king
I'm new here

FirstSpirit rich client in combination with reverse proxies


Dear FirstSpirit community,

We just want to know whether both FirstSpirit rich clients:

  • FirstSpirit JavaClient
  • FirstSpirit SiteArchitect

are enabled for communication over a reverse proxy, e.g. IBM WebSeal Web Access Manager?

If known problems exist, please let us know.

0 Kudos
1 Solution

Accepted Solutions
isenberg
I'm new here

Yes, FirstSpirit supports reverse proxies. Some of our customers use it over the following web application firewall systems: IBM Webseal, CA Siteminder, Astaro UTM. To have completely transparent support for FirstSpirit, i.e. without any firewall exceptions, the reverse proxy is required to forward the session cookie which is used between client and reverse proxy towards the FirstSpirit backend. In the FirstSpirit configuration file fs-server.conf, the parameter clientCookieNames must list the name of this cookie. Without forwarding of the cookie, some firewall exceptions must be added or two files within firstspirit5/web/fs5root must be enhanced with some JavaScript code.

HTTP or HTTPS can be used between the reverse proxy and FirstSpirit.

For forwarding the SSO authentication of the reverse proxy, a custom FirstSpirit JAAS login module is available which uses mutual HTTPS authentication for security (HTTPS client certificate on the reverse proxy). The username is forwarded as an HTTP header by the proxy, for instance as "iv-user" when using Webseal.

URL exceptions, if clientCookieNames is not used in fs-server.conf:

http://fshost.e-spirit.de/jnlp/*

http://fshost.e-spirit.de/servlet/ClientIO/*

http://fshost.e-spirit.de/start/FIRSTspirit.jnlp:

Configuration for Webseal used at one of our customers:


Junction Path: /jctfirstspirit

Destination: https://fsserver.domain:8443

Scripting-Support: no

mutual SSL Auth: yes

Parameter: iv-user

transparent Junction: yes (means the path /jctfirstspirit will be sent to the FirstSpirit backend)

firstspirit5/conf/fs-server.conf:

URL=https://websealhost.domain/jctfirstspirit

fs.url.hostname=websealhost.domain

fs.url.httpport=443

WEBAPP_ROOT_URL=/jctfirstspirit

WEBAPP_PREVIEW_URL=/jctfirstspirit/fs5preview

WEBAPP_STAGING_URL=/jctfirstspirit/fs5staging

WEBAPP_WEBMON_URL=/jctfirstspirit/fs5webmon

WEBAPP_WEBEDIT5_URL=/jctfirstspirit/fs5webedit

With Webseal you can also use VirtualHost-Junctions, so the /jctfirstspirit path is not required.


0 Kudos
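The trust rule behind the SSO setup described in the answer above (the "iv-user" header is believed only because the connection was authenticated with the reverse proxy's client certificate), as an added Python example. It is not the FirstSpirit JAAS login module or code from the post; the function names, the fingerprint allow-list and the sample certificate bytes are assumptions constructed for illustration.

```python
import hashlib

SSO_HEADER = "iv-user"  # header name from the post (Webseal)

def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint (hex) of a DER-encoded client certificate."""
    return hashlib.sha256(der_bytes).hexdigest()

def resolve_sso_user(headers, peer_cert_der, trusted_fingerprints):
    """Return the proxy-asserted username, or None if it must not be trusted.

    headers: list of (name, value) pairs as received, duplicates preserved.
    peer_cert_der: DER bytes of the verified TLS client certificate, or None.
    trusted_fingerprints: set of fingerprints of the reverse proxy's certificate(s).
    """
    # 1. Without a client certificate the request did not come through the
    #    proxy's mutually authenticated channel, so the header is ignored.
    if peer_cert_der is None:
        return None
    if cert_fingerprint(peer_cert_der) not in trusted_fingerprints:
        return None
    # 2. Header names are case-insensitive; more than one value is ambiguous
    #    (a client-supplied copy may sit beside the proxy's), so reject it.
    values = [v.strip() for n, v in headers if n.lower() == SSO_HEADER]
    if len(values) != 1 or not values[0]:
        return None
    user = values[0]
    # 3. Reject control characters inside the username.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        return None
    return user

# Constructed sample data (placeholder bytes, not real certificates).
PROXY_CERT = b"constructed-proxy-client-cert"
OTHER_CERT = b"constructed-unknown-client-cert"
TRUSTED = {cert_fingerprint(PROXY_CERT)}

if __name__ == "__main__":
    samples = [
        ("via proxy", [("iv-user", "jdoe")], PROXY_CERT),
        ("direct, no cert", [("iv-user", "admin")], None),
        ("unknown cert", [("iv-user", "admin")], OTHER_CERT),
        ("duplicate header", [("iv-user", "jdoe"), ("IV-User", "admin")], PROXY_CERT),
    ]
    for label, hdrs, cert in samples:
        print(f"{label:18} -> {resolve_sso_user(hdrs, cert, TRUSTED)}")
```
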