[Engine-devel] Problem in ovirt-reports sso

ly pan plysab at gmail.com
Thu Jan 3 18:33:47 UTC 2013


Thanks for the help Oved, you are my savior.

Regards
ly pan

2013/1/4 Oved Ourfalli <ovedo at redhat.com>:
> Hey,
>
> First of all, you forgot to add the EngineSimplePreAuthFilter to the filter chain (you just added the bean).
Indeed this is what is causing the problem...
Now I can browse the reports using 'show report' feature, thanks a lot :)
However when I browse to dashboard, it shows 'Specified page not
found', I think this is not related to this sso topic now, I'll look
into this later.
> See http://gerrit.ovirt.org/#/c/3355/:
>
> * Adding the EngineSimplePreAuthFilter filter to the filter chain for /**:
>
> /**=httpSessionContextIntegrationFilter,multipartRequestWrapperFilter,webAppSecurityFilter,jsCsrfGuardFilter,${bean.loggingFilter},${bean.userPreferencesFilter},${bean.authenticationProcessingFilter},${bean.userPreferencesFilter},${bean.basicProcessingFilter},EngineSimplePreAuthFilter,requestParameterAuthenticationFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter,iPadSupportFilter
>
> You basically defined the pre authentication filter, but it wasn't used in your filter chain.
>
> As for http / https for the jasper server, not sure they should be equal (i.e., both http or both https). I think it should work well even if one is secured while the other isn't.
> First try to add the Filter to the filter chain, and let's see what happens.
>
> Also, you can set the following options in the EngineSimplePreAuthFilter bean in case of ssl issues (in case you want to skip validation just to see that it works, without the need to troubleshoot exactly what's the problem):
> sslIgnoreCertErrors
> sslIgnoreHostVerification
>
> You set them by adding the lines
>             <property name="sslIgnoreCertErrors" value="true"/>
>             <property name="sslIgnoreHostVerification" value="true"/>
> to the bean definition (in addition to all the other options you used):
>
> So, in your resulting file you should have:
>
> /**=httpSessionContextIntegrationFilter,multipartRequestWrapperFilter,webAppSecurityFilter,jsCsrfGuardFilter,${bean.loggingFilter},${bean.userPreferencesFilter},${bean.authenticationProcessingFilter},${bean.userPreferencesFilter},${bean.basicProcessingFilter},EngineSimplePreAuthFilter,requestParameterAuthenticationFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter,iPadSupportFilter
>
> and also have (if you choose to change the ssl definitions to be more permissive):
>
>     <bean id="EngineSimplePreAuthFilter" class="org.ovirt.authentication.EngineSimplePreAuthFilter">
>         <property name="authenticationManager">
>             <ref bean="authenticationManager"></ref>
>         </property>
>         <property name="servletURL" value="http://localhost/OvirtEngineWeb/ValidateSession"></property>
>         <property name="pollingTimeout" value="60"></property>
>         <property name="trustStorePath" value="/etc/pki/ovirt-engine/.truststore"></property>
>         <property name="trustStorePassword" value=""></property>
>         <property name="sslIgnoreCertErrors" value="true"/>
>         <property name="sslIgnoreHostVerification" value="true"/>
>     </bean>
>
> Also, try looking out for the jasper server log in case of problems.
>
> btw, does the report server work well for you when working with it not through the webadmin? Make sure it does before you bother to troubleshoot the SSO.
>
> Hope it helps,
> Oved
>
>
> ----- Original Message -----
>> From: "ly pan" <plysab at gmail.com>
>> To: "Oved Ourfalli" <ovedo at redhat.com>
>> Cc: engine-devel at ovirt.org
>> Sent: Thursday, January 3, 2013 5:43:25 PM
>> Subject: Re: [Engine-devel] Problem in ovirt-reports sso
>>
>> Thanks for the help, Oved
>>
>> I want to add some info:
>> 1. my environment is fc17, my browser is firefox.
>> 2. I access admin portal using https (rpm has done that for me) while
>>     my jasper configuration is http in db's RedirectServletReportsPage and
>>     applicationContext-security-web.xml, every time I browse to
>>     dashboard the browser prompts me with the message about unencrypted
>>     connection in encrypted page.
>>     Should I use https for jasper as well?
>>     If this is the case, what configuration should be added?
>>
>> Thanks!
>>
>> ly pan
>>
>>
>> 2013/1/3 Oved Ourfalli <ovedo at redhat.com>:
>> > See comments/questions inline.
>> >
>> > Oved
>> >
>> > ----- Original Message -----
>> >> From: "ly pan" <plysab at gmail.com>
>> >> To: engine-devel at ovirt.org
>> >> Sent: Thursday, January 3, 2013 5:23:32 AM
>> >> Subject: [Engine-devel] Problem in ovirt-reports sso
>> >>
>> >> Hello, I have a reports problem which has got me for many days
>> >> now.
>> >> The reports sso feature is not functioning in my environment.
>> >> I followed the steps from the wiki page:
>> >> http://www.ovirt.org/How_to_setup_a_oVirt_Reports_development_environment
>> >> http://www.ovirt.org/Features/Design/Reports_Dashboard
>> >> and the patch related to sso:
>> >> http://gerrit.ovirt.org/#change,3355
>> >>
>> >> here are my steps:
>> >> 1. install jasperreports 4.7.0 using the bundled tomcat and the
>> >> existing DB
>> >> 2. modify the db password in ovirt.xml
>> >> 3. import the reports using js-import.sh
>> >> 4. add the EngineSimplePreAuthFilter in
>> >> applicationContext-security-web.xml
>> > Can you share that file with us? (obviously remove sensitive data
>> > from it, such as keystore password).
>> Of course, see the attached files.
>> >
>> >> 5. add Reports.xml to the webadmin folder and change
>> >> RedirectServletReportsPage in db
>> >> 6. generate a keystore using keytool and update
>> >> EngineSimplePreAuthFilter in applicationContext-security-web.xml
>> > You're supposed to create a trust store, that trusts the
>> > certificate of the oVirt engine. Did you do that?
>> I didn't add the certificate to truststore, my bad. But I changed the
>> trustStore file to the existing /etc/pki/ovirt-engine/.truststore
>> in applicationContext-security-web.xml, nothing changed at all.
>> >
>> >> 7. install the ovirt-dwh rpm package made from source and run
>> >> ovirt-engine-dwh-setup
>> >> 8. start the ovirt-engine service and the tomcat
>> >>
>> >> And all the projects, ovirt-dwh, ovirt-reports, ovirt-engine, are
>> >> built from the latest source.
>> >>
>> >> When I browse to the dashboard in webadmin portal, it just shows a
>> >> jasper login page,
>> >> so the sso is not functioning, right?
>> > Can you please attach the jboss logs? (engine.log and server.log).
>> these two logs have no new messages when I browse to the dashboard, I
>> think it is not necessary...but I'll attach it anyhow,
>> and please skip the earlier log messages about wrong db password.
>> >
>> >> I can login and browse jasper reports in a browser page normally.
>> >> So I try to login in dashboard using reports user, tomcat gives me
>> >> an Exception:
>> >>
>> >> "java.lang.IllegalArgumentException: An id is required to lookup a
>> >> FlowDefinition"
>> >>
>> > Not sure if that error is related or not, but hopefully the logs
>> > will point us to the problem.
>> the full stack trace is in the attached file catalina.out from tomcat
>> logs.
>>
>> >
>> >> What might be the problem? Am I missing anything?
>> >> Any help would be appreciated, thanks.
>> >>
>>
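
Added example (not part of the thread, and not oVirt or JasperReports code): a Python check for the two configuration states discussed above, a pre-authentication bean that is defined but missing from a filter chain, and the `sslIgnoreCertErrors` / `sslIgnoreHostVerification` troubleshooting switches left set to `true`. The sample XML is constructed and its element layout is an assumption; the ordering check against `anonymousProcessingFilter` is also an added assumption based on the chain shown in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread (layout is an assumption): bean defined,
# but the /** chain omits it and both SSL validation switches are turned off.
SAMPLE = """<beans>
  <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource"><value>
      /**=httpSessionContextIntegrationFilter,${bean.basicProcessingFilter},anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value></property>
  </bean>
  <bean id="EngineSimplePreAuthFilter" class="org.ovirt.authentication.EngineSimplePreAuthFilter">
    <property name="servletURL" value="http://localhost/OvirtEngineWeb/ValidateSession"/>
    <property name="sslIgnoreCertErrors" value="true"/>
    <property name="sslIgnoreHostVerification" value="true"/>
  </bean>
</beans>"""

CHAIN_LINE = re.compile(r"^\s*(/[^=\s]*)=(\S+)\s*$", re.M)  # e.g. "/**=filterA,filterB"
SSL_BYPASS = ("sslIgnoreCertErrors", "sslIgnoreHostVerification")
ANON = "anonymousProcessingFilter"

def elements(root, name):
    """Yield elements with the given local tag name, with or without an XML namespace."""
    return (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name)

def filter_chains(root):
    """Return {url_pattern: [filter names]} from every <value> that holds chain lines."""
    chains = {}
    for value in elements(root, "value"):
        for pattern, names in CHAIN_LINE.findall(value.text or ""):
            chains[pattern] = names.split(",")
    return chains

def audit(xml_text, bean_id="EngineSimplePreAuthFilter"):
    """List findings for the pre-auth bean: unused, misordered, or TLS checks disabled."""
    root = ET.fromstring(xml_text)
    bean = next((b for b in elements(root, "bean") if b.get("id") == bean_id), None)
    if bean is None:
        return [f"{bean_id}: bean not defined"]
    findings = []
    for pattern, names in filter_chains(root).items():
        if bean_id not in names:
            findings.append(f"{pattern}: {bean_id} defined but not in chain")
        elif ANON in names and names.index(bean_id) > names.index(ANON):
            findings.append(f"{pattern}: {bean_id} runs after {ANON}")
    for prop in elements(bean, "property"):
        if prop.get("name") in SSL_BYPASS and prop.get("value", "").lower() == "true":
            findings.append(f"{bean_id}: {prop.get('name')}=true disables TLS validation")
    return findings
```

Calling `audit(SAMPLE)` returns three findings; a file whose `/**` chain lists the filter before `anonymousProcessingFilter` and whose two SSL switches are absent or `false` returns an empty list.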


