Fix for JAAS Auth in Jetspeed
I’ve finally found a fix for our Jetspeed JAAS Authentication issue with
Weblogic (thanks to help from a BEA consultant).
The problem occurs
when using the JAASSessionValidator in Jetspeed to authenticate through the Weblogic app
server, along with using the struts bridge from the apache portals project. After logging in
as the same user in more than one session (by first logging in, and then opening another
browser to log in again with the same userid), and going from one page to another in the same
mode (view mode, for example), the server throws up this error:Included resource or
file
“/action/edit.jas;jsessionid=C7QZxyGkX0pm6Sp9ckM6vyfxTRJ4p1Tn0Ph3bdz
g3TJQX4pyDxwC!-2002059013” not found from requested resource “/jetspeed/portal/
ns:YTIxMzQ4fGMwfGQwfGVfa3JhPTE9MXxlX3NwYWdlPTE9L2VkaXRfb2JzLmphcztqc2Vzc2lvbmlkP
T1DN1FaeHlHa1gwcG02U3A5Y2tNNnZ5ZnhUUko0cDFUbjBQaDNiZHpnM1RKUVg0cHlEeHdDIS0yMDAyM
DU5MDEzfGVfbW9kZT0xPXZpZXc/”.
This appears to be a
problem with how Jetspeed will rewrite URL’s, and maybe it is more specifically related to the
struts bridge. I say Jetspeed, and not Weblogic, because the problem can be resolved by
telling Weblogic to only use cookies to relay session data instead of also rewriting url’s. So
we fixed this by placing this next configuration into the weblogic.xml file of ALL of our war
files:
<session-descriptor>
<session-param>
<param-name>URLRewritingEnabled</param-name>
<param-value>false</param-value>
</session-param>
</session-descriptor>
At least we found a work around!