was not overwritten for any reason) and tried the following URL:

http://build:9080/jazz/events?itemType=WorkItem

However, this does not work - I am still redirected to the Form auth page and required to login.

So my question is, is this approach still valid in 2.0? And if so, what am I missing?

Thanks!
Jason

Accepted answer


Ritchie Schacher - IBM (47611) | answered Oct 16 '09, 2:02 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
The tech-tip applies to RTC 1.0 and needs an update for 2.0.

This changed with the introduction of oauth support. See work item Clarify
story for unsecuring url patterns (76724).

You can unsecure "events" now by setting the advanced config. property named
"Allowed Anonymous URL Prefixes".

I tested this just now and it works.
--
Ritchie Schacher
Jazz Server Development

"ryanman" <ryanman> wrote in message
news:hba6l3$fm5$1@localhost.localdomain...
Ok. So essentially, the unauthenticated feeds guidance in
http://jazz.net/library/technote/75 is not really complete. If
followed, it doesn't really work. You just get redirected back to
https and forced to login.
Ritchie Schacher - IBM selected this answer as the correct answer

12 other answers



Jason Bird (511) | answered Jul 18 '09, 2:15 p.m.
Non-garbled version of the security constraint XML:

<!-- opens up /jazz/events -->
<security-constraint>
<web-resource-collection>
<web-resource-name>unsecure_feeds</web-resource-name>
<url-pattern>/events/*</url-pattern>
</web-resource-collection>
</security-constraint>

And for the URL I tested - "build" is the name of our build machine.
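
An added example (not part of the original post or of the Jazz product): a Python audit of a web.xml that reports which URL patterns the servlet container serves without login, which is the effect of a security-constraint that has no auth-constraint. The descriptor is constructed; SampleRole and /internal/* are assumptions, and the script does not cover Jazz's own "Allowed Anonymous URL Prefixes" property.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the shipped Jazz web.xml); SampleRole, /internal/* are made up.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SampleRole</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unsecure_feeds</web-resource-name>
      <url-pattern>/events/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix, if any

def audit_constraints(web_xml_text):
    """Return (url-pattern, access, transport) for each constrained pattern."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for sc in [e for e in root.iter() if local(e.tag) == "security-constraint"]:
        kids = {local(c.tag): c for c in sc.iter()}
        auth = kids.get("auth-constraint")
        if auth is None:
            access = "anonymous"      # no auth-constraint: no login required
        else:  # an auth-constraint with no role-name denies everyone
            has_role = any(local(c.tag) == "role-name" for c in auth)
            access = "authenticated" if has_role else "denied"
        tg = kids.get("transport-guarantee")
        transport = (tg.text or "").strip() if tg is not None else "NONE"
        findings += [(c.text.strip(), access, transport)
                     for c in sc.iter() if local(c.tag) == "url-pattern"]
    return findings
```

Calling `audit_constraints(SAMPLE_WEB_XML)` lists `/events/*` as anonymous with no transport guarantee, so anything matching that pattern is readable without credentials and over plain HTTP.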

Jason Bird (511) | answered Jul 23 '09, 8:15 p.m.
No replies on this yet - anyone? Buehler?

Work Item & UI Commons Team (1.3k1) | answered Oct 14 '09, 11:42 a.m.
jbirdman wrote:
Non-garbled version of the security constraint XML:

<!-- opens up /jazz/events -->
<security-constraint>
<web-resource-collection>
<web-resource-name>unsecure_feeds</web-resource-name>
<url-pattern>/events/*</url-pattern>
</web-resource-collection>
</security-constraint>

And for the URL I tested - "build" is the name of our build
machine.


We have the same issue on Jazz.net at the moment and I think our
webmaster wanted to look into changing feed access to base
authentication instead of form based one to support 3rd party readers
but I am not aware of the outcome of this (I think we are still on form
based authentication).

Anyhow, I guess the problem is that feeds are loaded from the feed
service, e.g. URLs for feeds look like this:

/jazz/service/com.ibm.team.repository.common.internal.IFeedService?...

I guess in your case you are redirected to this URL and as such have to
log in again. Can you confirm?

Regards,
Ben

--
Benjamin Pasero
Work Item & UI Commons Team

Jason Bird (511) | answered Oct 14 '09, 12:30 p.m.
jbirdman wrote:
Non-garbled version of the security constraint XML:

/snip

I guess in your case you are redirected to this URL and as such have to
log in again. Can you confirm?

Regards,
Ben

--
Benjamin Pasero
Work Item & UI Commons Team


Hi Ben, thanks for responding.

Yes, I can confirm I am redirected and am forced to login again.

jb

Work Item & UI Commons Team (1.3k1) | answered Oct 15 '09, 4:56 a.m.
jbirdman wrote:
jbirdman wrote:
Non-garbled version of the security constraint XML:

/snip

I guess in your case you are redirected to this URL and as such have to
log in again. Can you confirm?

Regards,
Ben

--
Benjamin Pasero
Work Item & UI Commons Team

Hi Ben, thanks for responding.

Yes, I can confirm I am redirected and am forced to login again.

jb


And you are redirected to the IFeedService right? You need to ensure
that the server is configured to whitelist these URLs.

--
Benjamin Pasero
Work Item & UI Commons Team

Ryan Manwiller (1.3k1) | answered Oct 15 '09, 3:03 p.m.
JAZZ DEVELOPER
Ben, can you provide any help for where to add this whitelist entry and what it might look like? Is this in the tomcat web.xml?

Thanks

Work Item & UI Commons Team (1.3k1) | answered Oct 16 '09, 7:06 a.m.
ryanman wrote:
Ben, can you provide any help for where to add this whitelist entry
and what it might look like? Is this in the tomcat web.xml?

Thanks


I know we recently did this for jazz.net. I have the work item in front
of me, but I doubt you will be able to access it. Looks like Curtis
d'Entremont was providing the solution. Could you ping him? Otherwise,
you can drop me a mail and I can send you the details of our solution
copied from the work item. The XML snippet used to whitelist looks like
this:

ProxyPass /jazz/service/com.ibm.team.repository.common.internal.IFeedService https://<snip>:9443/jazz/service/com.ibm.team.repository.common.internal.IFeedService
<Location>
LdapConfigFile <snip>
ProxyPassReverse /jazz/service/com.ibm.team.repository.common.internal.IFeedService
</Location>

hth

--
Benjamin Pasero
Work Item & UI Commons Team

Ryan Manwiller (1.3k1) | answered Oct 16 '09, 11:52 a.m.
JAZZ DEVELOPER
At this point my unanswered question is:

In what tomcat file do I put these proxypass settings?

We are using plain tomcat (the default server.zip).

No apache.
No ldap.

Thanks

Curtis d'Entremont (1.3k3) | answered Oct 16 '09, 12:02 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
The whitelist is purely a jazz.net security measure and is not part of the Jazz product. We have a Web server for the community site, and a backing Jazz server which we reverse-proxy to (hence all the proxy stuff in the snippet).

I think this is purely a Tomcat config issue, i.e. you need to tell it in the config file to either not require auth for that path or tell it to use basic HTTP auth instead of form-based auth for that path. I don't know how to do that off the top of my head because we use a custom auth solution. But I'm sure there are lots of google-able resources out there explaining how to do this.

If you can't find it, let me know and I can dig up some rules.
