From 8c48558d09067c8a5b880c3b93ca5bda28a686f5 Mon Sep 17 00:00:00 2001
From: Frederic Mercier <f.mercier@fr.ibm.com>
Date: Fri, 21 Mar 2025 17:49:41 +0100
Subject: [PATCH] fixes in EntraID article

1) remove accessTokenInLtpaCookie="true" from openIdWebSecurity.xml
- This is to fix a problem affecting enterprise users (users related to the intranet such as f.mercier@fr.ibm.com)
For those users, after logging in the Business Console, the page does not load completely: only the tab menu is visible (Home, Library, Work, Administration)
- This problem does not affect other users (eg. fred-odmuser@ibmodmdev.onmicrosoft.com)

2) remove the two custom authFilters from webSecurity.xml
- This is to fix a problem affecting the page displayed in RES console when clicking "Retrieve HTDS Description File > View (or Download)"
- a popup gets displayed in the new tab (prompting the user to enter Basic Auth credentials)
- This is only happening if ODM in deployed using ingress, and not if routes are used
- With this change, a token is automatically retrieved to authenticate the user in HTDS
---
 .../AzureAD/templates/openIdWebSecurity.xml   |  2 +-
 .../AzureAD/templates/webSecurity.xml         | 36 +------------------
 .../openIdWebSecurity.xml                     |  2 +-
 .../webSecurity.xml                           | 34 ------------------
 4 files changed, 3 insertions(+), 71 deletions(-)

diff --git a/authentication/AzureAD/templates/openIdWebSecurity.xml b/authentication/AzureAD/templates/openIdWebSecurity.xml
index 0362a326..b7cf4a27 100644
--- a/authentication/AzureAD/templates/openIdWebSecurity.xml
+++ b/authentication/AzureAD/templates/openIdWebSecurity.xml
@@ -5,7 +5,7 @@
 
   <!-- Open ID Connect -->
   <!-- Client with inbound propagation set to supported -->
-  <openidConnectClient authFilterRef="browserAuthFilter" id="odm" scope="openid" accessTokenInLtpaCookie="true"
+  <openidConnectClient authFilterRef="browserAuthFilter" id="odm" scope="openid"
                        clientId="AZUREAD_CLIENT_ID" clientSecret="AZUREAD_CLIENT_SECRET" tokenReuse="true"
                        signatureAlgorithm="RS256" inboundPropagation="supported"
                        jwkEndpointUrl="${ServerHost}/discovery/v2.0/keys"
diff --git a/authentication/AzureAD/templates/webSecurity.xml b/authentication/AzureAD/templates/webSecurity.xml
index 5703fd06..0320212e 100644
--- a/authentication/AzureAD/templates/webSecurity.xml
+++ b/authentication/AzureAD/templates/webSecurity.xml
@@ -32,39 +32,5 @@
 
 <variable name="odm.rtsAdministrators.user1" value="${user1}"/>
 <variable name="odm.resAdministrators.user1" value="${user1}"/>
-<variable name="odm.resExecutors.user1" value="${user1}"/>  
-
-<authFilter id="browserAuthFilter">
-        <requestHeader id="allowBasicAuth" matchType="notContain" name="Authorization" value="Basic" />
-        <requestUrl id="ds1" matchType="notContain" urlPattern="DecisionService/rest"/>
-        <!-- RES console -->
-        <requestUrl id="res1" matchType="notContain" urlPattern="/res/auth"/>
-        <requestUrl id="res2" matchType="notContain" urlPattern="/res/repositoryService"/>
-        <requestUrl id="res3" matchType="notContain" urlPattern="/res/api"/>
-        <!-- Enterprise console -->
-        <requestUrl id="ec1" matchType="notContain" urlPattern="/teamserver/rts-sync"/>
-        <requestUrl id="ec2" matchType="notContain" urlPattern="/teamserver/remoting"/>
-        <requestUrl id="ec3" matchType="notContain" urlPattern="/teamserver/servlet/SessionServlet"/>
-        <!-- Business console -->
-        <requestUrl id="bc1" matchType="notContain" urlPattern="/decisioncenter/rts-sync"/>
-        <requestUrl id="bc2" matchType="notContain" urlPattern="/decisioncenter/remoting"/>
-        <requestUrl id="bc3" matchType="notContain" urlPattern="/decisioncenter/servlet/SessionServlet"/>
-        <!-- Decision Center API -->
-        <requestUrl id="dcapi" matchType="notContain" urlPattern="/decisioncenter-api/v1/" />
-        <!-- Decision Runner -->
-        <requestUrl id="dr1" matchType="notContain" urlPattern="/DecisionRunner/api"/>
-        <requestUrl id="dr2" matchType="notContain" urlPattern="/DecisionRunner/apiauth"/>
-        <requestUrl id="dr3" matchType="notContain" urlPattern="/DecisionRunner/serverinfo"/>
-        <!-- SSP (DVS) -->
-        <requestUrl id="tg1" matchType="notContain" urlPattern="/testing/sspService"/>
-        <requestUrl id="tg2" matchType="notContain" urlPattern="/testing/serverinfo"/>
-</authFilter>
-
-<!-- Note: The apiAuthFilter should be complementary to the browserAuthFilter -->
-<authFilter id="apiAuthFilter">
-        <!-- This line is to support OIDC and BA by detecting the header -->
-        <requestHeader id="allowBasicAuth" matchType="contains" name="Authorization" value="Bearer" />
-        <requestUrl id="apiurl" matchType="contains" urlPattern="/DecisionService/rest|/res/api|/res/auth|/res/repositoryService|/teamserver/rts-sync|/teamserver/remoting|/teamserver/servlet/SessionServlet|/decisioncenter/rts-sync|/decisioncenter/remoting|/decisioncenter/servlet/SessionServlet|/decisioncenter-api/v1|/DecisionRunner/api|/DecisionRunner/apiauth|/DecisionRunner/serverinfo|/testing/sspService|/testing/serverinfo"/>
-</authFilter>
-  
+<variable name="odm.resExecutors.user1" value="${user1}"/>    
 </server>
diff --git a/authentication/AzureAD/templates_for_privatekeyjwt/openIdWebSecurity.xml b/authentication/AzureAD/templates_for_privatekeyjwt/openIdWebSecurity.xml
index 66a2a1b3..6e1e62ac 100644
--- a/authentication/AzureAD/templates_for_privatekeyjwt/openIdWebSecurity.xml
+++ b/authentication/AzureAD/templates_for_privatekeyjwt/openIdWebSecurity.xml
@@ -5,7 +5,7 @@
 
   <!-- Open ID Connect -->
   <!-- Client with inbound propagation set to supported -->
-  <openidConnectClient authFilterRef="browserAuthFilter" id="odm" scope="openid" accessTokenInLtpaCookie="true"
+  <openidConnectClient authFilterRef="browserAuthFilter" id="odm" scope="openid"
                        clientId="AZUREAD_CLIENT_ID" tokenEndpointAuthMethod="private_key_jwt" keyAliasName="myodmcompany" sslRef="odmDefaultSSLConfig"
                        signatureAlgorithm="RS256" inboundPropagation="supported"
                        jwkEndpointUrl="${ServerHost}/discovery/v2.0/keys"
diff --git a/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml b/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml
index 5703fd06..edd88dac 100644
--- a/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml
+++ b/authentication/AzureAD/templates_for_privatekeyjwt/webSecurity.xml
@@ -33,38 +33,4 @@
 <variable name="odm.rtsAdministrators.user1" value="${user1}"/>
 <variable name="odm.resAdministrators.user1" value="${user1}"/>
 <variable name="odm.resExecutors.user1" value="${user1}"/>  
-
-<authFilter id="browserAuthFilter">
-        <requestHeader id="allowBasicAuth" matchType="notContain" name="Authorization" value="Basic" />
-        <requestUrl id="ds1" matchType="notContain" urlPattern="DecisionService/rest"/>
-        <!-- RES console -->
-        <requestUrl id="res1" matchType="notContain" urlPattern="/res/auth"/>
-        <requestUrl id="res2" matchType="notContain" urlPattern="/res/repositoryService"/>
-        <requestUrl id="res3" matchType="notContain" urlPattern="/res/api"/>
-        <!-- Enterprise console -->
-        <requestUrl id="ec1" matchType="notContain" urlPattern="/teamserver/rts-sync"/>
-        <requestUrl id="ec2" matchType="notContain" urlPattern="/teamserver/remoting"/>
-        <requestUrl id="ec3" matchType="notContain" urlPattern="/teamserver/servlet/SessionServlet"/>
-        <!-- Business console -->
-        <requestUrl id="bc1" matchType="notContain" urlPattern="/decisioncenter/rts-sync"/>
-        <requestUrl id="bc2" matchType="notContain" urlPattern="/decisioncenter/remoting"/>
-        <requestUrl id="bc3" matchType="notContain" urlPattern="/decisioncenter/servlet/SessionServlet"/>
-        <!-- Decision Center API -->
-        <requestUrl id="dcapi" matchType="notContain" urlPattern="/decisioncenter-api/v1/" />
-        <!-- Decision Runner -->
-        <requestUrl id="dr1" matchType="notContain" urlPattern="/DecisionRunner/api"/>
-        <requestUrl id="dr2" matchType="notContain" urlPattern="/DecisionRunner/apiauth"/>
-        <requestUrl id="dr3" matchType="notContain" urlPattern="/DecisionRunner/serverinfo"/>
-        <!-- SSP (DVS) -->
-        <requestUrl id="tg1" matchType="notContain" urlPattern="/testing/sspService"/>
-        <requestUrl id="tg2" matchType="notContain" urlPattern="/testing/serverinfo"/>
-</authFilter>
-
-<!-- Note: The apiAuthFilter should be complementary to the browserAuthFilter -->
-<authFilter id="apiAuthFilter">
-        <!-- This line is to support OIDC and BA by detecting the header -->
-        <requestHeader id="allowBasicAuth" matchType="contains" name="Authorization" value="Bearer" />
-        <requestUrl id="apiurl" matchType="contains" urlPattern="/DecisionService/rest|/res/api|/res/auth|/res/repositoryService|/teamserver/rts-sync|/teamserver/remoting|/teamserver/servlet/SessionServlet|/decisioncenter/rts-sync|/decisioncenter/remoting|/decisioncenter/servlet/SessionServlet|/decisioncenter-api/v1|/DecisionRunner/api|/DecisionRunner/apiauth|/DecisionRunner/serverinfo|/testing/sspService|/testing/serverinfo"/>
-</authFilter>
-  
 </server>