Authors:
Jency Flawrence
Sahana Mathias
Problem Statement: Single sign-on by using Formfill with Autosubmit enabled fails if the submit or the login button requires execution of a JavaScript function before submitting the form data to the Web server. The classic example of such a form is the HP Service Manager login form.
Solution: You must configure a form fill policy that includes all the required JavaScript functions in the Functions to keep section and includes the function call associated with the Submit button in the Statements to Execute section of the form fill policy:
function_name(arguments); //eg. tpzDrillTable('','Login','0','listdetail');
where "function_name" is the JavaScript statement to be executed on clicking the "Submit" button. You can find this statement in the "onclick" attribute of the "Submit" button.
This function calls the onclick action of the Submit button in the form and ensures that the form is submitted to the Web server after the Javascript is executed.
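As an added example (not from the original article or the product), the following script shows one way to locate the onclick statement of a button and list the functions that statement reaches, which are the candidates for Functions to keep. The sample page is constructed: only the names tpzDrillTable, verify and enableAll come from the article, while their bodies, the call chain, showHelp() and the helper names findOnclick, declaredFunctions and functionsToKeep are assumptions.

```javascript
// Constructed sample page: function bodies, call chain and showHelp() are invented.
const samplePage = `<script>
function enableAll() { /* re-enable inputs */ }
function verify(f, bSubmitToSelf) { enableAll(); return true; }
function showHelp() { window.open("help.html"); }
function tpzDrillTable(a, b, c, d) { if (verify(document.forms[0], false)) document.forms[0].submit(); }
</script>
<form method="post">
  <input type="button" name="0" value="Login" onclick="tpzDrillTable('','Login','0','listdetail');">
  <input type="button" name="3" value="Cancel" onclick="window.close();">
</form>`;

// Return the onclick statement of the <input> whose value equals `label`.
function findOnclick(html, label) {
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const value = /\bvalue\s*=\s*"([^"]*)"/i.exec(tag);
    const onclick = /\bonclick\s*=\s*"([^"]*)"/i.exec(tag);
    if (value && onclick && value[1] === label) return onclick[1].trim();
  }
  return null;
}

// Map each declared function to its source (braces in strings are not handled).
function declaredFunctions(html) {
  const fns = new Map();
  for (const m of html.matchAll(/function\s+([\w$]+)\s*\([^)]*\)\s*\{/g)) {
    let depth = 1, i = m.index + m[0].length;
    for (; i < html.length && depth > 0; i++) {
      if (html[i] === "{") depth++;
      else if (html[i] === "}") depth--;
    }
    fns.set(m[1], html.slice(m.index, i));
  }
  return fns;
}

// Functions reachable from `statement`: candidates for "Functions to keep".
function functionsToKeep(html, statement) {
  const fns = declaredFunctions(html), keep = new Set(), queue = [statement];
  while (queue.length) {
    for (const [, name] of queue.pop().matchAll(/([\w$]+)\s*\(/g)) {
      if (!fns.has(name) || keep.has(name)) continue;
      keep.add(name);
      queue.push(fns.get(name));
    }
  }
  return [...keep].sort();
}
console.log(functionsToKeep(samplePage, findOnclick(samplePage, "Login")));
```

The statement returned by findOnclick is what goes into Statements to Execute; the regex-based parsing is a simplification and should be checked against the real page source.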
The following sections explain why form fill fails when a regular form fill policy is configured for the HTML form that contains complicated JavaScript. This section also describes the procedure to configure the form fill policy for such complex forms.
Consider the sample login form from HP Service Manager, which contains an embedded JavaScript that gets executed when the Login button is clicked:
The code for this form is given below.
Please note that the code contains only some illustrative functions that are required to explain Formfill and does not reflect the exact code of the HP Service Manager login form.
NOTE: In the above code, the highlighted section indicates that when the Login button is clicked the onclick action calls a JavaScript function.
In Linux Access Gateway, you can configure a form fill policy to submit the form in the following ways:
function LAGSubmitForm()
{
    executeJavaScript();
}
LAGSubmitForm();
where executeJavaScript(); is the function that executes the JS/VB script statements configured in "Statements to execute". If statements to be executed are present, you can also find the function definition for executeJavaScript(), such as:
function executeJavaScript()
{
    document.forms[0].submit();
}
where forms[0] is the single form present in the HTML page and "submit" is the default action associated with the form's Submit button, which submits this form to the Web server automatically. This approach works for forms where the default action of the "Submit" button is POSTing the form data.
For example, these touch files help proper Formfill of complex login forms by CRM applications or TWC applications. When the touch files are present, form fill does not perform HTML parsing, just as is the case with manual submission, even though the Autosubmit option is enabled. All the fields in the original HTML form are populated with the values configured in the form fill policy and the form data is sent to the Web browser.
However, one limitation of this approach is that functions configured in the Functions to keep section fail to get executed, because Linux Access Gateway does not process the HTML to include the function LAGSubmitForm() to perform autosubmit. To work around the issue, the statement document.forms[0].submit(); must be added to the Statements to execute section. This statement ensures that the form is submitted properly, with the assumption that the default action of the Submit button is POST for forms[0].
The following section explains the process that takes place when a client requests a form that is configured with a regular form fill policy.
When a regular Formfill policy is configured with Autosubmit enabled, the LAGSubmitForm() function is included in the form at runtime. However, the LAGSubmitForm() function calls the default submit action of the form, which is to POST the data to the Web server. The submit action for the sample login form in Section 1.1, "Sample Login Form with JavaScript," on page 1 requires a JavaScript function to be executed. This function in turn submits the form data to the Web server. Since the JavaScript is not executed using the regular Formfill policy, posting of the form data fails.
The following is the POST request sent to the browser:
row=&__x=&thread=0&event=0&transaction=0&type=detail&focus=var/user.id&focusContents=testuser1&focusId=X2&focusReadOnly=&start=&count=&more=&tablename=&window=&close=&_blankFields=&_uncheckedBoxes=&formchanged=&formname=login.prompt.g&_multiSelection=&_multiSelection_tableId=&clientWidth=1473&var/user.id=testuser1&var/old.password=novell081&var/L.language=en&0=Login&3=Cancel
However, the browser expects to receive the following POST request and does not auto submit the form:
row=&__x=&thread=0&event=0&transaction=0&type=detail&focus=var/user.id&focusContents=testuser1&focusId=X2&focusReadOnly=null&start=&count=&more=&tablename=&window=&close=&_blankFields=&_uncheckedBoxes=&formchanged=&formname=login.prompt.g&_multiSelection=&_multiSelection_tableId=&clientWidth=1217&var/user.id=testuser1&var/old.password=novell081&var/L.language=en
Note the difference in POST requests sent to the browser. In the first case, the POST request has &0=Login&3=Cancel appended, which causes the login to fail.
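When troubleshooting a form fill policy, the comparison described above can be done field by field instead of by eye. The following is an added example (not part of the original article or the product) that parses the two bodies shown above and reports extra, missing and changed fields; the function names and the rule that redacts any field whose name contains "password" are assumptions.

```javascript
// Added example: field-level diff of the two POST bodies shown above.
const autoSubmitBody = // body produced with the regular form fill policy
  "row=&__x=&thread=0&event=0&transaction=0&type=detail&focus=var/user.id" +
  "&focusContents=testuser1&focusId=X2&focusReadOnly=&start=&count=&more=" +
  "&tablename=&window=&close=&_blankFields=&_uncheckedBoxes=&formchanged=" +
  "&formname=login.prompt.g&_multiSelection=&_multiSelection_tableId=" +
  "&clientWidth=1473&var/user.id=testuser1&var/old.password=novell081" +
  "&var/L.language=en&0=Login&3=Cancel";
const expectedBody = // body the article lists as the expected request
  "row=&__x=&thread=0&event=0&transaction=0&type=detail&focus=var/user.id" +
  "&focusContents=testuser1&focusId=X2&focusReadOnly=null&start=&count=&more=" +
  "&tablename=&window=&close=&_blankFields=&_uncheckedBoxes=&formchanged=" +
  "&formname=login.prompt.g&_multiSelection=&_multiSelection_tableId=" +
  "&clientWidth=1217&var/user.id=testuser1&var/old.password=novell081" +
  "&var/L.language=en";

// Assumption: values of fields matching this pattern are never echoed in a report.
const SENSITIVE = /password/i;

function parseBody(body) {
  // URLSearchParams decodes application/x-www-form-urlencoded data.
  const fields = new Map();
  for (const [name, value] of new URLSearchParams(body)) {
    if (!fields.has(name)) fields.set(name, []);
    fields.get(name).push(value);
  }
  return fields;
}

function diffPostBodies(actual, expected) {
  const a = parseBody(actual);
  const e = parseBody(expected);
  const show = (name, vals) => (SENSITIVE.test(name) ? "<redacted>" : vals.join(","));
  const report = { extra: [], missing: [], changed: [] };
  for (const [name, vals] of a) {
    if (!e.has(name)) report.extra.push(name);
    else if (vals.join("\u0000") !== e.get(name).join("\u0000"))
      report.changed.push({ name, actual: show(name, vals), expected: show(name, e.get(name)) });
  }
  for (const name of e.keys()) if (!a.has(name)) report.missing.push(name);
  return report;
}

console.log(JSON.stringify(diffPostBodies(autoSubmitBody, expectedBody), null, 2));
```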
In order for the browser to send the proper POST data, Linux Access Gateway must add the following Javascript statement to the Statements to Execute:
tpzDrillTable('','Login','0','listdetail');
For Formfill to work for the sample login form, make the following modifications:
The following procedure describes the steps to configure the form fill policy with JavaScript or VBScript functions.
Please note that all the Input Field values are illustrative and have to be substituted with the actual values from the original form.
Functions to keep:
function dvdRegisterSelect()
function enableAll()
function verify(f, bSubmitToSelf)
function printThisView()
function tpzDrillTable(a,b,c,d)
Statements to execute:
tpzDrillTable('','Login','0','listdetail');
touch /var/novell/.enableInPlaceSilentFill
When this touch file is used, the Linux Access Gateway does not generate a new page if autosubmit is enabled, but fills the page received from the Web server and hides the text/password/unspecified type fields. Form-Fill issues for CRM applications and teaming and conferencing applications are resolved with this touch file.
However, when this touch file is used, the Debug Submit and JS Functions to Keep options of the Form Fill policy do not work.
touch /var/novell/.enableInPlaceSilentFillNew
This touch file is to be used to fill forms with complex JavaScript or VBScripts. You must use this touch file along with the .enableInPlaceSilentFill file.
/etc/init.d/novell-vmc stop
/etc/init.d/novell-vmc start