[opencms-dev] Securing OpenCms workplace login

Jeremy Cavagnolo jeremy at paradoxcomponents.com
Thu Feb 10 18:27:20 CET 2005


Thanks for responding, Alex.  My server.xml and opencms-system.xml
follow.  However, I think the problem is the JSESSIONID cookie.  When I
go to http://cms.mainserver.com/system/login/ I am automatically
forwarded to https://www.mainserver.com/system/login/.  The login page
is displayed and no cookie has been set yet.  After entering my
credentials, the JSESSIONID cookie from www.mainserver.com is set, the
new workplace window is open, then the login prompt pops up.  After
entering my credentials again, the JSESSIONID cookie from
cms.mainserver.com is set and the workplace opens.  

I read in the apache manual that you can only have one SSL virtual host
per IP address because SSL works below the application (i.e. apache)
level.  I would like to simply redirect to https://cms.mainserver.com
then back to http://cms.mainserver.com, but I need
https://www.mainserver.com for other content.  Does anyone have
suggestions about setting up apache with multiple, secure virtual hosts,
or manipulating the cookies in either/both the tomcat configuration or
apache configuration?

Thanks,

jeremy


server.xml:
===========

<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Catalina">
    <!-- Define a combined connector for www.site1.com  -->
    <Connector
        port="8081" minProcessors="5" maxProcessors="75"
        proxyName="www.site1.com" proxyPort="80"
        enableLookups="true" redirectPort="8443"
        acceptCount="100" debug="10" connectionTimeout="20000"
        useURIValidationHack="false" disableUploadTimeout="true" />
                                                                                                                            
    <!-- Define a combined connector for www.site2.com -->
    <Connector
        port="8082" minProcessors="5" maxProcessors="75"
        proxyName="www.site2.com" proxyPort="80"
        enableLookups="true" redirectPort="8443"
        acceptCount="100" debug="10" connectionTimeout="20000"
        useURIValidationHack="false" disableUploadTimeout="true" />
                                                                                                                            
    <!-- Define one connector for the OpenCms editor server -->
    <Connector
        port="8083" minProcessors="5" maxProcessors="75"
        proxyName="cms.mainserver.com" proxyPort="80"
        enableLookups="true" redirectPort="8443"
        acceptCount="100" debug="10" connectionTimeout="20000"
        useURIValidationHack="false" disableUploadTimeout="true" />
                                                                                                                            
    <!-- Define a Connector on port 8009 (used for other apps) -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" debug="0"
               protocol="AJP/1.3" />
                                                                                                                            
    <Engine name="Catalina" defaultHost="mainserver.com" debug="10">
      <!-- Global logger unless overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              timestamp="true"/>
                                                                                                                  
      <Host name="mainserver.com" debug="10" appBase="webapps"
            unpackWARs="true" autoDeploy="true" xmlValidation="false"  
            xmlNamespaceAware="false">

       ...
       ...

       </Host>
    </Engine>
  </Service>
</Server>
                                                                                                                            
opencms-system.xml (just the 'sites' section):
==============================================

<opencms>
    <system>
       ...
       ...
       ...
       <sites>
                      
          <workplace-server>
              http://cms.alf-learning.org
          </workplace-server>

          <default-uri>/sites/default/</default-uri>
          <site server="http://nm.alf-learning.org"    
                uri="/sites/default/"/>
          <site server="http://wffnproof.com" 
                uri="/sites/wffnproof.com/"/>
       </sites>
       ...
       ...
       ...
   </system>
</opencms>


On Thu, 2005-02-10 at 00:41, Alexander Kandzior wrote:
> Your configuration looks ok, even though I didn't check every detail.
> 
> What does the opencms site configuration look like? 
> And what about Tomcat server.xml?
> 
> Best Regards,
> Alex.
> 
> Alexander Kandzior
> Alkacon Software - The OpenCms Experts
> http://www.alkacon.com
> 
>  
> 
> > -----Original Message-----
> > From: opencms-dev-bounces at opencms.org 
> > [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Jeremy Cavagnolo
> > Sent: Wednesday, February 09, 2005 9:08 PM
> > To: opencms-dev at opencms.org
> > Subject: [opencms-dev] Securing OpenCms workplace login
> > 
> > Hello:
> > 
> > I have been working with opencms 6alpha3 for about a month 
> > now, and have finally set up apache (2.0.51) with mod_proxy 
> > to serve multiple sites, thanks to some good discussion on 
> > this list and the mod_proxy, etc documentation.  I would now 
> > like to protect passwords with https.  
> > The relevant http.conf that I am working with is posted 
> > below.  With this configuration, when I go to 
> > http://cms.mainserver.com/system/login/  I am appropriately 
> > redirected to https://www.mainserver.com/system/login/ and 
> > the login page comes up correctly.  However, after I enter a 
> > username and password, the workplace window opens, but I am 
> > prompted with a username/password dialog.  This dialog is 
> > issued by the cms.mainserver.com virtual host, and is 
> > unprotected.  Can anyone find some obvious mistakes in my 
> > configuration, or suggest methods that they have used to 
> > achieve password security?
> > 
> > Any help is appreciated,
> > 
> > -jeremy
> > 
> > 
> > <VirtualHost _default_:443>
> > ServerName www.mainserver.com:443
> > ProxyPass        /system/login/ http://localhost:8083/opencms/system/login/
> > ProxyPassReverse /system/login/ http://localhost:8083/opencms/system/login/
> > RewriteEngine On
> > RewriteCond %{REQUEST_URI} !^/system/login.*
> > RewriteCond %{REQUEST_URI} ^/system.*
> > RewriteRule ^/(.*) http://cms.mainserver.com/$1 [R,L]
> > </VirtualHost>
> > 
> > # cms server
> > <VirtualHost *:80>
> > ServerName cms.mainserver.com
> > 
> > ProxyErrorOverride On
> > ProxyPass           /opencms/        !
> > RedirectPermanent   /opencms/        http://cms.alf-learning.org/
> > 
> > ProxyPass           /resources/      !
> > ProxyPass           /export/         !
> > 
> > ProxyPass           /                http://localhost:8083/opencms/
> > ProxyPassReverse    /                http://localhost:8083/opencms/
> > 
> > RewriteEngine On
> > RewriteCond %{REQUEST_URI} ^/system/login.*
> > RewriteRule ^/(.*) https://www.mainserver.com/$1 [L,R]
> > </VirtualHost>
> > 
> > # first site
> > <VirtualHost *:80>
> > ServerName www.site1.com
> > ProxyPass         /release/          !
> > RedirectPermanent /release/          http://www.site2.com/release/
> > 
> > ProxyPass         /opencms/          !
> > RedirectPermanent /opencms/          http://www.site1.com/
> > 
> > ProxyPass         /resources/        !
> > ProxyPass         /export/           !
> > 
> > ProxyPass         /                  http://localhost:8081/opencms/
> > ProxyPassReverse  /                  http://localhost:8081/opencms/
> > </VirtualHost>
> > 
> > #second site
> > <VirtualHost *:80>
> > ServerName site2.com
> > 
> > ProxyPass         /opencms/          !
> > RedirectPermanent /opencms/          http://site2.com/
> > 
> > ProxyPass         /resources/        !
> > ProxyPass         /export/           !
> > 
> > ProxyPass         /                  http://localhost:8082/opencms/
> > ProxyPassReverse  /                  http://localhost:8082/opencms/
> > </VirtualHost>
> > 
> > 
> > 
> > _______________________________________________
> > This mail is send to you from the opencms-dev mailing list To 
> > change your list options, or to unsubscribe from the list, 
> > please visit http://mail.opencms.org/mailman/listinfo/opencms-dev
> > 
> > 
> 
> 
> 



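Added example (not part of the original message, and not OpenCms or Tomcat code): a minimal model of browser cookie scoping per RFC 6265, run against the two hostnames in this thread. It shows why a JSESSIONID set by www.mainserver.com is not presented to cms.mainserver.com, and what the Domain and Secure attributes change. The cookie value and the /system/ request URL are constructed, and cookie Path matching is left out.

```python
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: same name, or host is a subdomain of cookie_domain."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

class Jar:
    """Minimal browser cookie store; Path matching and expiry are left out."""
    def __init__(self):
        self.cookies = []

    def store(self, response_url, name, value, domain=None, secure=False):
        host = urlsplit(response_url).hostname
        if domain is not None and not domain_match(host, domain):
            return False  # a host cannot set cookies for an unrelated domain
        self.cookies.append({
            "name": name, "value": value, "secure": secure,
            "domain": (domain or host).lower().lstrip("."),
            "host_only": domain is None,  # no Domain attribute: exact host only
        })
        return True

    def sent_to(self, request_url):
        url, out = urlsplit(request_url), {}
        for c in self.cookies:
            if c["host_only"]:
                host_ok = url.hostname == c["domain"]
            else:
                host_ok = domain_match(url.hostname, c["domain"])
            # Secure cookies are only attached to https requests
            if host_ok and (url.scheme == "https" or not c["secure"]):
                out[c["name"]] = c["value"]
        return out

LOGIN = "https://www.mainserver.com/system/login/"  # login URL from the thread
WORKPLACE = "http://cms.mainserver.com/system/"     # constructed request URL

def workplace_sees(domain=None, secure=False):
    """Cookies the cms host receives after a login answered by the www host."""
    jar = Jar()
    jar.store(LOGIN, "JSESSIONID", "constructed-id", domain=domain, secure=secure)
    return jar.sent_to(WORKPLACE)

if __name__ == "__main__":
    print("host-only     :", workplace_sees())
    print("Domain shared :", workplace_sees(domain="mainserver.com"))
    print("Domain+Secure :", workplace_sees(domain="mainserver.com", secure=True))
```

The middle case is the one to watch: a cookie widened with Domain but without Secure is attached to plain-HTTP requests to the cms host, so the session id issued behind the TLS login crosses the network unencrypted.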
