Unsecured RSS Feeds
Hey folks!
We have some people internally who really want to use Outlook to see all work item changes. I don't think email notifications will work because:
1) I don't think there's a way to automagically subscribe them to all work items (and all new work items), and
2) I don't think there's an email notification setting for "all work items regardless of my relationship with them".

So I figured the easiest way would be to simply subscribe them to an RSS feed of work item changes. Here I ran into the problem of Outlook not being able to handle authenticated feeds. I found a Jazz technote (http://jazz.net/library/technote/75) by Ritchie that seems to give me 2 options:
a) Switch from Form-based to Basic auth, or
b) Unsecure just the RSS URLs

I don't want to try 'a' because we are stuck with Tomcat for the time being and Basic auth would not be performant. So I want to make just the RSS feeds non-secure. Per the technote, I first added the following security constraint to the web.xml in the jazz web app:

<opens> <security> <web> <web>unsecure_feeds</web> <url>/events/*</url> </web> </security>

I then restarted Jazz (making sure that the web.xml change was not overwritten for any reason) and tried the following URL:

http://build:9080/jazz/events?itemType=WorkItem

However, this does not work - I am still redirected to the Form auth page and required to log in. So my question is, is this approach still valid in 2.0? And if so, what am I missing?

Thanks!
Jason
Accepted answer
The tech-tip applies to RTC 1.0 and needs an update for 2.0.
This changed with the introduction of OAuth support. See work item Clarify story for unsecuring url patterns (76724). You can unsecure "events" now by setting the advanced config. property named "Allowed Anonymous URL Prefixes". I tested this just now and it works.

--
Ritchie Schacher
Jazz Server Development

"ryanman" <ryanman> wrote in message news:hba6l3$fm5$1@localhost.localdomain...
Ok. So essentially, the unauthenticated feeds guidance in

Ritchie Schacher - IBM selected this answer as the correct answer
12 other answers
Non-garbled version of the security constraint XML:

<!-- opens up /jazz/events -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>unsecure_feeds</web-resource-name>
    <url-pattern>/events/*</url-pattern>
  </web-resource-collection>
</security-constraint>

And for the URL I tested - "build" is the name of our build machine.
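
As an added example (not from the thread or the Jazz project), this Python audit lists which URL patterns a web.xml leaves open at the servlet-container level: a security-constraint with no auth-constraint admits anonymous requests, while an empty auth-constraint denies everyone. The sample web.xml is constructed; only the unsecure_feeds entry comes from the post above, and the other two constraints and the role name are sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's unsecure_feeds constraint plus two sample constraints.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JazzUsers</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unsecure_feeds</web-resource-name>
      <url-pattern>/events/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the audit works with any web.xml schema version."""
    return tag.rsplit("}", 1)[-1]

def classify_constraints(web_xml_text):
    """Return {url-pattern: 'anonymous' | 'deny-all' | 'roles: ...'}."""
    result = {}
    root = ET.fromstring(web_xml_text)
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        if not auth:
            access = "anonymous"   # no auth-constraint: container requires no login
        else:
            roles = [r.text.strip() for r in auth[0] if local(r.tag) == "role-name"]
            access = "roles: " + ",".join(roles) if roles else "deny-all"
        for e in sc.iter():
            if local(e.tag) == "url-pattern":
                result[e.text.strip()] = access
    return result

if __name__ == "__main__":
    for pattern, access in classify_constraints(SAMPLE_WEB_XML).items():
        print(f"{pattern:15} {access}")
```

Running it against a deployed web.xml after each edit shows whether anything beyond the intended feed path has become anonymous; it does not cover application-level settings such as the advanced property named in the accepted answer.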
jbirdman wrote:
Non-garbled version of the security constraint XML:

We have the same issue on Jazz.net at the moment and I think our webmaster wanted to look into changing feed access to base authentication instead of form based one to support 3rd party readers but I am not aware of the outcome of this (I think we are still on form based authentication).

Anyhow, I guess the problem is that feeds are loaded from the feed service, e.g. URLs for feeds look like this:

/jazz/service/com.ibm.team.repository.common.internal.IFeedService?...

I guess in your case you are redirected to this URL and as such have to log in again. Can you confirm?

Regards,
Ben

--
Benjamin Pasero
Work Item & UI Commons Team
jbirdman wrote:
Non-garbled version of the security constraint XML:
jbirdman wrote:

And you are redirected to the IFeedService, right? You need to ensure that the server is configured to whitelist these URLs.

--
Benjamin Pasero
Work Item & UI Commons Team
Ben, can you provide any help for where to add this whitelist entry and what it might look like? Is this in the Tomcat web.xml?
Thanks
ryanman wrote:
Ben, can you provide any help for where to add this whitelist entry

I know we recently did this for jazz.net. I have the work item in front of me, but I doubt you will be able to access it. Looks like Curtis d'Entremont was providing the solution. Could you ping him? Otherwise, you can drop me a mail and I can send you the details of our solution copied from the work item.

The XML snippet used to whitelist looks like this:

ProxyPass /jazz/service/com.ibm.team.repository.common.internal.IFeedService https://<snip>:9443/jazz/service/com.ibm.team.repository.common.internal.IFeedService
<Location>
  LdapConfigFile <snip>
  ProxyPassReverse /jazz/service/com.ibm.team.repository.common.internal.IFeedService
</Location>

hth

--
Benjamin Pasero
Work Item & UI Commons Team
At this point my unanswered question is:
In what Tomcat file do I put these ProxyPass settings? We are using plain Tomcat (the default server.zip). No Apache. No LDAP.
Thanks
The whitelist is purely a jazz.net security measure and is not part of the Jazz product. We have a Web server for the community site, and a backing Jazz server which we reverse-proxy to (hence all the proxy stuff in the snippet).
I think this is purely a Tomcat config issue, i.e. you need to tell it in the config file to either not require auth for that path or tell it to use basic HTTP auth instead of form-based auth for that path. I don't know how to do that off the top of my head because we use a custom auth solution. But I'm sure there are lots of google-able resources out there explaining how to do this. If you can't find it, let me know and I can dig up some rules.