Portal/Portlets Integration and SSL
I have built a portal using Jetspeed. It is configured on a Linux platform with Apache, Tomcat running behind the Apache and ZServer for the Zope. The Apache has been configured to be secure, has its own CA with the mod_jk connector between Apache and Tomcat. The portal of course has portlets of various web services and applications. A few portlets support the presentation of content coming from Zope. We do this using an IFrame portlet with a short piece of Java code on the server side to service the portlet. So, when the portlet comes up, it might contain a couple of hyper-links for the user to click on that will display a document within the portlet frame. Thus, the embedded links for the portlet will have a http://www.xyz.net:8000/... pointing to the location of the document. This all works fine, however now I have 1 or 2 documents that are confidential and must be handled via https://... for a particular portlet.

I have been experimenting without much success. The browser of course will indicate that not all components on the page are secure because of the fact that the embedded links in the page have http in them. As soon as I make the change to the https protocol, the links will not resolve. Do I have to somehow make the ZServer also SSL compliant in some manner in order for it to figure out what https means. Any help or comments would be very much appreciated. TIA.

John Wubbel
John Wubbel Consultancy
On Tue, Jul 01, 2003 at 08:58:46AM -0400, John Wubbel wrote: (snip)
> for the portlet will have a http://www.xyz.net:8000/... pointing to the location of the document. This all works fine, however now I have 1 or 2 documents that are confidential and must be handled via https://... for a particular portlet.
>
> I have been experimenting without much success. The browser of course will indicate that not all components on the page are secure because of the fact that the embedded links in the page have http in them. As soon as I make the change to the https protocol, the links will not resolve.

of course not... zope isn't running https.

> Do I have to somehow make the ZServer also SSL compliant in some manner in order for it to figure out what https means. Any help or comments would be very much appreciated. TIA.

The usual way to do this is to run zope behind an SSL server, e.g. Apache. There are many documents available about this.

An alternative approach adds SSL support directly to Zope:
http://www.zope.org/Members/Ioan/ZopeSSL

For a totally different approach - including content from zope directly into a JSP - see here:
http://sourceforge.net/projects/pstream/

--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's POLYTECHNICIAN HYPER !
(random hero from isometric.spaceninja.com)
I'd suggest using Apache as a reverse proxy for Zope. No sense in setting up SSL for Zope if you've already got it set up for Apache.

See:
http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/VirtualHosting.s...

HTH,

Dylan

On Tue, 2003-07-01 at 05:58, John Wubbel wrote: (snip)
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Thank you to all who replied. The information was very helpful. I decided to take up Dylan's suggestion. To resolve the problem I configured httpd.conf under <VirtualHost _default_:443> with the following:

    ProxyPass /sdp/ http://localhost:8000/
    ProxyPassReverse /sdp/ http://localhost:8000/
    ProxyVia on

Our portal supports multiple client companies and their documentation is not generic enough for use across all clients. Thus in our IFrame portlets we have a piece of Java code that looks at who is logged on and gets the client company id (i.e., sjgkc6qcu1_O). The initial URL is built for the page contained within this portlet's frame:

    https://www.mydomainname.net/sdp/sjgkc6qcu1_O/SD_Business_Contingency_and_Disaster_Recovery_Plans/BC_DR_Plans

Since the ZServer sits behind Apache the https://www.mydomainname.net/sdp resolves to

    http://localhost:8000/sjgkc6qcu1_O/SD_Business_Contingency_and_Disaster_Recovery_Plans/BC_DR

We have a folder for each client such as sjgkc6qcu1_O and the last problem to overcome was the fact that content returned by Zope contained hyperlinks to other Zope documents. If the link was clicked on, it would pass to Apache the https://localhost:8000 etc. to the client and fail. We resolved this by using the "siteroot" object in the client folder as discussed in http://www.zope.org/Members/anser/apache_zserver. All this and we thus far have not had the need to develop any RewriteRules. Consequently, if a client's document is confidential its transport is safe and secure.

The only remaining problem that is not portal related, is if we use the Zope Administration and navigate into a client's folder where we defined "siteroot" the mini icons for the folders are missing. It seems like the path for the icon is wrong:

    <td bgcolor="#000000" rowspan="4"><img src="/sjgkc6qcu1_O/p_/sp" width="2" height="1" alt="" /></td>

I am not sure yet where it is picking up the /sp. I tried to set a ProxyPass /misc_ & ProxyPass /p_ but it still is not resolving the location of the icon images. We will keep working on it. Thus far we are very satisfied. Thanks again Dylan!

Best Regards,
John Wubbel

----- Original Message -----
From: "Dylan Reinhardt" <zope@dylanreinhardt.com>
To: <john@johnwubbel.com>
Cc: <zope@zope.org>
Sent: Tuesday, July 01, 2003 11:36 AM
Subject: Re: [Zope] Portal/Portlets Integration and SSL

> I'd suggest using Apache as a reverse proxy for Zope. No sense in setting up SSL for Zope if you've already got it set up for Apache.
>
> See:
> http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/VirtualHosting.stx
>
> HTH,
>
> Dylan
>
> On Tue, 2003-07-01 at 05:58, John Wubbel wrote: (snip)
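An added example, not part of the original thread: a small Python check for the three link problems discussed above (http:// references that cause the browser's "not all components are secure" warning, links that leak the backend host and port, and paths such as /sjgkc6qcu1_O/p_/sp that fall outside the ProxyPass /sdp/ mapping). The names `LinkAudit` and `audit` are hypothetical, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of Zope output as seen through the proxy; the host,
# /sdp/ prefix and client folder come from the thread, other paths are made up.
PAGE_URL = "https://www.mydomainname.net/sdp/sjgkc6qcu1_O/BC_DR_Plans"
SAMPLE = """
<a href="index_html">relative link, stays under /sdp/</a>
<a href="https://localhost:8000/sjgkc6qcu1_O/other_doc">backend leak</a>
<img src="http://www.mydomainname.net:8000/sjgkc6qcu1_O/logo.gif" />
<img src="/sjgkc6qcu1_O/p_/sp" width="2" height="1" alt="" />
"""
URL_ATTRS = {"a": "href", "img": "src", "iframe": "src",
             "script": "src", "link": "href", "form": "action"}

class LinkAudit(HTMLParser):
    """Collect URLs that would break or downgrade an HTTPS-proxied page."""
    def __init__(self, page_url, public_host, proxy_prefix):
        super().__init__()
        self.page_url, self.public_host = page_url, public_host
        self.proxy_prefix, self.findings = proxy_prefix, []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag))
        if not value:
            return
        url = urlsplit(urljoin(self.page_url, value))
        if url.scheme == "http":
            kind = "cleartext"             # triggers the mixed-content warning
        elif url.scheme != "https":
            return                         # mailto:, javascript:, etc.
        elif url.hostname != self.public_host or url.port not in (None, 443):
            kind = "backend-host"          # e.g. https://localhost:8000/...
        elif not url.path.startswith(self.proxy_prefix):
            kind = "outside-proxy-prefix"  # not covered by ProxyPass /sdp/
        else:
            return
        self.findings.append((kind, tag, value))

def audit(html, page_url=PAGE_URL, public_host="www.mydomainname.net",
          proxy_prefix="/sdp/"):
    parser = LinkAudit(page_url, public_host, proxy_prefix)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Run against pages fetched through the HTTPS front end, an empty result means every link resolves under the proxied prefix on the public host.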
On Tue, Jul 01, 2003 at 08:58:46AM -0400, John Wubbel wrote:
> Thus, the embedded links for the portlet will have a http://www.xyz.net:8000/... pointing to the location of the document. This all works fine, however now I have 1 or 2 documents that are confidential and must be handled via https://... for a particular portlet.

If your Apache front is also handling SSL for Zope, there is a product called SSLAbsoluteURL (or something like that) that allows Zope to dynamically/programmatically decide to serve http or https URLs.

<plug> Alternatively, you can run ZServerSSL; see URL in my .sig. </plug>

--
Ng Pheng Siong <ngps@netmemetic.com>
http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL