Always getting 401 when using CAS


kenneth....@gmail.com

Nov 10, 2016, 5:33:59 PM11/10/16
to ozoneplatform-users
I've downloaded the 7.17 bundle and it works with the basic HTTP login. However, when I configure everything to CAS it always returns 401.

I can see that the redirect to the login works, the CAS back end does its thing, and I can see where the redirect is sent to OWF with the ticket. I believe the ticket is correctly getting processed, and the OZONELOGIN cookie is properly set... but I still end up at a 401 in the page. Am I missing something?

I am attempting to upgrade our environment as we have a requirement to move to Java 8. So this is the remaining portion of the migration and it is stopping all progress. Thanks

Kenneth

Ross Pokorny

Nov 11, 2016, 7:22:19 AM11/11/16
to ozoneplat...@googlegroups.com
The HTTP 401 status code is only ever used as part of HTTP Basic auth. I
suspect there is still part of the HTTP Basic setup present in your
configuration. Could you post your configuration?

Ross Pokorny

On Thursday, November 10, 2016 2:33:59 PM EST kenneth....@gmail.com
wrote:

Kenneth Keith

Nov 11, 2016, 8:11:44 AM11/11/16
to ozoneplat...@googlegroups.com
Ross,

Thanks for the response, here is the relevant security configuration.

<sec:http use-expressions="true" entry-point-ref="casAuthenticationEntryPoint">
    <sec:access-denied-handler error-page="/denied.gsp"/>
    <sec:intercept-url pattern="/j_spring_cas_security_check" access="permitAll()" requires-channel="https"/>
    <sec:intercept-url pattern="/unauthorized.jsp" access="permitAll()"/>
    <sec:intercept-url pattern="/cas*.jsp" requires-channel="https" />
    <sec:intercept-url pattern="/js-lib/ext-*/**" access="permitAll()"/>
    <sec:intercept-url pattern="/themes/common/images/logout/**" access="permitAll()"/>
    <sec:intercept-url pattern="/logout.jsp" access="permitAll()"/>
    <sec:intercept-url pattern="/administration/monitoring" access="hasRole('ROLE_ADMIN')" />
    <sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
    <sec:intercept-url pattern="/" access="isAuthenticated()" requires-channel="https" />
    <sec:intercept-url pattern="/**" access="isAuthenticated()" requires-channel="https" />
    <!--<sec:x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService" />-->
    <!-- FILTER THAT CREATES OUR CUSTOM COOKIE -->
    <!--<sec:custom-filter ref="casSingleSignOutFilter" before="CAS_FILTER"/>-->
    <sec:custom-filter ref="casAuthenticationFilter" before="CAS_FILTER" />
    <sec:custom-filter ref="ozoneCookieFilter" after="CAS_FILTER"/>
    <!--<sec:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>-->
    <sec:port-mappings>
        <sec:port-mapping http="8080" https="8443"/>
    </sec:port-mappings>
</sec:http>

I may have discovered another possible issue... However, in order to verify this I need to clone the current master and verify that the code I have is the newest.


--
You received this message because you are subscribed to a topic in the Google Groups "ozoneplatform-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ozoneplatform-users/NoOXM45WXko/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ozoneplatform-users+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kenneth Keith

Nov 11, 2016, 8:49:52 AM11/11/16
to ozoneplat...@googlegroups.com
Ross,

Ok, so perhaps it is an oversight on my part; however, inside of the SecurityFilters.groovy file there is a line (24) that states the following:

if (!accountService.getLoggedInUserIsUser())

This was the issue. If an administrator is attempting to sign in that does not have both ROLE_ADMIN and ROLE_USER, this will always return a 401. When I added ROLE_USER to the admin account it worked... So while my logic may be wrong, I believe a user with ROLE_ADMIN should automatically count as ROLE_USER through permission inheritance. Unless there are issues elsewhere in the application, I would think that changing the if statement to the following will resolve the issue and also prevent any potential break to other application logic.

if (!accountService.getLoggedInUserIsUser() && !accountService.getLoggedInUserIsAdmin())

Thoughts?

Kenneth


Ross Pokorny

Nov 11, 2016, 9:13:48 AM11/11/16
to ozoneplat...@googlegroups.com
Kenneth

The decision of whether ROLE_ADMIN should implicitly include ROLE_USER or not
is a fairly arbitrary one. We chose, years ago, that it wouldn't. At this
point it is uncertain how much code in the app relies on that assumption, so
we do not intend to change it.

It is still perplexing that you were getting a 401 and not a 403...

Ross Pokorny

Kenneth Keith

Nov 11, 2016, 9:29:42 AM11/11/16
to ozoneplat...@googlegroups.com
It was only when I cloned the source and ran the application in debug that I was able to zero in. It gave me the hint ("does not have ROLE_USER role, erroring out with 401"), so when I added the role it worked... so it seems as if this would be the reason for always getting a 401 and not a 403. Based on a quick search, it actually looks like there is not much within the application that explicitly checks for ROLE_ADMIN.

I can understand not wanting to change it or having different thoughts on the meaning of admin vs. user. So I'll make the changes in the source as necessary to suit my needs. If you would like me to contribute my changes, I would be ok with sharing. The only thing I plan to do is adjust the source to allow the admin role to inherit the user role.




Kenneth Keith

Nov 11, 2016, 9:31:04 AM11/11/16
to ozoneplat...@googlegroups.com
Interestingly enough, most of this has already been done. Just a few stragglers apparently.



Ross Pokorny

Nov 11, 2016, 9:47:12 AM11/11/16
to ozoneplat...@googlegroups.com
Ah, I see now that OWF itself is explicitly returning a 401. That's
technically incorrect I suppose. I will put a bug ticket in for that.

Just so you're aware, it shouldn't be too hard to adjust your security plugin
settings to give admins ROLE_USER as well. I would think that would be easier
than modifying OWF.

Ross Pokorny
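As an added example (not OWF's own code, and not part of this thread), a Grails 2-style filter modelled on the SecurityFilters.groovy check quoted earlier, with the two failure cases separated: no authentication at all yields 401, while an authenticated caller who holds neither ROLE_USER nor ROLE_ADMIN yields 403. It assumes the accountService methods named in the thread exist with those names, and it treats ROLE_ADMIN as implying ROLE_USER, which is Kenneth's proposed change rather than OWF's shipped behaviour.

```groovy
// Added example, not OWF code. accountService and its getLoggedInUserIsUser /
// getLoggedInUserIsAdmin methods are assumed from the thread; Grails injects
// the service into the filter by name.
import javax.servlet.http.HttpServletResponse
import org.springframework.security.core.context.SecurityContextHolder

class SecurityFilters {
    def accountService   // assumed OWF service, see thread

    def filters = {
        all(controller: '*', action: '*') {
            before = {
                def auth = SecurityContextHolder.context?.authentication

                // Case 1: no authenticated principal at all. With CAS the
                // entry point normally redirects before we get here, but if
                // it does not, 401 is the correct "not authenticated" answer.
                if (auth == null || !auth.authenticated) {
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        'No authenticated principal')
                    return false
                }

                // Case 2: authenticated but not authorised. This is a 403,
                // not a 401. ROLE_ADMIN is accepted as implying ROLE_USER
                // (assumption: the inheritance Kenneth proposes).
                boolean isUser  = accountService.getLoggedInUserIsUser()
                boolean isAdmin = accountService.getLoggedInUserIsAdmin()
                if (!isUser && !isAdmin) {
                    log.warn("principal '${auth.name}' has neither ROLE_USER " +
                             "nor ROLE_ADMIN, rejecting with 403")
                    response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        'Missing ROLE_USER or ROLE_ADMIN')
                    return false
                }
                return true
            }
        }
    }
}
```

The warn-level log line is what you would key on when hunting the "always 401" symptom described in this thread: a 403 with a named principal tells you the ticket was validated and the problem is role assignment, not CAS.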

Kenneth Keith

Nov 11, 2016, 9:52:48 AM11/11/16
to ozoneplat...@googlegroups.com
Agreed, will have to take a look and see what kind of effort is required to update the user management client.



Kenneth Keith

Nov 11, 2016, 10:04:36 AM11/11/16
to ozoneplat...@googlegroups.com
Thanks for the assistance/discussion.

