
List:       forgerock-openam
Subject:    Re: [OpenAM] OpenAM Cookie Scope
From:       Bernhard Thalmayr <bernhard.thalmayr () painstakingminds ! com>
Date:       2014-10-28 15:14:38
Message-ID: 544FB2DE.5000501 () painstakingminds ! com

I'm pretty sure 'Connection timed out' is unrelated, but 'has no OpenSSO 
cookies' means the browser did not send the SSO tracking cookie to 
Liferay, e.g. because OpenAM is in a different cookie domain than Liferay
(or OpenAM is configured to use host-based cookies).

Just check the request to Liferay with the livehttpheaders plugin and you
will know for sure.

-Bernhard

On 10/28/14 3:27 PM, van den Hout, Eric wrote:
> Hi,
> 
> Could this scoping also have something to do with our error:
> However when we try to logon to the server, the request times out. In the jboss log
> we receive a message stating:
> 2014-10-16 13:31:39,881 INFO  [STDOUT] (ajp-**.***.***.**-8009-6) 13:31:39,880 WARN  [OpenSSOLoginAction:1038] User is not logged in because he has no OpenSSO cookies
> 2014-10-16 13:32:09,768 INFO  [STDOUT] (ajp-**.***.***.**-8009-7) 13:32:09,759 WARN  [OpenSSOLoginAction:593] java.net.ConnectException: Connection timed out
> java.net.ConnectException: Connection timed out
> 
> It appears since we installed OpenAM on a new host.
> 
> Cheers, Eric
> 
> -----Original Message-----
> From: openam-bounces@forgerock.org [mailto:openam-bounces@forgerock.org] On Behalf Of Bernhard Thalmayr
> Sent: Tuesday, 28 October 2014 12:32
> To: openam@forgerock.org
> Subject: Re: [OpenAM] OpenAM Cookie Scope
> 
> On 10/28/14 10:41 AM, Jari Ahonen wrote:
> > Hi,
> > 
> > On a related note is there a (simple) way of making the AMAuthCookie (and
> > possibly also the amlbcookie) scoped to the OpenAM host instead of the cookie
> > domain? Those are by default scoped to the OpenAM cookie domain but I don't
> > think they need to be.
> 
> Yes, just remove all cookie domains from the platform setting and OpenAM will issue
> a host-based cookie.
> -Bernhard
> 
> > 
> > I admit I haven't looked into this closely but this is something that has come up
> > in the past with our own deployments.
> > - Jari
> > 
> > 
> > -----Original Message-----
> > From: openam-bounces@forgerock.org
> > [mailto:openam-bounces@forgerock.org] On Behalf Of Zoltan Tarcsay
> > Sent: Monday, October 27, 2014 5:57 PM
> > To: Users
> > Subject: Re: [OpenAM] OpenAM Cookie Scope
> > 
> > I don't think it's possible by tweaking the OpenAM config (remember, OpenAM is a
> > single sign-on product -- "single" meaning a single point of sign on, not sign-on
> > for a "single" app...). If you need the cookie to be set for a specific path,
> > you'll need to handle authentication and setting the cookie from an external app.
> > E.g. write a JS (or whatever) client to the OpenAM authentication REST API, log
> > the user in, then take the sessionId and set the cookie for the correct path.
> > 
> > > On 27 Oct 2014, at 16:45, Nestore Sulcis <nestsulcis@inbox.com> wrote:
> > > 
> > > Yes that's what I want to achieve...
> > > 
> > > > -----Original Message-----
> > > > From: zoltan.tarcsay@forgerock.com
> > > > Sent: Mon, 27 Oct 2014 16:30:25 +0000
> > > > To: openam@forgerock.org
> > > > Subject: Re: [OpenAM] OpenAM Cookie Scope
> > > > 
> > > > That would mean that you'd need a different cookie for each
> > > > application (and OpenAM itself)... Not sure how this could be achieved...
> > > > 
> > > > -Zoltan
> > > > 
> > > > 
> > > > 
> > > > > On 27 Oct 2014, at 16:22, Nestore Sulcis <nestsulcis@inbox.com> wrote:
> > > > > 
> > > > > Hi
> > > > > 
> > > > > I use OpenAM 10.0.0 and I wonder if there's a way to set the scope
> > > > > of the cookies.
> > > > > 
> > > > > For example, with the default settings the cookie scope is "/"
> > > > > which means "everything"
> > > > > on the server. What I need to achieve is setting the cookie scope
> > > > > to the specific path of the protected application, for instance
> > > > > "/webapp".
> > > > > 
> > > > > _______________________________________________
> > > > > OpenAM mailing list
> > > > > OpenAM@forgerock.org
> > > > > https://lists.forgerock.org/mailman/listinfo/openam
> 
> 
> --
> Painstaking Minds
> IT-Consulting Bernhard Thalmayr
> Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
> Tel: +49 (0)8062 7769174
> Mobile: +49 (0)176 55060699
> 
> bernhard.thalmayr@painstakingminds.com - Solution Architect
> http://www.xing.com/profile/Bernhard_Thalmayr
> http://de.linkedin.com/in/bernhardthalmayr
>
> This e-mail may contain confidential and/or privileged information. If you are not
> the intended recipient (or have received this email in error) please notify the
> sender immediately and delete this e-mail. Any unauthorized copying, disclosure or
> distribution of the material in this e-mail is strictly forbidden.
> 
> 


-- 
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

bernhard.thalmayr@painstakingminds.com - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient (or have received this email in 
error) please notify the sender immediately and delete this e-mail. Any 
unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.
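
The cookie-scope behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified model of the RFC 6265 domain and path matching a browser applies, showing why a host-based or different-domain SSO cookie never reaches Liferay. The host names, cookie attributes and function names are constructed for illustration.

```javascript
// Added example: simplified RFC 6265 matching (no public-suffix or IP handling).

// RFC 6265 section 5.1.3: the request host equals the cookie domain,
// or ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: the cookie path is a prefix of the request path
// and the prefix ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// cookie.domain === null models a host-based (host-only) cookie: it is
// returned only to the exact host that set it.
function browserSends(cookie, setByHost, requestUrl) {
  const url = new URL(requestUrl);
  const hostOk = cookie.domain === null
    ? url.hostname.toLowerCase() === setByHost.toLowerCase()
    : domainMatch(url.hostname, cookie.domain);
  return hostOk && pathMatch(url.pathname, cookie.path);
}

// Constructed deployment: OpenAM and Liferay on sibling hosts.
const OPENAM = "openam.example.com";
const LIFERAY = "https://portal.example.com/webapp/home";

const cases = {
  // Cookie domain configured in OpenAM: shared with Liferay.
  domainCookie: browserSends({ domain: ".example.com", path: "/" }, OPENAM, LIFERAY),
  // Cookie domains removed: host-based cookie, Liferay sees nothing.
  hostCookie: browserSends({ domain: null, path: "/" }, OPENAM, LIFERAY),
  // OpenAM moved to a host in a different cookie domain.
  otherDomain: browserSends({ domain: ".sso.example.net", path: "/" },
                            "openam.sso.example.net", LIFERAY),
  // Path-scoped cookie as asked for in the first post.
  pathScoped: browserSends({ domain: ".example.com", path: "/webapp" }, OPENAM, LIFERAY),
  pathSibling: browserSends({ domain: ".example.com", path: "/webapp" }, OPENAM,
                            "https://portal.example.com/webapp2/"),
};
console.log(cases);
```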