MOWA 2007 - without pickup.response, logout bug, "Web Access Light" bug


Introduction

Let's start by saying that L****** and Microsoft Outlook Web Access just don't get along. The current working implementation has a few (major) problems:

  • The solution uses pickup.response which is VERY insecure
  • When using IE, MOWA Light Access Mode is activated (not good)
  • When a user clicks on "Log out" from MOWA, it also kills their L****** session (IE only)

We managed to work around all three of these issues, and it is stable enough that I am ready to share it with you nice folks.

Prerequisites

  1. MOWA 2007 - duh!
  2. MOWA using forms based authentication. This means that you should have a login "page" that you go to, instead of a popup from your browser prompting you for credentials.
  3. Access to the MOWA server. We will need to copy a file there, and comment out a line of source code in a minute
  4. Access to the L****** server

Setup L******

Download the attached files from this post and save them someplace where you can edit them.

Open up the file "mowa.properties", and change the following entries:

  • mowa.hostname
  • mowa.pickup.remoteurl*

* - This needs to match the path that we move the pickup.html file to in a few minutes

Copy these files into the $CP_ROOT/webapps/cpipconnector/WEB-INF/config/ directory.

Next, change the following configman properties: (using configman -s property value)

  1. mowa.host (ex: oi.clayton.edu)
  2. mowa.permission (ex: Mowa)
  3. mowa.port (ex: 443)
  4. mowa.protocol (ex: https)
  5. mowa.sso.permission (ex: MOWA_SSO)
  6. mowa.url (ex: https://oi.clayton.edu:443/owa)
  7. es.systems*

* - Append es.systems with the name 'mowa'. But be careful not to overwrite the existing entries.

For additional explanation (no matter how terse), take a gander at pgs. 5.64 in the "L****** platform installation guide" documentation (Version F).

Next, let's add "mowa.properties" to the cpipconnector.properties file so CPIP knows that MOWA is in use. To do this, set the following property:

  1. property.files=mowa.properties

(we had other values set to this property.files - which is fine, just separate them with commas)

To apply these changes, you must summon the infamous "stopcp ; startcp"

Slight Change on MOWA Server

Next, on the MOWA server, copy the "pickup.html" file attached to this article to the public path "${mowa.hostname}/owa/auth/pickup.html". This means that when you go to this URL in your browser (substituting your own MOWA hostname), you should see the JavaScript file. Make sure you don't have to log in first to access it.

Now, to fix the logout issue:

When you click on "Log out" in MOWA you are redirected from "logoff.owa", to "./auth/logoff.aspx" (the session is expired here). The culprit seems to be in the source of "logoff.aspx" starting on line 60:

    // a_fCAC and LogoffMime() are defined elsewhere in logoff.aspx (not shown here).
    function chkAuth() {
        if (a_fCAC) {
            try {
                // Internet Explorer-only call that deletes cookies from the browser
                // cache; this is the line the article comments out.
                document.execCommand("ClearAuthenticationCache", "false");
            } catch (e) {
            }
        }

        LogoffMime();
    }
    window.onload = chkAuth;

The only thing that might look terrible to you (if you know Javascript) is document.execCommand. This is a proprietary Microsoft call (big surprise there!) to a function of Internet Explorer. For more information on it, check out this link

It is an Internet Explorer-specific call that DELETES cookies from the browser cache, instead of setting them to null or expiring them. This is a security problem, but Internet Explorer is the only browser that has implemented this feature, meaning it is the only browser affected.

If we comment out line 66 where this call is made, the session will expire as normal, but the cookies will not be removed. The result in Internet Explorer would then be identical to that in any other browser, which is what we want.

In fact, that is what the uPortal Ja-Sig group recommends (though for MOWA 2003) here
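A pre-flight checker for the setup steps above, added here as an example and not part of the original post or of the L****** connector: it appends 'mowa' to es.systems without losing the existing entries, confirms that mowa.pickup.remoteurl points at ${mowa.hostname}/owa/auth/pickup.html, and reports any line of logoff.aspx that still calls ClearAuthenticationCache outside a // comment. It assumes mowa.pickup.remoteurl holds a full URL and that mowa.properties uses key=value lines; all sample input is constructed.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# The IE-only call the article says to comment out in logoff.aspx.
_CLEAR_AUTH = re.compile(r'execCommand\s*\(\s*"ClearAuthenticationCache"')
PICKUP_PATH = "/owa/auth/pickup.html"  # public path the article copies pickup.html to

def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines (mowa.properties style); blank and '#' lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def append_es_system(current: str, name: str = "mowa") -> str:
    """New es.systems value: every existing entry kept, `name` added once at the end."""
    entries = [e.strip() for e in current.split(",") if e.strip()]
    if name not in entries:
        entries.append(name)
    return ",".join(entries)

def active_clear_auth_cache_lines(logoff_src: str) -> List[int]:
    """1-based lines of logoff.aspx still calling ClearAuthenticationCache outside
    a '//' comment (block comments and '//' inside strings are not handled)."""
    return [n for n, line in enumerate(logoff_src.splitlines(), 1)
            if _CLEAR_AUTH.search(line.split("//", 1)[0])]

def check_pickup_url(props: Dict[str, str]) -> List[str]:
    """Problems with mowa.properties: mowa.pickup.remoteurl (assumed to be a full
    URL) must point at ${mowa.hostname}/owa/auth/pickup.html."""
    problems = []
    host = props.get("mowa.hostname", "")
    url = urlsplit(props.get("mowa.pickup.remoteurl", ""))
    if not host:
        problems.append("mowa.hostname is not set")
    elif url.hostname != host.lower():
        problems.append(f"mowa.pickup.remoteurl host {url.hostname!r} != mowa.hostname {host!r}")
    if url.path != PICKUP_PATH:
        problems.append(f"mowa.pickup.remoteurl path {url.path!r} != {PICKUP_PATH!r}")
    return problems

if __name__ == "__main__":  # constructed sample input, not a real deployment
    print(append_es_system("cms,mail"))  # cms,mail,mowa
    print(active_clear_auth_cache_lines(
        'if (a_fCAC) {\n  document.execCommand("ClearAuthenticationCache","false");\n}'))  # [2]
```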

The Payoff

Now it's time to test. This guide skipped a few steps, making the assumption that you already had a MOWA GCF/CPIP connector somewhat implemented. You will still need to give users permissions, copy over the icon, etc.

Comments


secure cpip

Hopefully you also implemented your CPIP service over SSL. Out of the box it is "in-the-clear".

The article you reference is the 1st time I had heard about a workaround for OWA IE domain cookie kill-all. I will have to play with this in our test cluster.

parameter query

Hi,
one of the parameters on the "post" is "chkBsc" - any idea what it does or what values it can take?
thanks
Rich

Awesome!

I just did this and it worked GREAT! Thanks!!

Many Thanks

We're using this too and it works great. Thanks for sharing.