  • Recommended Architecture to Handle Browser Third Party Cookies Policy


    jpadre
    • Features: Web Services Version: v8 Product: Visualize.js

    This article describes how to implement a proxy solution for Visualize.js when browsers are blocking all third-party cookies. There are several possible configurations of proxies and domains or subdomains, depending on your needs. You can deploy the proxy solution using the provided configuration files as a starting point.

    Background

    Apple has decided to block all third-party cookies in Safari, and Google will soon do the same for Chrome. The situation is similar with Mozilla Firefox and Microsoft Edge. This issue impacts Jaspersoft customers whose web applications implementing Visualize.js are deployed on one domain while JasperReports Server is located on another domain or subdomain.

    When users access your web app using Visualize.js, the script needs to store a cookie with session information for JasperReports Server. However, browsers will no longer allow this cookie because JasperReports Server is on a different domain (or subdomain), so it is considered a third-party cookie.


    Proxy Solution Workaround

    As a short-term solution, Jaspersoft recommends introducing an additional proxy server (similar to a load balancer) so that, to the client (browser), your instance of JasperReports Server appears to be on the same domain (or subdomain) as the Visualize.js web app. The proxy makes the server cookies appear to be from the same (sub)domain and thus allowed by browsers. This configuration is shown in the following diagram:

    [Diagram: proxy solution configuration]

    Proxy Servers

    You can use any web server, proxy server, or load balancer that can be configured to respond in one domain and forward to another domain. Install the proxy server on a physical or virtual machine that is configured to be in the same domain as your web app. It can run on a separate instance that can reach the web app and backend hostnames, and it forwards requests to them where needed.

    Optionally, the proxy can also be installed in a sub-domain of the app’s domain, for example: backend.mywebapp.com.
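
    Once the proxy is in place, the session cookie should reach the browser as a first-party cookie. The following check is an added example, not part of the original article or of Jaspersoft's code: it audits a Set-Cookie header against the response URL for both the same-domain and the subdomain deployment. The function names and the JSESSIONID sample cookie are assumptions, and the subdomain test is a plain suffix match on the configured app domain.

```javascript
// Added example: audit a Set-Cookie header as the browser receives it.
// Hostnames follow the article; cookie names and values are constructed samples.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.split('=')[0], attrs };
}

// True when host equals domain or is a subdomain of it.
function domainMatch(host, domain) {
  const d = domain.toLowerCase().replace(/^\./, '');
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Cookie path-match: the cookie path must prefix the request path on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

function auditProxiedCookie(appDomain, responseUrl, setCookieHeader) {
  const url = new URL(responseUrl);
  const { name, attrs } = parseSetCookie(setCookieHeader);
  const findings = [];
  if (!domainMatch(url.hostname, appDomain))
    findings.push(`${name}: third-party, ${url.hostname} is outside ${appDomain}`);
  if (typeof attrs.domain === 'string' && !domainMatch(url.hostname, attrs.domain))
    findings.push(`${name}: rejected, Domain=${attrs.domain} does not cover ${url.hostname}`);
  if (url.protocol === 'https:' && !attrs.secure)
    findings.push(`${name}: no Secure attribute on a cookie set over HTTPS`);
  if (typeof attrs.path === 'string' && !pathMatch(url.pathname, attrs.path))
    findings.push(`${name}: Path=${attrs.path} does not cover ${url.pathname}`);
  return findings;
}

// Constructed sample: the same cookie seen through the proxy, then directly from the backend.
const good = 'JSESSIONID=constructed; Path=/jasperserver-pro; Secure; HttpOnly';
console.log(auditProxiedCookie('mywebapp.com', 'https://mywebapp.com/jasperserver-pro/', good));
console.log(auditProxiedCookie('mywebapp.com', 'http://jrs.backend.example.com:8080/jasperserver-pro/', good));
```

    An empty result means the cookie is first-party for the app domain; a Domain or Path finding usually means the backend is emitting attributes for its own hostname or context path that the proxy has to rewrite.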

    Apache HTTP Server Configuration

    Configure your Apache HTTP Server as a proxy with the following contents in the file /etc/httpd/conf.d/jrs-https.conf:

    # Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers
    LoadModule ssl_module         modules/mod_ssl.so
    Listen 443
    # NameVirtualHost is only needed on Apache 2.2; Apache 2.4 ignores it
    NameVirtualHost *:80
    NameVirtualHost mywebapp.com:443

    # Redirect all plain-HTTP requests to HTTPS
    <VirtualHost *:80>
      ServerAdmin admin@mywebapp.com
      RedirectMatch permanent "^/(.*)" "https://mywebapp.com/$1"

    </VirtualHost>

    # TLS-terminating reverse proxy on the web app's domain
    <VirtualHost mywebapp.com:443>
        ServerName mywebapp.com
        ServerAlias mywebapp.com
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/mywebapp.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/mywebapp.com.key
        SSLCertificateChainFile /etc/httpd/ssl/CA.crt
        ServerAdmin admin@mywebapp.com
        AllowEncodedSlashes On
        # Reverse proxy only; never act as a forward (open) proxy
        ProxyRequests     Off
        # Pass the original Host header (mywebapp.com) to the backends
        ProxyPreserveHost On

        # Web app backend (plain HTTP between proxy and backend)
        ProxyPass         /visualize  http://web.backend.example.com:8080/visualize nocanon
        ProxyPassReverse  /visualize  http://web.backend.example.com:8080/visualize

        # JasperReports Server backend (plain HTTP between proxy and backend)
        ProxyPass         /jasperserver-pro  http://jrs.backend.example.com:8080/jasperserver-pro nocanon
        ProxyPassReverse  /jasperserver-pro http://jrs.backend.example.com:8080/jasperserver-pro

        ProxyTimeout 2400
        ProxyBadHeader Ignore
        ProxyAddHeaders On
        # Tell the backends that the client connection used HTTPS on port 443
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </VirtualHost>
    # Server-wide TLS settings: SSLv3, TLSv1 and TLSv1.1 are disabled
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder     off
     

    Nginx Web Server Configuration

    Configure your Nginx web server as a proxy with the following contents in the file nginx-ssl.conf:

    events {}
    http {
        # Redirect all plain-HTTP requests to HTTPS
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
        }

        # TLS-terminating reverse proxy on the web app's domain
        server {

          listen 443 ssl;
          listen [::]:443 ssl;
          server_name mywebapp.com;

          ssl_certificate      /opt/certificates/mywebapp.com.crt;
          ssl_certificate_key  /opt/certificates/mywebapp.com.key;

          ssl_session_cache builtin:1000 shared:SSL:10m;
          # SSLv3, TLSv1 and TLSv1.1 are disabled, as in the Apache configuration
          ssl_protocols  TLSv1.2 TLSv1.3;
          ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
          ssl_prefer_server_ciphers on;

          # No proxy_pass here: requests under /visualize are served by this Nginx instance itself
          location /visualize {
          }

          # JasperReports Server backend (plain HTTP between proxy and backend)
          location /jasperserver-pro {
            # Pass the original Host header and client details to the backend
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;

            proxy_pass          http://jrs.backend.example.com:8080/jasperserver-pro;
            proxy_read_timeout  90;
          }
        }
    }

     

