Posted to commits@rave.apache.org by jc...@apache.org on 2012/01/09 16:22:40 UTC

svn commit: r1229198 - /incubator/rave/site/trunk/content/rave/documentation/configure-locked-domain.mdtext

Author: jcian
Date: Mon Jan  9 15:22:39 2012
New Revision: 1229198

URL: http://svn.apache.org/viewvc?rev=1229198&view=rev
Log:
Adding locked domain configuration documentation.

Added:
    incubator/rave/site/trunk/content/rave/documentation/configure-locked-domain.mdtext
      - copied, changed from r1229162, incubator/rave/site/trunk/content/rave/documentation/configure-ssl.mdtext

Copied: incubator/rave/site/trunk/content/rave/documentation/configure-locked-domain.mdtext (from r1229162, incubator/rave/site/trunk/content/rave/documentation/configure-ssl.mdtext)
URL: http://svn.apache.org/viewvc/incubator/rave/site/trunk/content/rave/documentation/configure-locked-domain.mdtext?p2=incubator/rave/site/trunk/content/rave/documentation/configure-locked-domain.mdtext&p1=incubator/rave/site/trunk/content/rave/documentation/configure-ssl.mdtext&r1=1229162&r2=1229198&rev=1229198&view=diff
==============================================================================
--- incubator/rave/site/trunk/content/rave/documentation/configure-ssl.mdtext (original)
+++ incubator/rave/site/trunk/content/rave/documentation/configure-locked-domain.mdtext Mon Jan  9 15:22:39 2012
@@ -1,4 +1,4 @@
-Title:  Configuring Rave for SSL
+Title:  Configuring Shindig Locked Domain Support in Rave
 Notice:    Licensed to the Apache Software Foundation (ASF) under one
            or more contributor license agreements.  See the NOTICE file
            distributed with this work for additional information
@@ -20,182 +20,105 @@ Notice:    Licensed to the Apache Softwa
 
 To follow these instructions you'll need a working copy of Rave up and running under Tomcat 6.  Please see the [Installing Rave][1] page for instructions on how to get up and running.  
 
-These instructions are written assuming a Tomcat installation path of /temp/tomcat so you may want to use that path for testing while you follow these instructions.
+## Enabling Locked Domain Support in Rave
 
-Also note that these instructions were written and tested using Tomcat running on Windows.  Tomcat on other platforms *should* be exaclty the same except for startup scripts (.bat vs .sh) and file locations (c:\ vs /).
+These instructions demonstrate how to get Shindig locked domain support up and running in Rave.  Locked domains take advantage of the web browsers domain-based sandboxing policies to isolate gadgets from each other and the main container page.  The Shindig mailing list is a good source of information for more details regarding locked domains.
 
-## Enabling SSL in Tomcat
+Enabling locked domain support within Rave is achieved via a combination of DNS and Shindig configuration changes.  To fully support locked domain in a production environment you'll likely need to setup and configure your locked domain with wildcard DNS (otherwise you'd have to create manual DNS entries for every single gadget that you want to run on a locked domain).  For the purposes of experimenting with locked domain however just adding entries to the "hosts" file for the gadgets on a default Rave page should be sufficient.  The Shindig configuration changes required are enabling locked domain support in the top level Shindig configuration and then configuring the individual Shindig container via the container.js file.
 
-These instructions demonstrate how to get Tomcat 6 running over SSL using a self signed certificate.
+The sample locked domain we'll use here will be "-locked.gadgets.example.com".
 
- - Copy the default cacerts file to /temp/tomcat (this allows you to not have to pollute your real cacerts file with test certs).
-    
-        cp "%JAVA_HOME%/jre/lib/security/cacerts" "/temp/tomcat/custom-cacerts"
-
- - Generate a self signed certificate that you'll use with Tomcat.
-
-        "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -validity 365 -storepass changeit -keystore /temp/tomcat/custom-cacerts
-    
-        What is your first and last name?  
-          [Unknown]:  rave-server.example.com  
-        What is the name of your organizational unit?  
-          [Unknown]:  example unit  
-        What is the name of your organization?  
-          [Unknown]:  example organization  
-        What is the name of your City or Locality?  
-          [Unknown]:  example city  
-        What is the name of your State or Province?  
-          [Unknown]:  example state  
-        What is the two-letter country code for this unit?  
-          [Unknown]:  US  
-        Is CN=rave-server.example.com, OU=example unit, O=example organization, L=example city, ST=example state, C=US correct?  
-          [no]:  yes  
-          
-        Enter key password for <tomcat>  
-                (RETURN if same as keystore password):  
-
- - Edit Tomcats startup.bat file to get the JVM to use our alternate cacerts file.  It is important for the JVM to trust our self signed certificate because Rave makes HTTP requests to Shindig to fetch gadget metadata, and if those requests are over SSL then the JVM must trust the certificate being used for the SSL communication.
-
-    (added the following line above the "call "%EXECUTABLE%" start ..." line)
-    
-        set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=c:\temp\tomcat\custom-cacerts
-    
- - Edit Tomcats server.xml to enable an SSL listener on port 443 using our alternate cacerts file.  By default Tomcat looks for a certificate with the alias "tomcat" which is what we used to create our self signed certificate.
-
-    (did a search and replace of 8443 with 443)    
-    (uncommented the HTTPS connector and configured it to use our custom cacerts file)
-    
-        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
-                   maxThreads="150" scheme="https" secure="true"
-                   keystoreFile="c:\temp\tomcat\custom-cacerts" keystorePass="changeit"
-                   clientAuth="false" sslProtocol="TLS" />
-
- - Startup Tomcat and verify that Rave still runs properly on http://localhost:8080/portal/
-
- - Make sure you can access the Rave login page at https://rave-server.example.com/portal
-    
-    Note - if you already have an authenticated session open in your browser you'll probably need to close and re-open your browser to access the login page.
-    Also note that the rest of Rave wont work over SSL yet.
-    
-## Configure Rave and Shindig to run over SSL.
-
- - Edit the /temp/tomcat/webapps/portal/WEB-INF/classes/portal.properties file to configure Rave to use SSL.
-
-    (updated the following values at the top of the portal.properties config file with)
-    
-        portal.opensocial_engine.protocol=https
-        portal.opensocial_engine.root=rave-server.example.com
-        portal.opensocial_engine.gadget_path=/gadgets
-
- - Edit the /temp/tomcat/webapps/ROOT/WEB-INF/classes/rave.shindig.properties and /temp/tomcat/webapps/ROOT/WEB-INF/classes/containers/default/container.js files to configure Shindig to use SSL.
-    
-    Note - there may be other ways to get Shindig to use SSL but this method does work.
-    Also note - the changes to container.js are a search and replace of http:// with https://
-    
-    (updated the following values at the top of the rave.shindig.properties config file with)
-    
-        shindig.host=rave-server.example.com
-        shindig.port=
-        shindig.contextroot=
-    
- - Startup Tomcat and verify that Rave runs properly on https://rave-server.example.com/portal
+The default locked domain implementation within Shindig generates locked domain URL's by taking a hash of the gadget specification URL and pre-pending it onto the configured locked domain suffix.  Here are the locked domain entries that were added to my local "hosts" file to support the default gadgets on a Rave page at the time this documentation was written:
+
+        127.0.0.1	v6fvvlv3hm7kt7oj96mug1uvrdke6kpg-locked.gadgets.example.com
+        127.0.0.1	76r748j1k68i8t7v35r0oakjtb0uvpr3-locked.gadgets.example.com
+        127.0.0.1	tqfbbnhq7v3nah5ifshpfrg5i9elegum-locked.gadgets.example.com
+        127.0.0.1	fdtj4i7cslo8149tjpt9778jodkds1is-locked.gadgets.example.com
+
+For the Shindig configuration changes please refer to the patch generated from my local changes below.  With these changes in place you should be able to fire up Rave, access the default page as one of the sample users and see the locked domains being utilized in the gadget iframe URL's.
 
 ## Complete diff of modified files follows
 
 <blockquote>
-diff -r tomcat-vanilla\bin\startup.bat tomcat\bin\startup.bat
-<br>56c56,57
-<br>< 
-<br>---
-<br>>  
-<br>> set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore=c:\temp\tomcat\custom-cacerts
-<br>
-<br>diff -r tomcat-vanilla\conf\server.xml tomcat\conf\server.xml
-<br>71c71
-<br><                redirectPort="8443" />
-<br>---
-<br>>                redirectPort="443" />
-<br>77c77
-<br><                redirectPort="8443" />
-<br>---
-<br>>                redirectPort="443" />
-<br>79c79
-<br><     &lt;!-- Define a SSL HTTP/1.1 Connector on port 8443
-<br>---
-<br>>     &lt;!-- Define a SSL HTTP/1.1 Connector on port 443
-<br>83,84c83
-<br><     &lt;!--
-<br><     &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-<br>---
-<br>>     &lt;Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
-<br>85a85
-<br>> 			   keystoreFile="c:\temp\tomcat\custom-cacerts" keystorePass="changeit"
-<br>87d86
-<br><     -->
-<br>90c89
-<br><     &lt;Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-<br>---
-<br>>     &lt;Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
-<br>
-<br>diff -r tomcat-vanilla\webapps\portal\WEB-INF\classes\portal.properties tomcat\webapps\portal\WEB-INF\classes\portal.properties
-<br>25,26c25,26
-<br>< portal.opensocial_engine.protocol=http
-<br>< portal.opensocial_engine.root=localhost:8080
-<br>---
-<br>> portal.opensocial_engine.protocol=https
-<br>> portal.opensocial_engine.root=rave-server.example.com
-<br>
-<br>diff -r tomcat-vanilla\webapps\ROOT\WEB-INF\classes\containers\default\container.js tomcat\webapps\ROOT\WEB-INF\classes\containers\default\container.js
-<br>10c10
-<br><  *     http://www.apache.org/licenses/LICENSE-2.0
-<br>---
-<br>>  *     https://www.apache.org/licenses/LICENSE-2.0
-<br>78c78
-<br>< "gadgets.jsUriTemplate" : "http://%host%${CONTEXT_ROOT}/gadgets/js/%js%",
-<br>---
-<br>> "gadgets.jsUriTemplate" : "https://%host%${CONTEXT_ROOT}/gadgets/js/%js%",
-<br>86c86
-<br>< "gadgets.uri.js.host" : "http://www.example.com/",
-<br>---
-<br>> "gadgets.uri.js.host" : "https://www.example.com/",
-<br>99c99
-<br>< "gadgets.osDataUri" : "http://%host%${CONTEXT_ROOT}/rpc",
-<br>---
-<br>> "gadgets.osDataUri" : "https://%host%${CONTEXT_ROOT}/rpc",
-<br>106,107c106,107
-<br>< //"defaultShindigTestHost": "http://${SERVER_HOST}:${SERVER_PORT}",
-<br>< "defaultShindigTestHost":"http://%authority%",
-<br>---
-<br>> //"defaultShindigTestHost": "https://${SERVER_HOST}:${SERVER_PORT}",
-<br>> "defaultShindigTestHost":"https://%authority%",
-<br>154c154
-<br><       "urlTemplate" : "http://localhost${CONTEXT_ROOT}/gadgets/profile?{var}",
-<br>---
-<br>>       "urlTemplate" : "https://localhost${CONTEXT_ROOT}/gadgets/profile?{var}",
-<br>159c159
-<br><       "urlTemplate" : "http://localhost${CONTEXT_ROOT}/gadgets/canvas?{var}",
-<br>---
-<br>>       "urlTemplate" : "https://localhost${CONTEXT_ROOT}/gadgets/canvas?{var}",
-<br>260c260
-<br><     "path" : "http://%host%${CONTEXT_ROOT}/rpc",
-<br>---
-<br>>     "path" : "https://%host%${CONTEXT_ROOT}/rpc",
-<br>262c262
-<br><     "invalidatePath" : "http://%host%${CONTEXT_ROOT}/rpc",
-<br>---
-<br>>     "invalidatePath" : "https://%host%${CONTEXT_ROOT}/rpc",
-<br>290c290
-<br><     "endPoints" : [ "http://%host%${CONTEXT_ROOT}/rpc" ]
-<br>---
-<br>>     "endPoints" : [ "https://%host%${CONTEXT_ROOT}/rpc" ]
+<br>Index: rave-project/rave-shindig/src/main/webapp/WEB-INF/classes/containers/default/container.js
+<br>===================================================================
+<br>--- rave-project/rave-shindig/src/main/webapp/WEB-INF/classes/containers/default/container.js	(revision 1228369)
+<br>+++ rave-project/rave-shindig/src/main/webapp/WEB-INF/classes/containers/default/container.js	(revision )
+<br>@@ -59,15 +59,15 @@
+<br> "gadgets.parent" : null,
+<br> 
+<br> // Should all gadgets be forced on to a locked domain?
+<br>-"gadgets.uri.iframe.lockedDomainRequired" : false,
+<br>+"gadgets.uri.iframe.lockedDomainRequired" : true,
+<br> 
+<br> // DNS domain on which gadgets should render.
+<br> // Default Uri config: these must be overridden - specified here for testing purposes
+<br>-"gadgets.uri.iframe.unlockedDomain": "${Cur['defaultShindigTestAuthority']}",
+<br>+"gadgets.uri.iframe.unlockedDomain": "localhost:8080",
+<br> // When setting up the server to enable locked domains, you should set this to something that does not
+<br> // attempt to use the authority at all.  Ideally it would be another hostname that points to this server.
+<br> // Example: unlockedDomain="shindig.example.com" lockedDomainSuffix="-locked.gadgets.example.com"
+<br>-"gadgets.uri.iframe.lockedDomainSuffix": "${Cur['defaultShindigTestAuthority']}",
+<br>+"gadgets.uri.iframe.lockedDomainSuffix": "-locked.gadgets.example.com:8080",
+<br> 
+<br> // Origins for CORS requests and/or Referer validation
+<br> // Indicate a set of origins or an entry with * to indicate that all origins are allowed
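Review bot: `gadgets.uri.iframe.unlockedDomain` is set to `localhost:8080`, which contradicts the comment a few lines below it that this value should not use the container's authority at all and should ideally be another hostname pointing at the same server (the comment's own example is `shindig.example.com`). With that value, any gadget not forced onto a locked domain renders on the same origin as the Rave portal page, so the browser sandboxing this document relies on would not apply to it; `lockedDomainRequired` is now `true` so that case should not arise, but adding a second hosts-file name for the unlocked domain (for example something like `unlocked.gadgets.example.com`) would make the sample match the guidance. Worth stating in the prose as well that the `:8080` in `lockedDomainSuffix` is part of the origin, so the hash-prefixed locked hosts must be reached on that port.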
+<br>@@ -84,11 +84,8 @@
+<br> // jsUriTemplate will have %host% and %js% substituted.
+<br> // No locked domain special cases, but jsUriTemplate must
+<br> // never conflict with a lockedDomainSuffix.
+<br>-"gadgets.jsUriTemplate" : "http://%host%${CONTEXT_ROOT}/gadgets/js/%js%",
+<br>+"gadgets.jsUriTemplate" : "http://${Cur['gadgets.uri.iframe.unlockedDomain']}{CONTEXT_ROOT}/gadgets/js/%js%",
+<br> 
+<br>-"gadgets.uri.js.host" : "http://www.example.com/",
+<br>-"gadgets.uri.js.path" : "${CONTEXT_ROOT}/gadgets/js",
+<br>-
+<br> // Callback URL.  Scheme relative URL for easy switch between https/http.
+<br> "gadgets.uri.oauth.callbackTemplate" : "//%host%${CONTEXT_ROOT}/gadgets/oauthcallback",
+<br> 
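Review bot: the new `gadgets.jsUriTemplate` value has `{CONTEXT_ROOT}` without the leading `$`, so it will not be substituted and the literal text `{CONTEXT_ROOT}` ends up in the JS URI; it should read `"http://${Cur['gadgets.uri.iframe.unlockedDomain']}${CONTEXT_ROOT}/gadgets/js/%js%"`, matching the `${CONTEXT_ROOT}` form used by every other template in this file. Removing the duplicate `gadgets.uri.js.host`/`gadgets.uri.js.path` pair here is fine, since the same keys are defined again further down. Note also that this template hard-codes `http://` while `gadgets.uri.oauth.callbackTemplate` just below is scheme-relative, so a site that follows the SSL instructions will have to change this line again.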
+<br>@@ -124,16 +121,16 @@
+<br> "defaultShindigProxyConcatAuthority":"%authority%",
+<br> 
+<br> // Default Js Uri config: also must be overridden.
+<br>-"gadgets.uri.js.host": "//${Cur['defaultShindigTestAuthority']}",
+<br>+"gadgets.uri.js.host": "//${Cur['gadgets.uri.iframe.unlockedDomain']}",
+<br> "gadgets.uri.js.path": "${CONTEXT_ROOT}/gadgets/js",
+<br> 
+<br> // Default concat Uri config; used for testing.
+<br>-"gadgets.uri.concat.host" : "${Cur['defaultShindigProxyConcatAuthority']}",
+<br>+"gadgets.uri.concat.host" : "${Cur['gadgets.uri.iframe.unlockedDomain']}",
+<br> "gadgets.uri.concat.path" : "${CONTEXT_ROOT}/gadgets/concat",
+<br> "gadgets.uri.concat.js.splitToken" : "false",
+<br> 
+<br> // Default proxy Uri config; used for testing.
+<br>-"gadgets.uri.proxy.host" : "${Cur['defaultShindigProxyConcatAuthority']}",
+<br>+"gadgets.uri.proxy.host" : "${Cur['gadgets.uri.iframe.unlockedDomain']}",
+<br> "gadgets.uri.proxy.path" : "${CONTEXT_ROOT}/gadgets/proxy",
+<br> 
+<br> //Enables/Disables feature administration
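Review bot: the comments above `gadgets.uri.js.host`, `gadgets.uri.concat.host` and `gadgets.uri.proxy.host` still say "also must be overridden" and "used for testing", but after this change all three derive from `gadgets.uri.iframe.unlockedDomain`, which is the value a deployer actually edits; update the comments to say so, otherwise readers following this page will go looking for another override. Routing js, concat and proxy through the unlocked domain is the right direction and is consistent with the earlier note in the file that `jsUriTemplate` must never conflict with a `lockedDomainSuffix`.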
+<br>@@ -153,7 +150,7 @@
+<br>     // Note: /proxy is an open proxy. Be careful how you expose this!
+<br>     // Note: Here // is replaced with the current protocol http/https
+<br>    //"proxyUrl" : "//%host%${CONTEXT_ROOT}/gadgets/proxy?container=%container%%rewriteMime%&refresh=%refresh%&gadget=%gadget%/%rawurl%",
+<br>-    "proxyUrl" : "//%host%${CONTEXT_ROOT}/gadgets/proxy?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
+<br>+    "proxyUrl" : "//${Cur['gadgets.uri.iframe.unlockedDomain']}${CONTEXT_ROOT}/gadgets/proxy?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
+<br>     "jsonProxyUrl" : "//%host%${CONTEXT_ROOT}/gadgets/makeRequest"
+<br>   },
+<br>   "views" : {
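Review bot: `proxyUrl` moves to the unlocked domain while `jsonProxyUrl` on the next line stays on `//%host%`, and nothing in the file says why. If the intent is that makeRequest must stay same-origin with the (now locked-domain) gadget iframe while the resource proxy does not need to be, a one-line comment would stop the next reader from "fixing" the asymmetry. The existing warning that `/proxy` is an open proxy applies with more force once it is pinned to a single well-known host such as `localhost:8080`, so the documentation should restate that this endpoint must not be exposed beyond the test setup.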
+<br>Index: rave-project/rave-shindig/src/main/resources/rave.shindig.properties
+<br>===================================================================
+<br>--- rave-project/rave-shindig/src/main/resources/rave.shindig.properties	(revision 1228398)
+<br>+++ rave-project/rave-shindig/src/main/resources/rave.shindig.properties	(revision )
+<br>@@ -96,7 +96,7 @@
+<br> shindig.signing.viewer-access-tokens-enabled=false
+<br> 
+<br> # If enabled here, configuration values can be found in container configuration files.
+<br>-shindig.locked-domain.enabled=false
+<br>+shindig.locked-domain.enabled=true
+<br> 
+<br> # TODO: This needs to be moved to container configuration.
+<br> shindig.content-rewrite.only-allow-excludes=false
 <br>
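Review bot: `shindig.locked-domain.enabled=true` is the top-level switch the prose refers to, but this patch edits the source-tree copy (`rave-project/rave-shindig/src/main/resources/rave.shindig.properties` and the container.js under `src/main/webapp`) whereas the instructions at the top of the page address a Rave instance already running under Tomcat. The text should say whether readers are expected to rebuild rave-shindig or to edit the deployed copies under `WEB-INF/classes` (the location the replaced SSL text pointed at), because editing the source tree without redeploying has no effect on the running instance.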
-<br>diff -r tomcat-vanilla\webapps\ROOT\WEB-INF\classes\rave.shindig.properties tomcat\webapps\ROOT\WEB-INF\classes\rave.shindig.properties
-<br>24,25c24,25
-<br>< shindig.host=localhost
-<br>< shindig.port=8080
-<br>---
-<br>> shindig.host=rave-server.example.com
-<br>> shindig.port=
 </blockquote>
 
 [1]: installing.html
\ No newline at end of file
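Review bot: in the new prose, "web browsers domain-based sandboxing policies" needs the possessive ("web browser's"), and "URL's" should be "URLs" in both places it appears. The hosts-file entries are derived from the hash of each gadget specification URL, as the paragraph above them explains, so they go stale as soon as a gadget URL changes or a gadget is added; it would help to say explicitly that the four listed names are only valid for the default page at that revision and that the wildcard DNS already mentioned is the only maintainable option outside a test box. Naming or linking the Shindig mailing list would also save readers a search.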