...
- The main portlet controller loops through each GatewayEntry associated with the portlet.
- Each GatewayEntry runs through each Interceptor associated with it to ensure that the entry is valid.
- The main JSP renders the gateway portlet (a list of external systems to connect to). Each GatewayEntry is rendered on the page, displaying the name, the icon and, if the entry is valid, a link to the external system. Invalid external systems display a message describing the issue (such as credentials not being configured).
- The user clicks on the link for the external system they wish to access. By default this opens a new tab that returns a page with a JavaScript AJAX handler to request connection information from the handling controller, but there is a portlet preference to replace the existing page.
- The handling controller gathers all of the information stored in the HttpContentRequestImpl parameters configuration (basically a list of form fields and values) and readies them for return to the browser.
- All configured Interceptors perform any substitutions on configuration data, such as inserting usernames and passwords.
- All configured IAuthenticationFormModifier modules run. These can add additional parameter fields to the result and may perform additional custom logic (depending upon the implementation). An example of an IAuthenticationFormModifier is a need to contact an external system to get a token that is submitted with the authentication form to the external system. The custom logic can invoke the external system, parse out the token, and add it as a form field or modify the submit URL to include the token.
- If the GatewayEntry is flagged as requiring a secure URL (default true), the URL (proxiedLocation) is checked and altered to /HTTPSUrlRequiredButNotSpecified if it was not secure.
- The controller returns all of the gathered data to the browser (by default a JSON response with caching disabled).
- The JavaScript AJAX handler builds an appropriate HTML form and submits it to the external system. The external system then handles the call and will render whatever page a successful login would render.
...
Because this is a bean, your implementation can be as simple or as complicated as needed. PortletPreferences will be available to your bean.
Security Considerations
- uPortal should use HTTPS for its connections to the browser to ensure user passwords are not intercepted in transit to the user's browser.
- If using UserPreferencePreInterceptor, the encryption key must be changed from the default (an error message is displayed in the log files if the key is the default value).
- The target URLs to submit to (proxiedLocation) should be HTTPS (required by default).
- The HTTP response that includes sensitive user information is marked to request that it not be cached. However, the user's passwords are not encrypted in transit other than by the encryption HTTPS provides. If greater security is required, you can encrypt the password for the gateway form response and add a JavaScript library to decrypt it, though this does not add much security since sophisticated users can figure this out.
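
The secure-URL step in the flow above and the proxiedLocation recommendation in this list both depend on deciding what counts as a secure URL. The following is an added example, not the portlet's own code: the class and method names are hypothetical, and it assumes "secure" means an absolute URL whose parsed scheme is https and which names a host. Only the replacement path `/HTTPSUrlRequiredButNotSpecified` comes from the page.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SecureUrlCheckExample {
    // Replacement path the page names for a proxiedLocation that is not secure.
    static final String FALLBACK = "/HTTPSUrlRequiredButNotSpecified";

    /**
     * Returns the URL to give the browser. Assumption: "secure" means an
     * absolute URL whose scheme is exactly https and that names a host.
     */
    static String enforceSecureUrl(String proxiedLocation, boolean requireSecure) {
        if (!requireSecure) {
            return proxiedLocation;          // entry opted out of the check
        }
        if (proxiedLocation == null) {
            return FALLBACK;
        }
        String candidate = proxiedLocation.trim();
        try {
            URI uri = new URI(candidate);
            // Compare the parsed scheme, not a string prefix, so that
            // "httpsx://..." and "http://h/?next=https://..." do not pass.
            boolean https = "https".equalsIgnoreCase(uri.getScheme());
            // Opaque ("https:host") and host-less ("https:/path") forms have no host.
            boolean hasHost = uri.getHost() != null && !uri.getHost().isEmpty();
            return (https && hasHost) ? candidate : FALLBACK;
        } catch (URISyntaxException e) {
            return FALLBACK;                 // unparseable input is never trusted
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real configuration.
        String[] samples = {
            "https://sso.example.edu/login",
            "HTTPS://sso.example.edu/login",
            "http://sso.example.edu/login",
            "http://sso.example.edu/?next=https://sso.example.edu/",
            "//sso.example.edu/login",
            "https:/login",
            "httpsx://sso.example.edu/login",
            "https://sso example.edu/login"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + enforceSecureUrl(s, true));
        }
    }
}
```

Only the first two samples are returned unchanged; every other sample is replaced with the fallback path, so credentials are never posted to a plain-HTTP or malformed target.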