Sign an Unsigned URL

  • Question

  • This question may have been asked previously, but I have not seen it. Here is my problem. I have a UAG hosted Web App calling data from another server using either Active-X or Java, I am not sure. The problem is that the call is coming in on an unsigned UAG URL, meaning it does not have the uniquesig. Typically I have used AppWrap to resolve this but it's not working with UAG.
    So, I am looking for any unsigned link which would have the .com/appxtender/ part of the URL and replace the /appxtender/ part with the signed URL which is /uniquesig_goes_here/uniquesig0/appxtender/

    The appwrap I am using looks like this:
    <APP_WRAP ver="3.0" id="RemoteAccess_HTTP.xml">
    <MANIPULATION>
    <MANIPULATION_PER_APPLICATION>
    <APPLICATION_TYPE>OtherWeb</APPLICATION_TYPE>
    <DATA_CHANGE>
    <URL case_sensitive="false">.*\.com/appxtender/.*</URL>
    <SAR>
    <SEARCH>"/appxtender/</SEARCH>
    <REPLACE>"/uniquesig7354670313c0e773cdb41ee61f0e16a8/uniquesig0/appxtender/</REPLACE>
    </SAR>
    </DATA_CHANGE>
    </MANIPULATION_PER_APPLICATION>
    </MANIPULATION>
    </APP_WRAP>

    I have also tried the manual URL replacement using the same parameters:
    URL: .*\.com/appxtender/.*
    To URL: \.com/uniquesig7354670313c0e773cdb41ee61f0e16a8/uniquesig0/appxtender/.*
    Type: Rerouting
    Server: X.X.X.X
    Port:80

    After every attempt, I am getting an error message indicating that the request failed because the URL contains an invalid signature and the signature listed is not signed.

    I also have a manual URL replacement for the default page to automatically send the users to the logon page if they simply browse to the URL. That looks like this:

    URL: .*/
    To URL: /appxtender/login.aspx
    Type: Redirect
    Server: X.X.X.X
    Port:80


    Finally, and oddly, if I browse to the URL manually first, http://http80.url.com, then try the unsigned link, http://http80.url.com/appxtender/... it works like a charm. 

    I am using UAG 2010 Update 2 on a Portcullis appliance. The App is a simple web app nothing complicated other than the fact that the data url is called from a source of code that can not be signed by UAG.

    Any help or direction would be greatly appreciated.

     

    Tuesday, January 11, 2011 6:10 PM

Answers

  • So, I found a solution to this. I created a new app using the Application Specific Hostname, deleted the AppWrap and Manual URL Replacement settings. In the web settings tab, and I am not sure I needed this, I added the /appxtender/ entry in the paths section.

     

    This seems to have resolved my issues.  Thanks for the help.

     

    • Marked as answer by JGBoake Wednesday, January 12, 2011 4:42 PM
    Wednesday, January 12, 2011 4:41 PM

All replies

  • Hi Amigo. In the Manual URL replacement there is no need to include the signature. Just specify the path. There is another thing that you have to take into account. Manual URL replacement will only work if the request is a relative path, i.e., it doesn't include a host name (/path/request vs. http://host/path/request). In the second case it will not work. Try to install an HTTP debugger (like Fiddler) on the client side and review the requests. If the request includes the hostname there is an alternative, which is declaring the application as a client/server application instead of a web application.

    Hope it helps


    // Raúl - I love this game
    Tuesday, January 11, 2011 8:31 PM
  • It does use the http://host/path/request format because the data is not on the same server. My app runs on http://url.something.com and there is a piece of unsigned code that requests data from http://host.com/appxtender/path/request. All I really need is for all the data with the /appxtender/ in the URL path to be allowed through the UAG portal. Sounds easy, I know, it's just not working the way I expect.
    Tuesday, January 11, 2011 8:42 PM
  • Hi Amigo. If the published application contains a link to http://host/... and this link comes in a regular HTML tag or JavaScript then you can publish a second application for the http://host... This way UAG will sign the application on the fly (you can uncheck the "add portal link" to not have an icon for the application in the portal). This is a simpler way than extending the appwrap. However, if the link comes in a coded or binary object (ActiveX, Java application...) then UAG will not be able to identify the link in any way. The first step is (sorry for repeating) to identify where the call comes from and you can do that with an HTTP debugger at the client side.

    Hope it helps


    // Raúl - I love this game
    Tuesday, January 11, 2011 9:34 PM
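
For the step of reviewing links with an HTTP debugger, a small triage helper can sort observed links into signed, unsigned relative, and unsigned absolute. This is an added example, not code from the thread or from UAG: the signature pattern is an assumption taken from the URL shapes quoted on this page, and the function names and host names are hypothetical placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumed shape, copied from the URLs quoted in this thread:
# /uniquesig<token>/uniquesig<n>/<application path>
SIG_RE = re.compile(r"^/uniquesig[0-9a-f]+/uniquesig\d+(?=/)", re.IGNORECASE)

def triage(link, published_hosts):
    """Classify one link as it appears in a response body or debugger capture."""
    parts = urlsplit(link)
    match = SIG_RE.match(parts.path)
    app_path = parts.path[match.end():] if match else parts.path
    host = (parts.hostname or "").lower()
    if match:
        verdict = "signed"
    elif not host:
        # Relative link: the case the reply says Manual URL replacement handles.
        verdict = "unsigned-relative"
    elif host in published_hosts:
        # Absolute link to a host that is published as its own application.
        verdict = "unsigned-absolute-published"
    else:
        verdict = "unsigned-absolute-unpublished"
    return {"host": host, "app_path": app_path, "verdict": verdict}

def unsigned_report(links, published_hosts, path_prefix="/appxtender/"):
    """Return (link, verdict) pairs for unsigned links under path_prefix."""
    hosts = {h.lower() for h in published_hosts}
    report = []
    for link in links:
        result = triage(link, hosts)
        unsigned = result["verdict"] != "signed"
        if unsigned and result["app_path"].lower().startswith(path_prefix):
            report.append((link, result["verdict"]))
    return report

# Constructed sample: URL shapes from the thread, placeholder host names.
SAMPLE_LINKS = [
    "http://site2.company.com/uniquesig123456789/uniquesig0/appxtender/opendoc.aspx?document=a",
    "http://site2.company.com/appxtender/opendoc.aspx?document=a",
    "/appxtender/login.aspx",
    "http://other.example/appxtender/opendoc.aspx?document=a",
    "/uniquesig123456789/uniquesig0/images/logo.gif",
]

if __name__ == "__main__":
    for link, verdict in unsigned_report(SAMPLE_LINKS, ["site2.company.com"]):
        print(f"{verdict:32} {link}")
```
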
  • Let me try to explain a bit more. I have Site.company.com, which is a single site URL, where you log in to the UAG log in page and it opens the app, using Java and Active-X plugin. When you are running the app and try to open a document, it goes to Site2.company.com, which I have set up as a separate UAG trunk, but HTTP only, not https. The URL is a long string of ID, Password and document name, but basically looks like this: http://site2.company.com/appxtender/opendoc.aspx?user=userid&password=userpass&document=nameoffiletoopen. The URL is unsigned, by which I mean it has no /uniquesig123456789/uniquesig0 section of the URL. If I simply copy and paste the unique signature into the URL so it looks like this: http://site2.company.com/uniquesig123456789/uniquesig0/appxtender/opendoc.aspx?user=userid&password=userpass&document=nameoffiletoopen the URL opens the document properly. If I simply browse to http://site2.company.com, then browse to http://site2.company.com/appxtender/opendoc.aspx?user=userid&password=userpass&document=nameoffiletoopen it also works fine. So what I need to happen is for the UAG to look for the unsigned URL, and then to either simply accept it, or to sign the URL so it is acceptable.

    Clear as mud yeah?

    Wednesday, January 12, 2011 2:42 PM
  • Yes, very clear :(

    Are site1 and site2 the internal names of the servers or the public names of the trunks?

    What template have you used for the web application publishing? The "application specific hostname" or the "portal hostname"?


    // Raúl - I love this game
    Wednesday, January 12, 2011 2:58 PM
  • Site1 and site2 are the external trunk names. It just so happens that Site2 is available both externally and internally. The template used was Other Web Application (Portal Name).
    Wednesday, January 12, 2011 3:18 PM