Question about saml (Keycloak) authorization issue


Michał Kuźniarski

Mar 7, 2022, 11:04:58 AM
to cbiop...@googlegroups.com

Hello,

We decided to use a local cBioPortal instance to manage and view data from our clinical tests. It is necessary to run user authorisation for this instance.

During implementation of the cBio solution we encountered issues with running user login. We tried LDAP and KeyCloak solutions unsuccessfully.

Can you provide us with help on this user authorization issue?

Please find some logs below.

Best Regards,
Michal

During app launching:

root@cbioportal:/opt/cBioPortal/cbioportal-docker-compose# docker logs dd79c347dba8
Using database config:
(…)
mysqld is alive
Database connection success
Migrating database if necessary...
Everything up to date, nothing to migrate.
Finished.
Running: /bin/sh -c java -Xms2g -Xmx4g -Dauthenticate=saml -Dsession.service.url=http://cbioportal-session:5000/api/sessions/my_portal/ -jar webapp-runner.jar -AmaxHttpHeaderSize=16384 -AconnectionTimeout=20000 --enable-compression /cbioportal-webapp
Connector attributes
property: maxHttpHeaderSize - 16384(OK)
property: connectionTimeout - 20000(OK)
Adding Context  for /cbioportal-webapp
Mar 07, 2022 9:42:10 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8080"]
Mar 07, 2022 9:42:10 AM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Mar 07, 2022 9:42:10 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service [Tomcat]
Mar 07, 2022 9:42:10 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/8.5.61
Mar 07, 2022 9:42:10 AM org.apache.catalina.startup.SetContextPropertiesRule begin
WARNING: [SetContextPropertiesRule]{Context} Setting property 'antiJARLocking' to 'true' did not find a matching property.
Mar 07, 2022 9:42:10 AM org.apache.catalina.startup.ContextConfig getDefaultWebXmlFragment
INFO: No global web.xml found
Mar 07, 2022 9:42:15 AM org.apache.jasper.servlet.TldScanner scanJars
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Mar 07, 2022 9:42:15 AM org.apache.catalina.core.ApplicationContext log
INFO: 1 Spring WebApplicationInitializers detected on classpath
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Mar 07, 2022 9:42:15 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
Mar 07, 2022 9:42:16 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class [org.springframework.web.context.ContextLoaderListener]
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'metadataGeneratorFilter' defined in class path resource [applicationContext-security.xml]: Could not resolve placeholder 'saml.sp.metadata.entitybaseurl' in value "${saml.sp.metadata.entitybaseurl}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'saml.sp.metadata.entitybaseurl' in value "${saml.sp.metadata.entitybaseurl}"
        at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:228)
        at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer.processProperties(PropertyPlaceholderConfigurer.java:211)
        at org.springframework.beans.factory.config.PropertyResourceConfigurer.postProcessBeanFactory(PropertyResourceConfigurer.java:86)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:291)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:167)
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:706)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:532)
        at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:401)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:292)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
        at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'saml.sp.metadata.entitybaseurl' in value "${saml.sp.metadata.entitybaseurl}"
        at org.springframework.util.PropertyPlaceholderHelper.parseStringValue(PropertyPlaceholderHelper.java:178)
        at org.springframework.util.PropertyPlaceholderHelper.replacePlaceholders(PropertyPlaceholderHelper.java:124)
        at org.springframework.beans.factory.config.PropertyPlaceholderConfigurer$PlaceholderResolvingStringValueResolver.resolveStringValue(PropertyPlaceholderConfigurer.java:230)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveStringValue(BeanDefinitionVisitor.java:296)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveValue(BeanDefinitionVisitor.java:217)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitPropertyValues(BeanDefinitionVisitor.java:147)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitBeanDefinition(BeanDefinitionVisitor.java:85)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.resolveValue(BeanDefinitionVisitor.java:179)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitGenericArgumentValues(BeanDefinitionVisitor.java:165)
        at org.springframework.beans.factory.config.BeanDefinitionVisitor.visitBeanDefinition(BeanDefinitionVisitor.java:90)
        at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:225)
        ... 18 more

----------------------------------------------------------------------------------------------------------------
-- You are connecting to the OncoKB public instance which does not include any therapeutic information.
-- Please consider obtaining a license to support future OncoKB development by following https://docs.cbioportal.org/2.4-integration-with-other-webservices/oncokb-data-access.
-- Thank you.
----------------------------------------------------------------------------------------------------------------
Mar 07, 2022 9:42:16 AM org.apache.catalina.core.StandardContext startInternal
SEVERE: One or more listeners failed to start. Full details will be found in the appropriate container log file

 

SAML xml from keycloak oauth2

 

client-tailored-saml-idp-metadata.xml:

 

Versions:

 

root@cbioportal:/opt/cBioPortal/cbioportal-docker-compose# docker ps

CONTAINER ID   IMAGE                              COMMAND                  CREATED      STATUS          PORTS                                       NAMES

092ee16ea148   cbioportal/cbioportal:3.7.22       "docker-entrypoint.s…"   3 days ago   Up 43 seconds   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   cbioportal-container

bb5b829669c6   cbioportal/session-service:0.5.0   "/bin/sh -c 'java ${…"   3 days ago   Up 3 days                                                   cbioportal-session-container

6782c1fda697   mysql:5.7                          "docker-entrypoint.s…"   3 days ago   Up 3 days       3306/tcp, 33060/tcp                         cbioportal-database-container

cc65b7ca0ce3   mongo:3.7.9                        "docker-entrypoint.s…"   3 days ago   Up 3 days       27017/tcp                                   cbioportal-session-database-container

Pim van Nierop

Mar 8, 2022, 2:30:17 AM
to Michał Kuźniarski, cbiop...@googlegroups.com
Hi Michał,

This error should be solved first:
Could not resolve placeholder 'saml.sp.metadata.entitybaseurl' in value "${saml.sp.metadata.entitybaseurl}"

This can be done by adding the property saml.sp.metadata.entitybaseurl as shown in the file portal.properties.EXAMPLE. This property is only needed when deploying behind a reverse proxy, which does not apply to your situation. However, Spring requires the property to be initialized nevertheless when using SAML authentication. In these cases, the property is initialized to null like so:

saml.sp.metadata.entityBaseURL=#{null}

After this, let's see what problem remains.

All the best,
Pim

--
Pim van Nierop
Software Engineer / cBioPortal specialist
E p...@thehyve.nl
T +31(0)30 700 9713
M +31(0)6 29464525
W thehyve.nl
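Added example, not from the thread or from cBioPortal's own code: a check that portal.properties actually defines the key named in the startup error, treating a key that differs only in case as a miss, since Spring resolves `${...}` placeholders case-sensitively. Which keys count as required is an assumption taken from that error message, and the sample file content is constructed.

```python
"""Check portal.properties for the SAML key Spring resolves at cBioPortal startup.

Spring placeholder lookups are case-sensitive, so a key that differs only in
case from the one in the error message still fails with "Could not resolve
placeholder". Added example, not cBioPortal code; which keys are required is
an assumption taken from the startup error, and the sample file is constructed.
"""

# Taken from the placeholder named in the startup error; "#{null}" is an explicit null value.
REQUIRED_SAML_KEYS = ("saml.sp.metadata.entitybaseurl",)


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: comments, key=value or key: value, line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # a trailing backslash continues the logical line
            pending = line[:-1]
            continue
        # The separator is the first '=' or ':'; a later ':' (as in http://) belongs to the value.
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        key, value = (line[:sep], line[sep + 1:]) if sep >= 0 else (line, "")
        props[key.strip()] = value.strip()
    return props


def missing_saml_keys(text: str) -> list[str]:
    """Report required keys that are absent, naming a case-only near miss when there is one."""
    props = parse_properties(text)
    by_lower = {k.lower(): k for k in props}
    report = []
    for key in REQUIRED_SAML_KEYS:
        if key in props:
            continue
        if key.lower() in by_lower:
            report.append(f"{key}: found as '{by_lower[key.lower()]}' (placeholders are case-sensitive)")
        else:
            report.append(f"{key}: missing; set it to #{{null}} when not behind a reverse proxy")
    return report


# Constructed fragment showing the case mismatch reported in the thread.
SAMPLE = """# portal.properties (constructed)
authenticate=saml
saml.sp.metadata.entityBaseURL=#{null}
"""

if __name__ == "__main__":
    print("\n".join(missing_saml_keys(SAMPLE)) or "all required SAML keys present")
```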

Michał Kuźniarski

Mar 8, 2022, 4:32:58 AM
to Pim van Nierop, cbiop...@googlegroups.com

Hi Pim,


Thank you for your answer.


The mentioned parameter is already set to #{null}; the problem was probably with the property name, which contained capital letters. Corrected.
Now the application is starting, but I see a 500 error.

HTTP Status 500 – Internal Server Error

Type Exception Report

Message org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
    org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:161)
    org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:212)
    org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:184)
    org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
    com.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)
    org.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)
    org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)
    org.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

Root Cause

org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
    org.springframework.security.saml.metadata.MetadataManager.getDefaultIDP(MetadataManager.java:795)
    org.springframework.security.saml.context.SAMLContextProviderImpl.populatePeerEntityId(SAMLContextProviderImpl.java:157)
    org.springframework.security.saml.context.SAMLContextProviderImpl.getLocalAndPeerEntity(SAMLContextProviderImpl.java:127)
    org.springframework.security.saml.SAMLEntryPoint.commence(SAMLEntryPoint.java:146)
    org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:212)
    org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:184)
    org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:140)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:209)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
    com.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)
    org.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)
    org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)
    org.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/8.5.61

My portal.properties:

Answer from (http) metadata.entityid:

Thank you in advance,

Michal

Pim van Nierop

Mar 8, 2022, 4:44:18 AM
to Michał Kuźniarski, cbiop...@googlegroups.com
Hi Michał,

My guess is that there is no file named client-tailored-saml-idp-metadata.xml on the java classpath. This file should be generated by your SAML2 IDP. Can you make sure it exists in the container?

All the best,
Pim

Michał Kuźniarski

Mar 8, 2022, 5:59:59 AM
to Pim van Nierop, cbiop...@googlegroups.com

Hi Pim,


Yes, this file exists inside the container and it contains proper data.

root@2cad5513fa3e:/cbioportal-webapp/WEB-INF/classes# pwd

/cbioportal-webapp/WEB-INF/classes

root@2cad5513fa3e:/cbioportal-webapp/WEB-INF/classes# ls -lrt client-tailored-saml-idp-metadata.xml

-rw-r--r-- 1 root root 3774 Mar  3 12:31 client-tailored-saml-idp-metadata.xml

Thanks,
Michal

Pim van Nierop

Mar 9, 2022, 1:37:42 AM
to Michał Kuźniarski, cbiop...@googlegroups.com
Hi Michał,

Although I cannot spot a problem with your setup from the data you posted, the error that you posted suggests that either the metadata xml is not present or not formatted correctly:

javax.servlet.ServletException: org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP

This error explains that the SAML2 library of spring-security is unable to parse said file. I propose additional investigation in that direction.

All the best,
Pim
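Added example, not from the thread or from cBioPortal's code: a pre-flight check for the elements Spring Security SAML needs from an IdP metadata file before it will register an IDP at all, which is the investigation suggested above. The sample documents are constructed, and the hostnames and certificate in them are placeholders.

```python
"""Check a SAML 2.0 IdP metadata file for the elements an SP needs. Added example,
not cBioPortal code; samples below are constructed. Spring Security SAML reports
"No IDP was configured" when no EntityDescriptor carries an IDPSSODescriptor."""
import sys
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SSO_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the file looks usable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # The root is one EntityDescriptor or an EntitiesDescriptor wrapping several.
    entities = [root] if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.findall("md:EntityDescriptor", NS)
    if not entities:
        return ["no md:EntityDescriptor (wrong root element or namespace)"]
    idps = [e for e in entities if e.find("md:IDPSSODescriptor", NS) is not None]
    if not idps:
        # An SPSSODescriptor-only file is the SP's own metadata, not the IdP's.
        return ["no md:IDPSSODescriptor: this is not IdP metadata"]
    problems = []
    for entity in idps:
        eid = entity.get("entityID")
        if not eid:
            problems.append("EntityDescriptor has no entityID attribute")
        idp = entity.find("md:IDPSSODescriptor", NS)
        sso = idp.findall("md:SingleSignOnService", NS)
        if not {s.get("Binding") for s in sso} & SSO_BINDINGS:
            problems.append(f"{eid}: no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
        for s in sso:
            if not s.get("Location", "").startswith("https://"):
                problems.append(f"{eid}: SingleSignOnService Location {s.get('Location')!r} is not https")
        # Without a signing certificate the SP cannot verify assertion signatures.
        keys = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
        if not any(k.find(".//ds:X509Certificate", NS) is not None for k in keys):
            problems.append(f"{eid}: no signing X509Certificate in IDPSSODescriptor")
    return problems


# Constructed samples: a usable IdP descriptor and an SP-only export (the wrong file).
GOOD_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/realms/demo">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_ONLY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="cbioportal">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    found = check_idp_metadata(open(sys.argv[1]).read() if len(sys.argv) > 1 else SP_ONLY)
    print("\n".join(found) or "metadata looks usable")
```

Run it against the file in WEB-INF/classes (`python check.py client-tailored-saml-idp-metadata.xml`) to see whether the document is malformed or simply lacks an IDPSSODescriptor.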

Michał Kuźniarski

Mar 9, 2022, 9:04:21 AM
to Pim van Nierop, cbiop...@googlegroups.com

Hi Pim,
You were right, the mentioned file was not formatted correctly.
Now it seems to work; I just have to improve the Keycloak SAML configuration.


Thank you for your help!

All the best,

Shixiang Wang (Shawn)

Sep 19, 2022, 12:07:11 PM
to cBioPortal for Cancer Genomics Discussion Group
I got the same error, and I also confirmed the files exist in the container. How should I fix the format problem?