Opensocial Gadget in Jazz installation with JAS


Jean-François CHAPELLE (6414) | asked Jun 15 '23, 4:25 a.m.
edited Jun 15 '23, 4:27 a.m.

We encounter differences in behavior (between V6 and V7.0.2 installations) on OpenSocial gadgets that we have developed ourselves.


To introduce our JAZZ installations :
  • The JAZZ V6 installation does not use a JAS server, and some gadgets work fine
  • The JAZZ V7.0.2 installation uses a JAS server, and some gadgets do not work
  • JTS and other applications advanced properties are correctly set (https://www.ibm.com/support/pages/node/6466981)
To introduce our gadget developments
  • Gadgets are written with Javascript
  • We use jQuery 3.5+ and AJAX to manage the queries (GET, POST ...)
To explain this difference in behavior, I will take the example of a very simple gadget which makes it possible to check whether the CORS policy has been correctly configured on the Liberty servers of our JAZZ installations.

This OpenSocial gadget is installed in a personal dashboard (a personal dashboard hosted on the JTS server).

What does this gadget do ?

It sends requests to JTS, GC, CCM, RM and AM to check whether the CORS policy is correctly configured on the servers; each request sent must return an HTTP 200 code.

Example queries are:

for JTS : GET on https://agsjts-2.snm.snecma:9443/jts/friends
for CCM : GET on https://agsccm-2.snm.snecma:9443/ccm/process/project-areas
for GC : GET on https://agsjts-2.snm.snecma:9443/gc/process/project-areas
for RM : GET on https://agsrm-2.snm.snecma:9443/rm/process/project-areas
for AM : GET on https://agsdm-2.snm.snecma:9443/am/process/project-areas

We find that the behavior of the gadget is totally different between JAZZ v6 and JAZZ v7.0.2.

On JAZZ V6 (without JAS server), the gadget works fine :

- The user logs in, opens the personal dashboard and the gadget runs without problems. 

On JAZZ V7 (with JAS server), the gadget has not the same behavior :

- The user logs in and opens the personal dashboard, but the gadget fails on some requests (only JTS is fine, because a request from JTS to JTS is always OK)
- The user opens the CCM application, returns to the gadget and refreshes it: this time the request to CCM is OK
- And if he continues the same way with all applications (RM, GC...), all requests will eventually be OK
It seems that authentication is not done smoothly between applications, thus disrupting the execution of inter-application requests.

In the browser, when I use the debug tool with the network tab :


  • when the gadget runs and query for https://<rm-server>/rm/process/project-areas, for example, the response code is directly HTTP = 401
  • when I copy/paste the same URL in another browser tab, the response codes are 302, 303 and 200

In the gadget, for the same request, the redirect authentication steps seem not to be done, or not to be possible.


Regards.


Comments
Ralph Schoon commented Jun 15 '23, 5:30 a.m. | edited Jun 15 '23, 5:35 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

I do not know how the open social gadgets authenticate with the server and how to inherit this authentication. From a protocol perspective it is obvious that the two scenarios work completely different. When using JAS, the authentication works over a 401 challenge. See: https://jazz.net/wiki/bin/view/Main/NativeClientAuthentication
200 and 302 are used in the form challenge that is used if you do not use JAS. Here some more information about the authentication: https://rsjazz.wordpress.com/2021/10/15/elm-authentication/

You can, as far as I can tell, not compare a GET request from your gadget with using a browser. The browser deals with redirects and also sends cookies that store your authentication with these requests, which probably explains the other response codes. 

It would be important to look into what is really sent to the server, including cookies and understand how the open social gadgets are supposed to inherit the authentication. In addition please be aware that there are whitelist properties that you might need to add your server hosting the gadget to. 


Jean-François CHAPELLE commented Jun 16 '23, 10:32 a.m.

Thank you for your post.


We have been careful to configure correctly the whitelist properties.


Jean-François CHAPELLE commented Jun 21 '23, 2:43 a.m.

When I execute the gadget with the browser debug window open, in the "Network" tab, I can see the "401" error. The response header displayed in the "Network" tab contains "X-Jsa-Authorization-Redirect" and "Www-Authenticate".


Now if I get this response header in my JavaScript code (with jqXHR.getAllResponseHeaders()), I only have the following values:

cache-control: no-cache="set-cookie, set-cookie2"
content-language: en-US
content-type: text/html; charset=UTF-8
expires: Thu, 01 Dec 1994 16:00:00 GMT
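
Added example, not code from the original post or from IBM/Jazz. The four header names listed in the comment above (cache-control, content-language, content-type, expires) are all members of the CORS-safelisted response-header set: on a cross-origin request made with credentials, a browser lets script read only those names plus whatever the server lists in Access-Control-Expose-Headers, even though the Network tab shows the full response. The block below models that rule, then runs the kind of probe loop described in the question against constructed responses (placeholder hosts, paths and header values; the Bearer realm and redirect URL are not real). The 401 sample with the challenge headers hidden reproduces what getAllResponseHeaders() returns in the comment; the second 401 sample shows the same response with the names exposed.

```javascript
// Added example (not code from the original post or from IBM/Jazz): a model of
// the probe gadget described in the question, plus the browser rule that
// decides which response headers jqXHR.getAllResponseHeaders() can see.
// Hosts, paths and header values below are placeholders, not the poster's.

// Response headers a browser exposes to script on a cross-origin response
// even when the server sends no Access-Control-Expose-Headers.
const CORS_SAFELISTED = new Set([
  'cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma',
]);

// Which of rawHeaders (lowercase name -> value, as the server sent them)
// may script read? With credentials included, a "*" in
// Access-Control-Expose-Headers is a literal name, not a wildcard.
function scriptVisibleHeaders(rawHeaders, { credentialed = true } = {}) {
  const exposed = (rawHeaders['access-control-expose-headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const exposeAll = !credentialed && exposed.includes('*');
  const visible = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    const n = name.toLowerCase();
    if (CORS_SAFELISTED.has(n) || exposeAll || exposed.includes(n)) visible[n] = value;
  }
  return visible;
}

// Verdict for one probe, given the status and the headers script can see.
function classify(status, visibleHeaders) {
  if (status === 200) return 'ok';
  if (status === 401) {
    const challenge = 'www-authenticate' in visibleHeaders
      || 'x-jsa-authorization-redirect' in visibleHeaders;
    return challenge ? 'jas-challenge' : 'jas-challenge-headers-hidden';
  }
  return `unexpected-${status}`;
}

// Constructed responses standing in for what the Liberty servers might send
// to a credentialed cross-origin GET. The first 401 carries the headers the
// poster saw in the Network tab; the second also exposes them to script.
const SAMPLE_RESPONSES = {
  'https://jts.example.invalid/jts/friends': {
    status: 200,
    headers: { 'content-type': 'application/json' },
  },
  'https://rm.example.invalid/rm/process/project-areas': {
    status: 401,
    headers: {
      'cache-control': 'no-cache="set-cookie, set-cookie2"',
      'content-type': 'text/html; charset=UTF-8',
      'www-authenticate': 'Bearer realm="placeholder"',
      'x-jsa-authorization-redirect': 'https://jas.example.invalid/placeholder',
    },
  },
  'https://ccm.example.invalid/ccm/process/project-areas': {
    status: 401,
    headers: {
      'content-type': 'text/html; charset=UTF-8',
      'www-authenticate': 'Bearer realm="placeholder"',
      'x-jsa-authorization-redirect': 'https://jas.example.invalid/placeholder',
      'access-control-expose-headers': 'WWW-Authenticate, X-Jsa-Authorization-Redirect',
    },
  },
};

// Offline stand-in for the browser: look the URL up, then apply the expose
// rule before handing the headers to "script".
function simulatedFetch(url) {
  const r = SAMPLE_RESPONSES[url];
  if (!r) return { status: 404, headers: {} };
  return { status: r.status, headers: scriptVisibleHeaders(r.headers) };
}

// Probe one endpoint through the supplied fetch-like function and report the
// verdict. A real gadget would supply a wrapper around
// fetch(url, { credentials: 'include', redirect: 'follow' }) instead.
function probe(url, fetchImpl = simulatedFetch) {
  const res = fetchImpl(url);
  return { url, status: res.status, verdict: classify(res.status, res.headers) };
}

function probeAll(urls, fetchImpl = simulatedFetch) {
  return urls.map((u) => probe(u, fetchImpl));
}

// Run the loop over the constructed endpoints, in definition order.
const REPORT = probeAll(Object.keys(SAMPLE_RESPONSES));
```

With jQuery, the credentialed request corresponds to `$.ajax({ xhrFields: { withCredentials: true } })`; the header filtering is done by the browser before jqXHR sees the response, so a gadget can only act on the JAS challenge headers if the server lists them in Access-Control-Expose-Headers. The verdict names and the simulated fetch are this example's own conventions.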

One answer



Ian Barnard (2.3k714) | answered Jun 15 '23, 12:20 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Jun 15 '23, 12:23 p.m.
Hi

Those are quite different environments that you're comparing, and you say they work differently.

I think the problem you're having might be that JAS uses a different name for the session cookie from JTS authentication you were using in 6.x, and the JTS proxy needs to be configured for the JAS session cookie name when using JSA. See under the heading "Ensure that the web service has the appropriate handling for the SSO token" here https://jazz.net/wiki/bin/view/Main/RMExtensionsUsingExternalWebService702

In jts/advanced settings, by default "Jazz Authentication Proxy SSO Cookies" has "LtpaToken, LtpaToken2, JSESSIONIDSSO". Change this field's value to "LtpaToken, LtpaToken2, JSESSIONIDSSO, JSA_SESSION_IDENTITY" (without the quotation marks). By changing this field's value, JSA_SESSION_IDENTITY is the cookie that enables a widget to request a resource, passing on this authentication cookie with the request.


HTH
Ian

Comments
Jean-François CHAPELLE commented Jun 19 '23, 3:15 a.m.

Ian,


I have updated the JTS advanced properties, but the gadget behavior does not change.

I continue to search ...

Regards
