SAML Authentication: X-CSRF-TOKEN


Miguel Pellicer

Jul 18, 2018, 9:48:48 AM
to saka...@apereo.org

Hi all!

I have a question about the SAML authentication, I've followed the guide and most of the items look good to me, thank you so much in advance to all the contributors.

Sakai redirects to ADFS, you can log in fine in ADFS, when the client is redirected to Sakai again Tomcat throws this error:

Or this one:

Did anybody face this in the past? I'll take a look in depth tomorrow, but if anyone can throw some light here I'll be really thankful.

Thank you so much
-- 
-----------------------------------------------
Miguel Pellicer
CTO at EDF

Website: https://www.edf.global
LinkedIn: https://www.linkedin.com/in/mpellicer-edf
Office Phone: +34 - 96 381 35 75
Requesting a meeting: https://calendly.com/mpellicer
-----------------------------------------------

Sam Ottenhoff

Jul 18, 2018, 11:30:23 AM
to Miguel Carro Pellicer, sakai-dev
Hi Miguel,

I've never faced this error. Are you testing against master? Have you somehow enabled Tomcat's CSRF filters?

--
You received this message because you are subscribed to the Google Groups "Sakai Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-dev+...@apereo.org.
To post to this group, send email to saka...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/sakai-dev/.

Miguel Pellicer

Jul 18, 2018, 12:16:20 PM
to Sam Ottenhoff, sakai-dev
I'm using Sakai 12 and I didn't enable any special configuration in Tomcat, which is 8.5. I'll take a look tomorrow, thanks Sam

Hendrik Steller

Jul 18, 2018, 8:25:53 PM
to saka...@apereo.org, Miguel Pellicer
Hi,
just an idea which might or might not help:
Doesn't this integrated-into-Sakai SAML stuff in the login-tool use Spring
Security (we're still using shibd and a custom login servlet)?
Because Spring itself has some CSRF protection feature and I remember running
into an issue in one of my webapps after a Spring upgrade because they changed
the default for the CSRF protection from disabled to enabled.

See point 3 here if you want to disable it to see if that changes anything:
http://www.baeldung.com/spring-security-csrf
(This also claims that the changed default was introduced with Spring
Security 4)

Hendrik

On Wednesday, 18 July 2018 15:48:42 CEST Miguel Pellicer wrote:
> Hi all!
>
> I have a question about the SAML authentication, I've followed the guide
> and most of the items look good to me, thank you so much in advance to
> all the contributors.
>
> Sakai redirects to ADFS, you can log in fine in ADFS, when the client is
> redirected to Sakai again Tomcat throws this error:
>
> Or this one:

Miguel Pellicer

Jul 19, 2018, 5:32:49 AM
to Hendrik Steller, saka...@apereo.org

Thanks Hendrik and Sam,

Sakai 11 uses Spring Security 3.2.9 and Sakai 12 uses 3.2.10; the problem I'm facing is just that: the CSRF protection is enabled by default.

Why? Because I'm using some custom 12.x changes that upgrade to Spring Security 4; that's why I'm getting this issue. I've disabled the CSRF token and it works like a charm; unfortunately, I think this is a really bad idea in general.

Before:

    <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

After:

    <!-- Secured pages with SAML as entry point -->
    <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:csrf disabled="true"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

This means... this is a configuration that may affect Sakai 19 SAML; fortunately, it doesn't affect 12.x.

Thank you so much
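A narrower alternative to `<security:csrf disabled="true"/>`, added here as an example and not code from Sakai or from this thread: keep Spring Security's CSRF check on every state-changing request except the one endpoint where the IdP POSTs the SAMLResponse back, which is the request that can never carry Sakai's X-CSRF-TOKEN. The package name, the class name and the `/saml/SSO` path are assumptions; adjust the path to wherever your `samlFilter` listens.

```java
package org.example.sakai.login; // placeholder package, not a Sakai package

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Decides which requests the CsrfFilter must check.
 *
 * Spring Security's default matcher requires a token on every request whose
 * method is not GET/HEAD/TRACE/OPTIONS. The IdP (ADFS) returns the user with an
 * HTTP POST carrying the SAMLResponse; that request cannot carry the session's
 * X-CSRF-TOKEN, so the default matcher rejects it before the SAML filter runs.
 * This matcher keeps the default rule everywhere except that one endpoint.
 *
 * Wire it instead of disabling CSRF (request-matcher-ref exists since 3.2):
 *
 *   <bean id="samlCsrfMatcher" class="org.example.sakai.login.SamlAwareCsrfMatcher"/>
 *   <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
 *       <security:csrf request-matcher-ref="samlCsrfMatcher"/>
 *       ...
 *   </security:http>
 */
public class SamlAwareCsrfMatcher implements RequestMatcher {

    /** Methods the default matcher treats as safe (no CSRF token required). */
    private static final Set<String> SAFE_METHODS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS")));

    /** Assertion consumer endpoint; "/saml/SSO" is an assumed path, match it to your samlFilter. */
    private final RequestMatcher assertionConsumer =
            new AntPathRequestMatcher("/saml/SSO/**", "POST");

    @Override
    public boolean matches(HttpServletRequest request) {
        // Same as the default: safe methods are never checked for a token...
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        // ...and every other state-changing request still needs one, except the
        // IdP's POST of the SAMLResponse, which the SAML filter validates itself.
        return !assertionConsumer.matches(request);
    }
}
```

Every other POST in the login tool keeps its CSRF check, so the exemption is limited to the one request that is authenticated by the signed SAML assertion rather than by the session.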
