Hey,
First of all, you forgot to add the EngineSimplePreAuthFilter to the filter chain (you
just added the bean).
See
http://gerrit.ovirt.org/#/c/3355/:
* Adding the EngineSimplePreAuthFilter filter to the filter chain for /**:
/**=httpSessionContextIntegrationFilter,multipartRequestWrapperFilter,webAppSecurityFilter,jsCsrfGuardFilter,${bean.loggingFilter},${bean.userPreferencesFilter},${bean.authenticationProcessingFilter},${bean.userPreferencesFilter},${bean.basicProcessingFilter},EngineSimplePreAuthFilter,requestParameterAuthenticationFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter,iPadSupportFilter
You basically defined the pre authentication filter, but it wasn't used in your filter
chain.
As for http / https for the jasper server, not sure they should be equal (i.e., both http
or both https). I think it should work well even if one is secured while the other
isn't.
First try to add the Filter to the filter chain, and let's see what happens.
Also, you can set the following options in the EngineSimplePreAuthFilter bean in case of
ssl issues (in case you want to skip validation just to see that it works, without the
need to troubleshoot exactly what's the problem):
sslIgnoreCertErrors
sslIgnoreHostVerification
You set them by adding the lines
<property name="sslIgnoreCertErrors" value="true"/>
<property name="sslIgnoreHostVerification" value="true"/>
to the bean definition (in addition to all the other options you used):
So, in your resulting file you should have:
/**=httpSessionContextIntegrationFilter,multipartRequestWrapperFilter,webAppSecurityFilter,jsCsrfGuardFilter,${bean.loggingFilter},${bean.userPreferencesFilter},${bean.authenticationProcessingFilter},${bean.userPreferencesFilter},${bean.basicProcessingFilter},EngineSimplePreAuthFilter,requestParameterAuthenticationFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter,iPadSupportFilter
and also have (if you choose to change the ssl definitions to be more permissive):
<bean id="EngineSimplePreAuthFilter" class="org.ovirt.authentication.EngineSimplePreAuthFilter">
    <property name="authenticationManager">
        <ref bean="authenticationManager"></ref>
    </property>
    <property name="servletURL" value="http://localhost/OvirtEngineWeb/ValidateSession"></property>
    <property name="pollingTimeout" value="60"></property>
    <property name="trustStorePath" value="/etc/pki/ovirt-engine/.truststore"></property>
    <property name="trustStorePassword" value=""></property>
    <property name="sslIgnoreCertErrors" value="true"/>
    <property name="sslIgnoreHostVerification" value="true"/>
</bean>
Also, try looking out for the jasper server log in case of problems.
btw, does the report server work well for you when working with it not through the
webadmin? Make sure it does before you bother to troubleshoot the SSO.
Hope it helps,
Oved
----- Original Message -----
From: "ly pan" <plysab(a)gmail.com>
To: "Oved Ourfalli" <ovedo(a)redhat.com>
Cc: engine-devel(a)ovirt.org
Sent: Thursday, January 3, 2013 5:43:25 PM
Subject: Re: [Engine-devel] Problem in ovirt-reports sso
Thanks for the help, Oved
I want to add some info:
1. my environment is fc17, my browser is firefox.
2. I access admin portal using https (rpm has done that for me) while
my jasper configuration is http in db's RedirectServletReportsPage and
applicationContext-security-web.xml, every time I browse to dashboard
the browser prompts me with the message about unencrypted connection
in encrypted page.
Should I use https for jasper as well?
If this is the case, what configuration should be added?
Thanks!
ly pan
2013/1/3 Oved Ourfalli <ovedo(a)redhat.com>:
> See comments/questions inline.
>
> Oved
>
> ----- Original Message -----
>> From: "ly pan" <plysab(a)gmail.com>
>> To: engine-devel(a)ovirt.org
>> Sent: Thursday, January 3, 2013 5:23:32 AM
>> Subject: [Engine-devel] Problem in ovirt-reports sso
>>
>> Hello, I have a reports problem which has got me for many days
>> now.
>> The reports sso feature is not functioning in my environment.
>> I followed the steps from the wiki page:
>> http://www.ovirt.org/How_to_setup_a_oVirt_Reports_development_environment
>> http://www.ovirt.org/Features/Design/Reports_Dashboard
>> and the patch related to sso:
>> http://gerrit.ovirt.org/#change,3355
>>
>> here are my steps:
>> 1. install jasperreports 4.7.0 using the bundled tomcat and the
>> existing DB
>> 2. modify the db password in ovirt.xml
>> 3. import the reports using js-import.sh
>> 4. add the EngineSimplePreAuthFilter in
>> applicationContext-security-web.xml
> Can you share that file with us? (obviously remove sensitive data
> from it, such as keystore password).
Of course, see the attached files.
>
>> 5. add Reports.xml to the webadmin folder and change
>> RedirectServletReportsPage in db
>> 6. generate a keystore using keytool and update
>> EngineSimplePreAuthFilter in applicationContext-security-web.xml
> You're supposed to create a trust store, that trusts the
> certificate of the oVirt engine. Did you do that?
I didn't add the certificate to truststore, my bad. But I changed the
trustStore file to the existing /etc/pki/ovirt-engine/.truststore
in applicationContext-security-web.xml, nothing changed at all.
>
>> 7. install the ovirt-dwh rpm package made from source and run
>> ovirt-engine-dwh-setup
>> 8. start the ovirt-engine service and the tomcat
>>
>> And all the projects, ovirt-dwh, ovirt-reports, ovirt-engine, are
>> built from the latest source.
>>
>> When I browse to the dashboard in webadmin portal, it just shows a
>> jasper login page,
>> so the sso is not functioning, right?
> Can you please attach the jboss logs? (engine.log and server.log).
these two logs have no new messages when I browse to the dashboard, I
think it is not necessary...but I'll attach it anyhow,
and please skip the earlier log messages about wrong db password.
>
>> I can login and browse jasper reports in a browser page normally.
>> So I try to login in dashboard using reports user, tomcat gives me
>> an Exception:
>>
>> "java.lang.IllegalArgumentException: An id is required to lookup a
>> FlowDefinition"
>>
> Not sure if that error is related or not, but hopefully the logs
> will point us to the problem.
the full stack trace is in the attached file catalina.out from tomcat
logs.
>
>> What might be the problem? Am I missing anything?
>> Any help would be appreciated, thanks.
>> _______________________________________________
>> Engine-devel mailing list
>> Engine-devel(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/engine-devel
>>
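
Added example, not part of the original thread and not oVirt or Jasper code: a small check for the two conditions discussed above, a filter bean that is defined but absent from the `/**` chain, and the `sslIgnoreCertErrors` / `sslIgnoreHostVerification` options left at `true` after troubleshooting. The sample XML is constructed; the `filterChainProxy` bean layout and the helper names `audit` and `local` are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's attached file): the bean is defined,
# the /** chain omits it, and both SSL checks are still switched off.
SAMPLE = """<beans>
  <bean id="filterChainProxy" class="example.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        /**=httpSessionContextIntegrationFilter,${bean.basicProcessingFilter},anonymousProcessingFilter
      </value>
    </property>
  </bean>
  <bean id="EngineSimplePreAuthFilter" class="org.ovirt.authentication.EngineSimplePreAuthFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="sslIgnoreCertErrors" value="true"/>
    <property name="sslIgnoreHostVerification" value="true"/>
  </bean>
</beans>"""

# A chain entry looks like "<url pattern>=<comma-separated filter bean names>".
CHAIN_LINE = re.compile(r"^\s*(/[^=\s]*)=(\S+)\s*$", re.M)
RELAXED = ("sslIgnoreCertErrors", "sslIgnoreHostVerification")

def local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text, bean_id="EngineSimplePreAuthFilter"):
    """Return findings for a filter bean: unused in a chain, or SSL checks disabled."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in root.iter()
                 if local(b.tag) == "bean" and b.get("id") == bean_id), None)
    if bean is None:
        return [f"bean {bean_id} is not defined"]
    findings = []
    chains = [(m.group(1), m.group(2).split(","))
              for el in root.iter() for m in CHAIN_LINE.finditer(el.text or "")]
    if not chains:
        findings.append("no filter chain entry found")
    for pattern, filters in chains:
        if bean_id not in filters:
            findings.append(f"{bean_id} is defined but missing from chain {pattern}")
    props = {p.get("name"): p.get("value") for p in bean if local(p.tag) == "property"}
    for name in RELAXED:
        if (props.get(name) or "").strip().lower() == "true":
            findings.append(f"{name}=true disables an SSL check; troubleshooting only")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a real `applicationContext-security-web.xml` by passing its contents to `audit()`; an empty list means the bean is in every chain entry found and neither SSL check is disabled.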