Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?

Posted by Jochen.Boutens@finalbeta.net on
URL: http://ofbiz.116.s1.nabble.com/Basic-Q-Can-ofbiz-run-in-subdir-and-use-HTTP-auth-tp4721322p4721363.html

Hello Shi,

You are correct, the webserver (reverse proxy) in front of the ofbiz server will validate the user's credentials against ldap and send them in the header to the ofbiz server.

What I don't yet understand is what the options are in ofbiz. Because I've deployed a number of systems this way, and there are many different methods they handle it.

On some systems, I have apache validating the credentials from the http header once more against ldap, then the application (ofbiz) just accepts that the credentials are validated and couples it to a local user that it creates on the fly.

On some systems I have apache validating the credentials from the http header only to pass it to the application, where the application once more does its own ldap validation and then couples it to a local user that it creates on the fly if needed.

On other systems I don't need to configure basic auth on the webserver at all (own/nextcloud), the application just checks if the header is present and logs the user in while validating the ldap credentials itself. etc.

Sorry for making it complicated, I'm just trying to understand how the process would actually work.

On 2018/03/30 02:35:01, Shi Jinghai <[hidden email]> wrote:

> Hi Jochen,
>
> Let's slow down.
>
> For Q2, as you mentioned, you have a webserver deployed in front of OFBiz. If so, the authn work is done in the webserver. The requests proxied to OFBiz are all authenticated. Right?
>
> My puzzle is why you insist OFBiz has to validate against LDAP, for authorization?
>
>
> -----Original Message-----
> From: Jochen.Boutens@ [mailto:finalbeta.net [hidden email]]
> Sent: 30 March 2018 1:52
> To: [hidden email]
> Subject: Re: Basic Q: Can ofbiz run in subdir and use HTTP auth?
>
>
> Hello Shi,
>
> Thanks for your response. Q1 is clear.
>
> About your response to question 2. You seem to imply that LDAP + Basic auth can be done. But I'm not sure what you are suggesting exactly.
> The Tomcat SSO you are talking about is this? ( https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html ) The only reference it makes to Basic auth seems to be that it doesn't work and you need SPNEGO.
> Apereo CAS and OAuth2 both require another server (something not in my setup) right?
>
> To be clear, can ofbiz take the basic auth credentials from the header to logon the user? (validating it against ldap, or trusting the server's validation of the basic auth)
>
> On 2018/03/29 08:44:07, Shi Jinghai <[hidden email]> wrote:
> > Q1: http://server/ofbiz/
> > Yes. It's a simple configuration for both Apache Httpd and Nginx.
> >
> > Q2: Http header basic authentication
> > Not sure whether Jacques has completed the new Tomcat SSO. If yes, then it's ready OOTB.
> > For this kind of authentication, OFBiz also supports Apereo CAS (by LDAP plugin) and OAuth2 (by passport plugin).
> >
> > Have fun,
> >
> > -----Original Message-----
> > From: Jochen.Boutens@ [mailto:finalbeta.net [hidden email]]
> > Sent: 29 March 2018 15:39
> > To: [hidden email]
> > Subject: Basic Q: Can ofbiz run in subdir and use HTTP auth?
> >
> > Hello, We are exploring functionality of several solutions. Ofbiz seems to qualify for most tasks.
> >
> > I have two questions I would like to make sure before we begin testing:
> >
> > For integration into our systems we require the solution to run under a subdirectory of the root of the webserver. (http://server/ofbiz/).
> > ( The reason for this is that ofbiz will be reverse proxied and that http://reverseproxy/ is used for something else. A different domain is not an option because of question two).
> >
> > For integration into our systems we prefer that the application can use authentication data in the http header (Basic Authorization/Http authorization). Our reverse proxy sends the users' (LDAP) credentials in the header allowing applications to automatically log the user in.
> >
> > Can these things be done with Ofbiz?
> >
> > Thanks for your responses.
> >
> >
> >
>
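The two integration patterns Jochen describes above (the application re-validates the forwarded Basic credentials against LDAP itself, versus the application trusts the proxy's validation and only provisions a local user) can be sketched in a few lines. The following is an added illustration, not OFBiz code and not anything from this thread; it stands in for LDAP with a constructed in-memory directory and assumes, as one way to make the "trust the proxy" mode safe, that the proxy adds a private header with a shared secret so the application can tell proxy-forwarded requests from requests that reached it directly with a hand-written `Authorization` header. Restricting the application's listener to the proxy's address would be the usual alternative.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory (assumption, not a real user store).
DIRECTORY = {"alice": "correct horse", "bob": "hunter2"}

# Constructed shared secret the reverse proxy is assumed to send in a private
# header; the application uses it to recognise requests that came via the proxy.
PROXY_SECRET = "constructed-proxy-secret"


@dataclass
class LocalUsers:
    """Local accounts created on the fly, keyed by login name."""
    users: dict = field(default_factory=dict)

    def get_or_create(self, login):
        if login not in self.users:
            self.users[login] = {"login": login}
        return self.users[login]["login"]


def basic_header(user, password):
    """Build an RFC 7617 'Authorization: Basic' value (used for the sample input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header):
    """Return (user, password) from a Basic Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_directory(user, password):
    """Re-validate the credentials against the (constructed) directory."""
    expected = DIRECTORY.get(user)
    # Constant-time compare so a wrong password does not leak timing information.
    return expected is not None and hmac.compare_digest(expected, password)


def authenticate(headers, local_users, mode):
    """Log a user in from the forwarded header.

    mode == "revalidate": the application checks the credentials itself.
    mode == "trust_proxy": the application accepts the proxy's validation, but
    only when the request provably came through the proxy (shared secret).
    Returns the local login on success, None otherwise.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    if mode == "revalidate":
        if not check_directory(user, password):
            return None
    elif mode == "trust_proxy":
        if not hmac.compare_digest(headers.get("X-Proxy-Secret", ""), PROXY_SECRET):
            return None
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return local_users.get_or_create(user)


if __name__ == "__main__":
    store = LocalUsers()
    ok = authenticate({"Authorization": basic_header("alice", "correct horse")}, store, "revalidate")
    forged = authenticate({"Authorization": basic_header("alice", "whatever")}, store, "trust_proxy")
    print("revalidate:", ok, "| direct request in trust_proxy mode:", forged)
```

The point the thread circles around is visible in the last two calls: in "revalidate" mode a wrong password is rejected by the application regardless of what the proxy did, while in "trust_proxy" mode the header alone proves nothing, so the application must tie its trust to the proxy (here the secret header, in practice more often a network boundary) before creating a local user from whatever login the header names.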