Web Proxy Channel

Nov 5, 2013 (3 years and 7 months ago)

Web Proxy Channel and Portlet

Andrew Petro

JA-SIG Denver

26 June 2007

© Copyright Unicon, Inc., 2007. Some rights reserved.
http://creativecommons.org/licenses/by-nc/3.0/us/

Portions borrowed from previous JA-SIG presentations by Andrew and others.



Meet your speaker


Andrew Petro


Unicon, Inc.


Software developer, cooperative support uPortal lead, and occasional uPortal consultant

Previously with Yale University ITS Technology & Planning





This presentation


Web proxy generally


The CWebProxy channel that’s included in uPortal, originally developed by Memorial University Newfoundland

The Web Proxy Portlet open source project spearheaded by University of Wisconsin-Madison

Web proxy generally



Inline frames

Browser performs aggregation

[Diagram: Browser, Portal, External web server, with two <iframe /> elements]

Web proxies

[Diagram: Browser, Portal, External web server]

Portal performs aggregation



Advantages of each

Inline frame

Simple

Fast (potentially)

Transparent handling of backing CSS, JavaScript

Web proxy

Portal (and firewalls, etc.) can insulate the backing server

Transformation of content

Portal services (authN, attributes, permission)

Caching



JSR-168 portlets

JSR-168 portlets run inside the portal JVM


Possibly with some classloader isolation


Action vs. Render distinction


Easy preferences


… Cf. Matt Young’s talk, e.g.



JSR-168 portlets

[Diagram: Browser, Portal, with a "?" marker]

Portal performs aggregation

What if Something Goes Wrong?

[Diagram: Browser, Portal, with "?" and "!" markers]

What if Something Goes REALLY Wrong?

[Diagram: Browser, Portal, with "?" and "!" markers]



Doctor, it hurts when I do this…


Well, don’t do that


Memory leaks / abuse


Lock thrash


Infinite recursion



Web proxy as way to share inside-portal codebase across many outside-portal proxied applications

Service windows

Upgrading proxied applications without restarting the portal

independent service windows





Arbitrary backing web technology

Spring, and Spring PortletMVC are excellent

But you might want to use, or have existing expertise in:

PHP

Perl

Ruby (On Rails)

ColdFusion

Plain Old HTML

ASP



Exposing Portal Views


Maybe you have a well-functioning Spring WebMVC application

Portal views as just additional elements in the view layer

Re-use existing DataSources, services, hosting, development

Just expose a few more URLs and associated portal-appropriate views

Web Proxy channel



Traditional web proxy


Proxied application produces XHTML


WebProxy proxies it


simple



Web Proxy of Tomcat’s Number Guessing



http://localhost:8080/jsp-examples/num/numguess.jsp



Channel Markup

<form method="get" action="tag.9ebcc3d6be8e1c38.render.userLayoutRootNode.target.n23.uP#n23">
  What's your guess?
  <input type="text" name="guess" />
  <input type="submit" value="Submit" />
</form>



Web Proxy Channel Config



Pass-through type

What renders will “pass through” the channel, the little box on the screen?

All

Application: just those sharing URI prefix with the initial XML URI

Marked: just URLs with special attributes in their HTML elements will be rendered inside the portal

None



Publishing a new web proxy







Lots of options



Tidy?


Brad Johnson’s suggestion of moving to more accommodating “TagSoup” library




You can proxy markup other than HTML!


This is just one selection of XSLTs you can use

Can use CWebProxy as a CGenericXSLT on steroids



Passing uPortal user attributes


Show up as request attributes to the remote application

Useful for passing username, identifiers

LocalConnectionContext

Applies context to the request from portal to backing application


Can be based on Security Context


E.g., CAS proxy ticket



LocalConnectionContext uses


Authentication


Proxy CAS


BASIC authentication


Modify URLs to take advantage of a proxy server for performance




YaleInfo Recent Email


Uses Proxy CAS * 2


Links to message in IMP


Not a full e-mail client in uPortal

[Diagram: portal (Recent E-mail Channel), servlet, IMAP Server; connections labelled HTTPS Request, XML response, IMAP Protocol]



YaleInfo Network Registration


Building applications to be proxied



Choose a link scheme


All in channel?


Application?


Marked?



Take care in HTML production


Performs better if CWebProxy doesn’t need to tidy the output



Choose an authentication scheme


Proxy CAS is compelling

[Diagram: portal (Recent E-mail Channel), servlet, IMAP Server; connections labelled HTTPS Request, XML response, IMAP Protocol]



Use uPortal CSS styles


Or add new styles to your portal


New in default theme/skin:


channels.css, a designated place for you to add your extra CSS styles



Securing Web Proxies



Blocking Proxying of Local Files


Web proxy


Convenient


Simple


Powerful


But can be too much so



What if I’m clever yet mean


And tell the web proxy channel to proxy a file:// on the portal server?

Or some other resource the portal can get to that I’m not intended to get to?



Additional configuration



How this works


Blocked URI prefixes: if blocked, X

Allowed URI prefixes: if not allowed, X

Control whether initial URL should be subject to these rules

Allows end-user-setting-ChannelStaticData CPDs to be secured


E.g., RSS reader via XSLT
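
A sketch of the blocked/allowed prefix check described on this slide, added here as an illustration and not CWebProxy's own code. The function names, the sample policy and the example.edu host are assumptions; URIs are canonicalised before comparison so that case and dot segments cannot step around a prefix.

```python
import posixpath
from urllib.parse import urlsplit

def canonical(uri):
    """Reduce a URI to scheme://host[:port]/path so prefixes compare reliably."""
    parts = urlsplit(uri.strip())                  # ValueError on a malformed authority
    host = parts.hostname or ""                    # lower-cased, userinfo dropped
    port = f":{parts.port}" if parts.port else ""  # ValueError on a bad port
    path = posixpath.normpath(parts.path) if parts.path else "/"
    if not path.startswith("/"):
        path = "/" + path
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return f"{parts.scheme.lower()}://{host}{port}{path}"

def matches(target, prefix):
    """True if the canonical target equals the prefix or lies below it."""
    if prefix.endswith(":"):                       # bare scheme such as "file:"
        return target.startswith(prefix.lower() + "//")
    p = canonical(prefix)
    return target == p or target.startswith(p if p.endswith("/") else p + "/")

def is_permitted(uri, blocked, allowed, is_initial=False, restrict_initial=True):
    """Blocked prefixes win; anything not under an allowed prefix is refused."""
    if is_initial and not restrict_initial:
        return True                                # administrator-published URL exempted
    try:
        target = canonical(uri)
    except ValueError:
        return False                               # unparseable input is refused
    if any(matches(target, p) for p in blocked):
        return False
    return any(matches(target, p) for p in allowed)

# Constructed sample policy (hypothetical host).
BLOCKED = ["file:"]
ALLOWED = ["http://apps.example.edu/public"]

if __name__ == "__main__":
    for u in ("http://apps.example.edu/public/rss.xml", "FILE:///etc/passwd",
              "http://apps.example.edu/public/../admin/"):
        print(u, is_permitted(u, BLOCKED, ALLOWED))
```

When end users can set the URL through the CPD, leave restrict_initial on so the initial URL is checked like every later one.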


University of Wisconsin-Madison Web Proxy Portlet



Fortunately, Eric is right here


And has designs for refactoring it



So maybe he can say a few words on that topic…



http://my.wisc.edu/



Example: Lost and Found service



URLs adjust the web proxy configuration


https://my-demo.doit.wisc.edu/portal/tag.ac784df01d3c80be.render.userLayoutRootNode.target.u21l1n100.uP?uP_portlet_action=true&uP_window_state=normal&edu.wisc.my.webproxy.URL=http%3A%2F%2Fwww.doit.wisc.edu%2Fportal%2Fdemo%2Flostandfound%2Fviewfound.html#u21l1n100

Next steps for uPortal



Ship UW Web Proxy Portlet with uPortal


It’s been out for review more than long enough

UW-Wisc has exercised it

With Eric’s additional refactoring it will be especially ready for wide use



Continue to ship CWebProxy


Adopters have written applications designed especially to work with it

Marked URL features and all

Begin exploring whether these can be accommodated in Web Proxy Portlet



Converge on Web Proxy Portlet


If/When Web Proxy Portlet takes hold like CWebProxy

And backwards compatibility or migration path is in place

Consider deprecating CWebProxy

But no immediate plans for this

CWebProxy remains a viable channel to use and build against



Andrew Petro

apetro@unicon.net


Questions?