Fix for JAAS Auth in Jetspeed
I’ve finally found a fix for our Jetspeed JAAS Authentication issue with Weblogic (thanks to help from a BEA consultant).
The problem occurs when using the JAASSessionValidator in Jetspeed to authenticate through the Weblogic app server, along with using the struts bridge from the apache portals project. After logging in as the same user in more than one session (by first logging in, and then opening another browser to log in again with the same userid), and going from one page to another in the same mode (view mode, for example), the server throws up this error:Included resource or
file “/action/edit.jas;jsessionid=C7QZxyGkX0pm6Sp9ckM6vyfxTRJ4p1Tn0Ph3bdz
g3TJQX4pyDxwC!-2002059013” not found from requested resource “/jetspeed/portal/
ns:YTIxMzQ4fGMwfGQwfGVfa3JhPTE9MXxlX3NwYWdlPTE9L2VkaXRfb2JzLmphcztqc2Vzc2lvbmlkP
T1DN1FaeHlHa1gwcG02U3A5Y2tNNnZ5ZnhUUko0cDFUbjBQaDNiZHpnM1RKUVg0cHlEeHdDIS0yMDAyM
DU5MDEzfGVfbW9kZT0xPXZpZXc/”.
This appears to be a problem with how Jetspeed will rewrite URL’s, and maybe it is more specifically related to the struts bridge. I say Jetspeed, and not Weblogic, because the problem can be resolved by telling Weblogic to only use cookies to relay session data instead of also rewriting url’s. So we fixed this by placing this next configuration into the weblogic.xml file of ALL of our war files:
<session-descriptor>
<session-param>
<param-name>URLRewritingEnabled</param-name>
<param-value>false</param-value>
</session-param>
</session-descriptor>
At least we found a work around!