FirstSpirit rich client in combination with reverse proxies

Zendesk API User

• 12 novembre 2014 16:31

Author: king
Publication Date: 11/12/2014 16:31

Dear FirstSpirit community,

we just want to know, whether both FirstSpirit rich clients:

• FirstSpirit JavaClient
• FirstSpirit SiteArchitect

are enabled for a communication over a reverse proxy e.g. IBM WebSeal Web Access Manager?

When known problems do exist please let us know :smileyhappy:

Tags: 4.2r4, 5.1, fs, proxy

Associé à

• Customers

0

• 

  Zendesk API User

  • 14 novembre 2014 09:43

  Author: isenberg - 11/14/2014 9:43
  

  Yes, FirstSpirit supports reverse proxies. Some of our customers use it over the following web application firewall systems: IBM Webseal, CA Siteminder, Astaro UTM. To have complete transparent support for FirstSpirit, i.e. without any firewall exceptions, the reverse proxy is required to forward the session cookie which is used between client and reverse proxy towards the FirstSpirit backend. In FirstSpirit configuration file fs-server.conf the parameter clientCookieNames must list the name of this cookie. Without forwarding of the cookie, some firewall exception must be added or two files within firstspirit5/web/fs5root enhanced with some Javascript code.

  http or https can be used between the reverse proxy and FirstSpirit

  For forwarding the SSO authentication of the reverse proxy, a custom FirstSpirit JAAS login module is available which uses mutual https authentication for security (https client certificate on reverse proxy). The username is forwarded as http header by the proxy, for instance as "iv-user" when using Webseal.

  URL exceptions, if clientCookieNames is not used in fs-server.conf:

  http://fshost.e-spirit.de/jnlp/*

  http://fshost.e-spirit.de/servlet/ClientIO/*

  http://fshost.e-spirit.de/start/FIRSTspirit.jnlp:

  Configuration for Webseal used at one of our customers:

  
  

  Junction Path: /jctfirstspirit

  Destination: https://fsserver.domain:8443

  Scripting-Support: no

  mutual SSL Auth: yes

  Parameter: iv-user

  transparent Junction: yes (means, path /jctfirstspirit will be send to backend FirstSpirit)

  firstspirit5/conf/fs-server.conf:

  URL=https://websealhost.domain/jctfirstspirit

  fs.url.hostname=websealhost.domain

  fs.url.httpport=443

  WEBAPP_ROOT_URL=/jctfirstspirit

  WEBAPP_PREVIEW_URL=/jctfirstspirit/fs5preview

  WEBAPP_STAGING_URL=/jctfirstspirit/fs5staging

  WEBAPP_WEBMON_URL=/jctfirstspirit/fs5webmon

  WEBAPP_WEBEDIT5_URL=/jctfirstspirit/fs5webedit

  With Webseal you can also use VirtualHost-Junctions so the /jfctfirstspirit path is not required.

  0

Vous devez vous connecter pour laisser un commentaire.