GateIn 3.2 recommends using two virtual hosts for security. If the gadget is running on a different domain than the container (the website that 'contains' the app), it is unable to interfere with the portal by modifying code or cookies.
An example would hosting the portal from http://www.sample.com and the gadgets from http://www.samplemodules.com.
To do this, configure a parameter called gadgets.hostName. The value is the path/to/gadgetServer in GadgetRegisteryService:
<component>
<key>org.exoplatform.application.gadget.GadgetRegistryService</key>
<type>org.exoplatform.application.gadget.jcr.GadgetRegistryServiceImpl</type>
<init-params>
<value-param>
<name>gadgets.hostName</name>
<description>Gadget server url</description>
<value>http://localhost:8080/GateInGadgetServer/gadgets/</value>
</value-param>
</init-params>
</component>
It is also possible to have multiple rendering servers. This helps to balance the rendering load across multiple servers.
When deploying on the same server, ensure the gadget initiates before anything that calls it (for example, the webapp GateInGadgets which uses org.exoplatform.application.gadget.GadgetRegister).
In GateIn, the gadget container is using three security files for authentication and authorization gadgets:
key.txt
oauthkey.pem
oauthkey_pub.pem
By default, they are located in:
For JBoss: $JBOSS_HOME/standalone/configuration/gatein/gadgets. This folder is configured by system variables in $JBOSS_HOME/standalone/configuration/gatein/configuration.properties.
For Tomcat: $TOMCAT_HOME/gatein/conf/gadgets. This folder is configured by system variables in $TOMCAT_HOME/gatein/conf/configuration.properties.
gatein.gadgets.securitytokenkeyfile=$\{gatein.conf.dir\}/gadgets/key.txt
gatein.gadgets.signingkeyfile=$\{gatein.conf.dir\}/gadgets/oauthkey.pem
In case you have other files, you can change these variables to point to them.
The key.txt file contains a secret key used to encrypt the security token used for the user authentication. When starting GateIn, this file is read via the gatein.gadgets.securitytokenkeyfile path. In case the key.txt file is not found, GateIn automatically generates a new key.txt one and save it to the gatein.gadgets.securitytokenkeyfile path.
oauthkey.pem and oauthkey_pub.pem are a key pair of RSA cryptography standard. oauthkey.pem is known as a private key and oauthkey_pub.pem is a public key. They are the default keys of the gadget container which OAuth gadgets will use to authorize with external service providers.
These servers have to be on the same domain as the gadget server. You can configure the container in eXoGadgetServer:/WEB-INF/classes/containers/default/container.js.
"gadgets.content-rewrite" : {
"include-urls": ".*",
"exclude-urls": "",
"include-tags": ["link", "script", "embed", "img", "style"],
"expires": "86400",
"proxy-url": "http://localhost:8080/eXoGadgetServer/gadgets/proxy?url=",
"concat-url": "http://localhost:8080/eXoGadgetServer/gadgets/concat?"
},
To allow external gadgets when the server is behind a proxy, add the following code to the beginning of the JVM:
-Dhttp.proxyHost=proxyhostURL -Dhttp.proxyPort=proxyPortNumber -Dhttp.proxyUser=someUserName -Dhttp.proxyPassword=somePassword