Keycloak / SAML IDPSSODescriptor missing as an option


John Reber

Jun 18, 2021, 10:13:37 AM
to cBioPortal for Cancer Genomics Discussion Group
Trying to set up our docker-compose instance of cbioportal to use Keycloak.

I am using a docker-composed Keycloak.

The documentation states to "Select SAML Metadata IDPSSODescriptor", but that does not appear in the dropdown for our cbioportal realm.

On previous attempts I tried using SAML Metadata SPSSODescriptor (don't know if that was the correct thing to do) and would run into other errors (particularly saml.sp.metadata.entitybaseurl errors related to "Could not resolve placeholder 'saml.sp.metadata.entitybaseurl'"), so I deleted the cbioportal Keycloak realm and am starting from scratch.

Any advice on the lack of "SAML Metadata IDPSSODescriptor" as an option?





Benjamin Gross

Jun 18, 2021, 10:20:09 AM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Hi John,

This is a little confusing - I think in recent versions of Keycloak, you get the IDP metadata from the Realm Settings page.  In addition, it's hard to tell the IDP metadata is a clickable link, but it is:




John Reber

Jun 18, 2021, 10:31:46 AM
to cBioPortal for Cancer Genomics Discussion Group

Hi Benjamin,

 First, thanks for the quick response.


So, I should click on that link and cut/paste the displayed XML for client-tailored-saml-idp-metadata.xml?

 

I think that’s where I initially get confused, the documentation says to go to the installation tab and generate from there.  Or am I missing something in my interpretation?

 

Thanks,

John

Benjamin Gross

Jun 18, 2021, 10:37:21 AM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Yes, that's exactly right - you can copy/paste into a new client-tailored-saml-idp-metadata.xml file (or any name you wish) and mount the file according to the docs.

Best,
Benjamin

John Reber

Jun 18, 2021, 11:12:14 AM
to cBioPortal for Cancer Genomics Discussion Group
OK, did that.

Now I'm back to an endless loop of the cbioportal-container trying to start over and over due to:

cbioportal_container           | org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'metadataGeneratorFilter' defined in class path resource [applicationContext-security.xml]: Could not resolve placeholder 'saml.sp.metadata.entitybaseurl' in value "${saml.sp.metadata.entitybaseurl}"; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'saml.sp.metadata.entitybaseurl' in value "${saml.sp.metadata.entitybaseurl}"



{"realm":"cbioportal","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvhJaOog+4Trx695lFMVZqltq9e2WisY49k5aS+Nsi9Y2LuqB0hhkvbwUhTOGW3ih7JjW4/NiWn07tLQw7qL506+M61RTHOXRDc4GP1ep7OEv3KPpUgFyF7nqdKOk1eK3xrYzPetnm6z7rlDduQB/yZtFenOe1xfwoAAuKcLij2rbVXwpFw/wMU/Bef2BpvlLoo24H640Fu5wYThABmf8EyLFISll6qbzKeBQUwnM2oF5Bq3Ykr1lbEzSQfkjYGEAhju5wceGCL9MHxf5ne6UAlrg+vwlt1qxsw1xoji/X57Ef9tig2AC4Mlm6Qr7HUZb7+/WE3DnUJpBKD0x0MJbmwIDAQAB","token-service":"http://cbioportal.kcc.tju.edu:8081/auth/realms/cbioportal/protocol/openid-connect","account-service":"http://cbioportal.kcc.tju.edu:8081/auth/realms/cbioportal/account","tokens-not-before":0}

I have tried both:
saml.sp.metadata.entityBaseURL=#{null}
#saml.sp.metadata.entityBaseURL=http://cbioportal.kcc.tju.edu:8081.

saml.sp.metadata.entityBaseURL=http://cbioportal.kcc.tju.edu:8081 takes me to my Keycloak server.



Thanks again,
John

Benjamin Gross

Jun 18, 2021, 1:12:45 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Hi John,

A good way to verify the setting of saml.sp.metadata.entityBaseURL is to go back to the menu item in your original email and select SAML Metadata SPSSODescriptor.  That will open up the SAML XML metadata for the cBioPortal service.  Just look for any “location” tag and see its value.  The base URL is the portal-host-port combination, for example if location is the following:


the base URL is 


Let me know how it goes.

B



John Reber

Jun 18, 2021, 1:49:00 PM
to cBioPortal for Cancer Genomics Discussion Group
Hey B,

From SAML Metadata SPSSODescriptor:

So my saml.sp.metadata.entityBaseURL=http://cbioportal.kcc.tju.edu:8081 was correct, but still generated the error.

I then changed saml.sp.metadata.entityBaseURL -> saml.sp.metadata.entitybaseurl (all lowercase) and the cbioportal-container started!!!  That's what I get for copying examples from Windows users :-)

Getting closer.

When I go to the URL for cbioportal I am now being redirected to the Keycloak server:
which is generating 404 - Not Found error.

So now I'm sure it's something wrong with my cbioportal configuration within Keycloak.

Incidentally, I'm trying to set this up with LDAP.

Thanks again,
J

Benjamin Gross

Jun 18, 2021, 1:58:34 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
That 404 leads me to believe that KC is not recognizing your instance of cbioportal as a service.  When you look in Metadata SPSSODescriptor, what is the entityID in it?


John Reber

Jun 18, 2021, 2:16:54 PM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

entityID="cbioportal"

 

Is it because there is no Identity Provider saved in Keycloak for cbioportal?

 

I set-up LDAP under User Federation.

 

I did not see how to add an Identity Provider for LDAP.

 

John

------

John Reber
Systems Development Manager

Philadelphia, PA 19107
T 215-503-4174
John....@jefferson.edu
KimmelCancerCenter.org


Benjamin Gross

Jun 18, 2021, 5:20:56 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Keycloak is the identity provider until you set up another means, but you should still be able to get to a login page in Keycloak and just fail authentication until you set up LDAP (which you do through the User Federation tab on the left margin).

I may have misunderstood your prior email.  Are you ever getting to Keycloak (or a login page in Keycloak) and Keycloak is generating the 404 or is the cBioPortal generating the 404?

John Reber

Jun 22, 2021, 10:10:17 AM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

Hi Benjamin,

 

Sorry, I’m off Mondays.

 

When I go to the url for cbioportaldev (http://cbioportaldev.kcc.tju.edu:8080/), I’m not getting a login page.  I’m going straight to 404 – Not Found for the following url:

 

http://cbioportal.kcc.tju.edu:8081/saml/discovery?entityID=cbioportal&returnIDParam=idp.

 

 

John


Benjamin Gross

Jun 22, 2021, 2:10:50 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
No worries John.

The docs have you set up Keycloak running on port 8080 and your instance of cBioPortal on 8081.  I’m not sure what cbioportaldev is, a cBioPortal instance or Keycloak?

Based on your other information, you want to go to the following URL to visit cbioportal:


That 404 makes me think that your cBioPortal instance is not running properly.  As a sanity check, can you retrieve your SAML metadata from your instance of cbioportal by going to:


You should also verify the following URLs within Keycloak - client setup (assuming cbioportal is at the same host):

- Valid Redirect URIs

- Master SAML Processing

- Logout Service POST Binding URL

Best,
B

John Reber

Jun 22, 2021, 2:49:41 PM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

Hi B,

 

Thanks for sticking with me.

 

Keycloak is running on http://cbioportal.kcc.tju.edu:8081.

cbioportaldev is running on http://cbioportaldev.kcc.tju.edu:8080 -> This is our development/testing version of cbioportal, which I’m testing keycloak authentication on

 

http://cbioportal.kcc.tju.edu:8081 takes me to the auth screen for keycloak:

 

 

 

 

 

http://cbioportal.kcc.tju.edu:8081/saml/metadata

returns an error

http://cbioportaldev.kcc.tju.edu:8080/saml/metadata brings up:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="cbioportal" entityID="cbioportal">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[base64 certificate omitted]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cbioportal.kcc.tju.edu:8081/saml/SingleLogout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cbioportal.kcc.tju.edu:8081/saml/SingleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cbioportal.kcc.tju.edu:8081/saml/SSO" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://cbioportal.kcc.tju.edu:8081/saml/SSO" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Benjamin Gross

Jun 22, 2021, 4:11:42 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Of course.  It's a good sign that you can get the metadata out of your cbioportal instance, but it doesn’t look correct.  For example I see this:


The location should be a URL to your cBioPortal instance, not Keycloak.  If dev is set up, the SP metadata should have a location like:

http://cbioportaldev.kcc.tju.edu:8080/saml/SingleLogout

Can you verify you have a similar setup:

Keycloak (if you change any of the following settings, you’ll need to re-download SAML Metadata SPSSODescriptor from that Installation tab):

- Valid Redirect URIs

- Master SAML Processing

- Logout Service POST Binding URL

portal.properties

saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.entitybaseurl=http://cbioportaldev.kcc.tju.edu:8080


-B
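
The checks discussed above, as an added example that is not part of the original thread or of cBioPortal's code: it compares portal.properties with the SP metadata and reports mis-cased keys, an entitybaseurl that has the IdP's origin, and Location values outside entitybaseurl. The sample inputs are constructed from values quoted in this thread (the metadata is trimmed), the function names are hypothetical, and the same-origin test is a heuristic that assumes Keycloak and the portal run on different host:port pairs, as they do here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SP_KEYS = ("saml.sp.metadata.entityid", "saml.sp.metadata.entitybaseurl")
IDP_KEY = "saml.idp.metadata.entityid"


def parse_properties(text):
    """Parse key=value lines, skipping blank lines and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def origin(url):
    """scheme://host:port of a URL, lowercased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_sp_config(properties_text, sp_metadata_xml):
    """Return a list of findings; an empty list means the two inputs agree."""
    findings = []
    props = parse_properties(properties_text)
    lowered = {k.lower(): (k, v) for k, v in props.items()}

    # Property placeholders are resolved case-sensitively, so a mis-cased key
    # behaves like a missing one ("Could not resolve placeholder ...").
    for key in SP_KEYS:
        if key not in props:
            if key in lowered:
                findings.append(f"key '{lowered[key][0]}' must be spelled '{key}'")
            else:
                findings.append(f"key '{key}' is missing")

    # Read the values case-insensitively so the remaining checks still run.
    entity_id = lowered.get(SP_KEYS[0], (None, None))[1]
    base_url = lowered.get(SP_KEYS[1], (None, None))[1]
    idp_entity_id = lowered.get(IDP_KEY, (None, None))[1]

    # Heuristic (assumption): portal and Keycloak do not share a host:port.
    if base_url and idp_entity_id and origin(base_url) == origin(idp_entity_id):
        findings.append(f"entitybaseurl {base_url} has the IdP's origin, not the portal's")

    root = ET.fromstring(sp_metadata_xml)
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        findings.append("metadata contains no SPSSODescriptor")
        return findings
    if entity_id and root.get("entityID") != entity_id:
        findings.append(f"entityID '{root.get('entityID')}' differs from '{entity_id}'")
    if base_url:
        # Every endpoint the SP advertises must live on the portal's own origin.
        for element in sp:
            location = element.get("Location")
            if location and origin(location) != origin(base_url):
                name = element.tag.replace(MD, "")
                findings.append(f"{name} Location {location} is outside {base_url}")
    return findings


# Constructed sample: SP metadata trimmed to the endpoints, Keycloak's host:port.
SP_METADATA_KEYCLOAK_HOST = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="cbioportal">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cbioportal.kcc.tju.edu:8081/saml/SingleLogout"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cbioportal.kcc.tju.edu:8081/saml/SSO" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""
# Constructed sample: the same metadata regenerated for the portal's own host:port.
SP_METADATA_PORTAL_HOST = SP_METADATA_KEYCLOAK_HOST.replace(
    "http://cbioportal.kcc.tju.edu:8081", "http://cbioportaldev.kcc.tju.edu:8080")

# Constructed sample: mixed-case key and a base URL that is really Keycloak's.
FIRST_TRY_PROPS = """
saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.entityBaseURL=http://cbioportal.kcc.tju.edu:8081
saml.idp.metadata.entityid=http://cbioportal.kcc.tju.edu:8081/auth/realms/cbioportal
"""
# Constructed sample: the corrected settings from the message above.
FIXED_PROPS = """
saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.entitybaseurl=http://cbioportaldev.kcc.tju.edu:8080
saml.idp.metadata.entityid=http://cbioportal.kcc.tju.edu:8081/auth/realms/cbioportal
"""

if __name__ == "__main__":
    for label, props, metadata in (
        ("first try", FIRST_TRY_PROPS, SP_METADATA_KEYCLOAK_HOST),
        ("fixed properties, stale metadata", FIXED_PROPS, SP_METADATA_KEYCLOAK_HOST),
        ("fixed properties, regenerated metadata", FIXED_PROPS, SP_METADATA_PORTAL_HOST),
    ):
        print(label, "->", check_sp_config(props, metadata) or "consistent")
```

The middle case is the one to watch after changing entitybaseurl: metadata downloaded before the change still advertises the old endpoints until it is regenerated.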

John Reber

Jun 23, 2021, 8:51:33 AM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

Getting better!  I am now getting the Keycloak login screen, on to getting Keycloak to talk to LDAP

 

 

 

 

 

Thanks for all your help,

Benjamin Gross

Jun 23, 2021, 9:08:54 AM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Great news.  I think I mentioned that you find that via the User Federation tab.  Good luck!
B

John Reber

Jun 24, 2021, 11:06:07 AM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

Hi Benjamin,

 

I have set up LDAP under User Federation

Test Connection and Test authentication both tested successfully

 

 

 

When using "Installation"->SAML Metadata SPSSODescriptor I get

 

cbioportal_container           | SEVERE: Servlet.service() for servlet [jsp] in context with path [] threw exception [org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP] with root cause

 

If I use data from SAML 2.0 Identity Provider Metadata from Realm page for the metadata I get

 

 

 

Events shows the following

 

 

-Valid Redirect URIs

(should be http://cbioportaldev.kcc.tju.edu:8080/*)

 

-Master SAML Processing

(should be http://cbioportaldev.kcc.tju.edu:8080/saml)

 

 - Logout Service POST Binding URL

(should be http://cbioportaldev.kcc.tju.edu:8080/saml/logout)

 

Are set as below:

 

 

 

Portal.properties saml section:

 

saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.wantassertionsigned=true
saml.sp.metadata.entitybaseurl=http://cbioportaldev.kcc.tju.edu:8080
saml.idp.metadata.location=classpath:/client-tailored-saml-idp-metadata.xml
saml.idp.metadata.entityid=http://cbioportal.kcc.tju.edu:8081/auth/realms/cbioportal
saml.keystore.location=classpath:/samlKeystore.jks
saml.keystore.password=XXXXXXX
saml.keystore.private-key.key=secure-key
saml.keystore.private-key.password=XXXXXXX
saml.keystore.default-key=secure-key
saml.idp.comm.binding.settings=defaultBinding
saml.idp.comm.binding.type=
saml.idp.metadata.attribute.email=email
saml.idp.metadata.attribute.role=Role
saml.logout.local=false
saml.custom.userservice.class=org.cbioportal.security.spring.authentication.saml.SAMLUserDetailsServiceImpl
saml.logout.url=/

 

spring_saml_metadata is attached.

 

 

Thanks again for all the pointers,

B

 




Benjamin Gross

Jun 28, 2021, 4:48:46 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Hi John,

Sorry for the delayed response, I was out of town late last week.  I’m not very fluent with the ldap setup, but after you set it up, Keycloak should sync up with your directory service (there may be a button you have to press on the settings page to initiate this).  After the sync, you should see the Keycloak user list contains a copy of your directory service user list.  I bring this up because your event log is showing a LOGIN_ERROR due to invalid_user_credentials.  Did you set the proper credentials for this user after the ldap syncing?

I hope this helps.

B

John Reber

Jun 29, 2021, 9:17:08 AM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

Hi Ben,

 

No problem, apparently my boss was also away 😊

 

So when I look at the Users listed in Keycloak, there are none.  I have tried the “Synchronize changed users” and “Synchronize all users” within LDAP but receive an error:

 

 

Keycloak events show:

 

Auth:

 

Representation

{
  "result": {
    "ignored": false,
    "added": 0,
    "updated": 0,
    "removed": 0,
    "failed": 115839,
    "status": "0 imported users, 0 updated users, 115839 users failed sync! See server log for more details"
  },
  "action": "triggerFullSync"
}

 

 

I look at the keycloak jboss log, there is nothing beyond the initial startup.

 

Is there somewhere else I should be looking for the actual error?

 

Thanks for getting me this far,

John


John Reber

Jun 29, 2021, 9:46:05 AM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

Hi Ben,

 

A step closer.

 

By turning on “Always Read Value From LDAP” in LDAP Mappers username, I was able to populate Users in Keycloak.

 

I am now able to log in (also tested with wrong password and login failed), but not seeing any studies.  Now getting “There are no studies matching your filter”, which I’m guessing is something with my groups setting.

 

Thanks again for getting me this far,

Benjamin Gross

Jun 29, 2021, 9:57:10 AM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Great news.

Ok, no studies matching your filter could indicate one of two things - 

1) authorities are not properly getting to the cbioportal website - check that the keycloak mappers are properly configured.
2) authorities are getting to the cbioportal website, but the study in question did not get imported into the database properly.  If you turn off authentication in portal.properties, can you get to the study when visiting the website?

For 1), you can install a SAML plugin into your browser and see what SAML package (email/role) is delivered from Keycloak back to the browser, or turn off the security library logging on the backend of cBioPortal.  You can find more information about this here:


Let me know how it goes.

B

John Reber

Jun 30, 2021, 8:45:54 AM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

 

Hi Ben,

 

With authentication set to false, I can see the studies and select them and cbioportal acts as expected.

 

With saml enabled:

When I select a study I get the “Oops. There was an error retrieving data.”:

 

springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)\n\torg.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\n\torg.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n\tcom.vlkan.hrrs.servlet.Hrr
sFilter.doFilter(HrrsFilter.java:85)\n\torg.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)\n\torg.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)\n\torg.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class=\"line\" /><h3>Apache Tomcat/8.5.61</h3></body></html>","statusText":"","statusCode":500,"status":500,"statusType":5,"info":false,"ok":false,"redirect":false,"clientError":false,"serverError":true,"error":{"status":500,"method":"POST","url":"http://cbioportaldev.kcc.tju.edu:8080/api/session/custom_data/fetch"},"created":false,"accepted":false,"noContent":false,"badRequest":false,"unauthorized":false,"notAcceptable":false,"forbidden":false,"notFound":false,"unprocessableEntity":false,"headers":{"access-control-allow-origin":"*","access-control-expose-headers":"total-count,sample-count","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"close","content-encoding":"gzip","content-language":"en","content-type":"text/html;charset=utf-8","date":"Tue, 29 Jun 2021 14:51:28 GMT","expires":"0","pragma":"no-cache","transfer-encoding":"Identity","vary":"accept-encoding","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"1; mode=block"},"header":{"access-control-allow-origin":"*","access-control-expose-headers":"total-count,sample-count","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"close","content-encoding":"gzip","content-language":"en","content-type":"text/html;charset=utf-8","date":"Tue, 29 Jun 2021 14:51:28 
GMT","expires":"0","pragma":"no-cache","transfer-encoding":"Identity","vary":"accept-encoding","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"1; mode=block"},"type":"text/html","charset":"utf-8","links":{},"body":null,"url":"http://cbioportaldev.kcc.tju.edu:8080/study/summary?id=jefferson_fmi_research_pmi"}

 

 

Also in the logging from docker-compose up is an error about Bad Request:

 

cbioportal_container           | INFO: Error parsing HTTP request header

cbioportal_container           |  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.

cbioportal_container           | java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x010x020x000x010x000x010xfc0x030x03!0xfa*F0xa2ft0xb60x8ftI0xd7]. HTTP method names must be tokens

cbioportal_container           |        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:431)

cbioportal_container           |        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:503)

cbioportal_container           |        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

cbioportal_container           |        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)

cbioportal_container           |        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)

cbioportal_container           |        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

cbioportal_container           |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

cbioportal_container           |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

cbioportal_container           |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

cbioportal_container           |        at java.base/java.lang.Thread.run(Unknown Source)

cbioportal_container           |

cbioportal_container           | Jun 30, 2021 12:42:01 PM org.apache.catalina.core.StandardWrapperValve invoke

cbioportal_container           | SEVERE: Servlet.service() for servlet [api] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"timestamp":1625056920827,"status":400,"error":"Bad Request","exception":"org.springframework.web.method.annotation.MethodArgumentTypeMismatchException","message":"valid types are: main_session, virtual_study, group, comparison_session, settings","path":"/api/sessions/my_portal/custom_data/query/fetch"}]] with root cause

cbioportal_container           | org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{"timestamp":1625056920827,"status":400,"error":"Bad Request","exception":"org.springframework.web.method.annotation.MethodArgumentTypeMismatchException","message":"valid types are: main_session, virtual_study, group, comparison_session, settings","path":"/api/sessions/my_portal/custom_data/query/fetch"}]

cbioportal_container           |        at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:101)

cbioportal_container           |        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170)

cbioportal_container           |        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:112)

cbioportal_container           |        at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)

cbioportal_container           |        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782)

cbioportal_container           |        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740)

cbioportal_container           |        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:674)

cbioportal_container           |        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:612)

cbioportal_container           |        at org.cbioportal.web.SessionServiceController.fetchCustomProperties(SessionServiceController.java:472)

cbioportal_container           |        at org.cbioportal.web.SessionServiceController$$FastClassBySpringCGLIB$$6b4f2f08.invoke(<generated>)

cbioportal_container           |        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)

cbioportal_container           |        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)

cbioportal_container           |        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)

cbioportal_container           |        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)

cbioportal_container           |        at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:56)

cbioportal_container           |        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)

cbioportal_container           |        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)

cbioportal_container           |        at org.springframework.aop.aspectj.AspectJAfterAdvice.invoke(AspectJAfterAdvice.java:47)

cbioportal_container           |        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)

cbioportal_container           |        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)

cbioportal_container           |        at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:95)

cbioportal_container           |        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)

cbioportal_container           |        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)

cbioportal_container           |        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691)

cbioportal_container           |        at org.cbioportal.web.SessionServiceController$$EnhancerBySpringCGLIB$$279490a2.fetchCustomProperties(<generated>)

cbioportal_container           |        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

cbioportal_container           |        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

cbioportal_container           |        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

cbioportal_container           |        at java.base/java.lang.reflect.Method.invoke(Unknown Source)

cbioportal_container           |        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)

cbioportal_container           |        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)

cbioportal_container           |        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)

cbioportal_container           |        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:879)

cbioportal_container           |        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793)

cbioportal_container           |        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)

cbioportal_container           |        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)

cbioportal_container           |        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)

cbioportal_container           |        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)

cbioportal_container           |        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)

cbioportal_container           |        at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)

cbioportal_container           |        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)

cbioportal_container           |        at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.mskcc.cbio.portal.util.XssFilter.doFilter(XssFilter.java:65)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.cbioportal.web.util.ResettableHttpServletRequestFilter.doFilter(ResettableHttpServletRequestFilter.java:29)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)

cbioportal_container           |        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)

cbioportal_container           |        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)

cbioportal_container           |        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)

cbioportal_container           |        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)

cbioportal_container           |        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)

cbioportal_container           |        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)

cbioportal_container           |        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)

cbioportal_container           |        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at com.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)

cbioportal_container           |        at org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)

cbioportal_container           |        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)

cbioportal_container           |        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

cbioportal_container           |        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

cbioportal_container           |        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)

cbioportal_container           |        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)

cbioportal_container           |        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)

cbioportal_container           |        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)

cbioportal_container           |        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)

cbioportal_container           |        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)

cbioportal_container           |        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)

cbioportal_container           |        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)

cbioportal_container           |        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

cbioportal_container           |        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)

cbioportal_container           |        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)

cbioportal_container           |        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

cbioportal_container           |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

cbioportal_container           |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

cbioportal_container           |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

cbioportal_container           |        at java.base/java.lang.Thread.run(Unknown Source)

cbioportal_container           |

cbioportal_container           | WARNING: An illegal reflective access operation has occurred

cbioportal_container           | WARNING: Illegal reflective access by org.apache.ibatis.ognl.AccessibleObjectHandlerPreJDK9 (file:/cbioportal-webapp/WEB-INF/lib/mybatis-3.5.6.jar) to method java.util.stream.ReferencePipeline.distinct()

cbioportal_container           | WARNING: Please consider reporting this to the maintainers of org.apache.ibatis.ognl.AccessibleObjectHandlerPreJDK9

cbioportal_container           | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations

cbioportal_container           | WARNING: All illegal access operations will be denied in a future release

Attached is SAML-tracer.

 

 

 

Went through all the steps in Authenticating Users via SAML, except the OpenID steps at the end. Is OpenID required to be active? Is there documentation on the necessary Keycloak mappers?

 

 

John

------

John Reber
Systems Development Manager

Philadelphia, PA 19107
T 215-503-4174
John....@jefferson.edu
KimmelCancerCenter.org

 

 

From: Benjamin Gross <benjami...@gmail.com>
Date: Tuesday, June 29, 2021 at 9:57 AM
To: John Reber <John....@jefferson.edu>
Cc: cBioPortal for Cancer Genomics Discussion Group <cbiop...@googlegroups.com>
Subject: Re: [cbioportal] Keycloak / SAML IDPSSODescriptor missing as an option

Great news.

 

Ok, no studies matching your filter could indicate one of two things - 

 

1) authorities are not properly getting to the cbioportal website - check that the keycloak mappers are properly configured.

2) authorities are getting to the cbioportal website, but the study in question did not get imported into the database properly.  If you turn off authentication in portal.properties, can you get to the study when visiting the website?

 

For 1), you can install a SAML plugin into your browser and see what SAML package (email/role) is delivered from Keycloak back to the browser, or turn off the security library logging on the backend of cBioPortal.  You can find more information about this here:

 

 

Let me know how it goes.

 

B



On Jun 29, 2021, at 9:45 AM, John Reber <John....@jefferson.edu> wrote:

 

Hi Ben,

 

A step closer.

 

By turning on “Always Read Value From LDAP” in LDAP Mappers username, I was able to populate Users in Keycloak.

 

I am now able to login (also tested with wrong password and login failed), but not seeing any studies.  Now getting “There are no studies matching your filter”, which I’m guessing is something with my groups setting.

 

Thanks again for getting me this far,

John

------

John Reber
Systems Development Manager

SAML-tracer-export-2021-06-29T17 11 45.216Z.json

Benjamin Gross

Jun 30, 2021, 9:57:01 AM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
This message is a little misleading.  I think the issue is probably permissions.  I would double-check that you’ve properly assigned the role to the user and that the role list mapper is configured:

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#map-saml-assertion-attributes 

I think the SAML - browser plugin could be helpful here - it will show you the saml package being delivered from KC to the browser (which will indicate if anything is missing like email or roles).

I would confirm this first…and you don’t need any OpenID setup.

B

On Jun 30, 2021, at 8:45 AM, John Reber <John....@jefferson.edu> wrote:

 
Hi Ben,
 
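The check suggested in the reply above (confirming that the SAML package delivered from Keycloak carries the email and the roles), as an added example that is not part of the original thread or of cBioPortal's code. The attribute names `email` and `roles` and all sample responses are constructed assumptions; substitute the names your Keycloak mappers and portal configuration use, and paste in the `SAMLResponse` form value captured by the browser plugin.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def attr(name, *values):
    """Render one constructed <saml:Attribute> element."""
    vals = "".join(
        "<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values
    )
    return '<saml:Attribute Name="%s">%s</saml:Attribute>' % (name, vals)


def build_response(inner):
    """Wrap constructed XML in a Response and base64-encode it (POST binding)."""
    xml = (
        '<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}">'
        "{inner}</samlp:Response>"
    ).format(inner=inner, **NS)
    return base64.b64encode(xml.encode()).decode()


def assertion(body):
    return (
        "<saml:Assertion><saml:AttributeStatement>%s"
        "</saml:AttributeStatement></saml:Assertion>" % body
    )


# Constructed samples (not taken from the thread's SAML-tracer export).
# Keycloak can emit roles as repeated attributes or as one multi-valued one;
# GOOD uses the repeated form.
GOOD = build_response(assertion(
    attr("email", "user@example.org")
    + attr("roles", "STUDY_A")
    + attr("roles", "STUDY_B")
))
NO_ROLES = build_response(assertion(attr("email", "user@example.org")))
ENCRYPTED = build_response("<saml:EncryptedAssertion/>")


def assertion_attributes(saml_response_b64):
    """Return {attribute name: [values]} from a base64 SAMLResponse.

    Diagnostic only: the signature is NOT verified, so never use this to
    make an access decision. Only feed it responses from your own session.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError(
            "assertion is encrypted; attributes cannot be read without "
            "the service provider's private key"
        )
    attrs = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for element in root.iterfind(path, NS):
        values = [
            (v.text or "").strip()
            for v in element.findall("saml:AttributeValue", NS)
        ]
        # Merge repeated attributes with the same Name into one list.
        attrs.setdefault(element.get("Name"), []).extend(values)
    return attrs


def missing_mappers(saml_response_b64, required=("email", "roles")):
    """List required attributes that are absent or carry only empty values."""
    attrs = assertion_attributes(saml_response_b64)
    return [name for name in required if not any(attrs.get(name, []))]


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("no roles", NO_ROLES)):
        print(label, assertion_attributes(sample), missing_mappers(sample))
```

An empty result from `missing_mappers` means both attributes reached the browser, so the remaining question is whether their values match what the portal expects for the study.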

John Reber

Jul 6, 2021, 10:57:59 AM
to cBioPortal for Cancer Genomics Discussion Group, Benjamin Gross

Hi Benjamin,

 

Sorry, still at a loss with Keycloak.

 

As far as I can tell, the mappers are set-up correctly.

 

I created a new KC on the same server just to eliminate any network issues.

 

I can login and see the studies I’m authorized to see. 

 

As soon as I select a study SAML tracer seems to point to this as the error:

 

POST http://cbioportaldev.kcc.tju.edu:8080/api/session/custom_data/fetch HTTP/1.1

Host: cbioportaldev.kcc.tju.edu:8080

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:89.0) Gecko/20100101 Firefox/89.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://cbioportaldev.kcc.tju.edu:8080/study?id=jefferson_fmi_research_pmi

Content-Type: application/json

Content-Length: 30

Origin: http://cbioportaldev.kcc.tju.edu:8080

Connection: keep-alive

Cookie: JSESSIONID=31424202A2D7E4048EA7F0479F785339

 

HTTP/1.1 500

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: total-count,sample-count

X-Frame-Options: DENY

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

vary: accept-encoding

Content-Encoding: gzip

Content-Type: text/html;charset=utf-8

Content-Language: en

Transfer-Encoding: chunked

Date: Tue, 06 Jul 2021 14:41:36 GMT

Connection: close

 

 

 

This is what cBioportal displays:

 

cBioPortal Logo

Oops. There was an error retrieving data.

Return to homepage

Please contact us at cbioportal at googlegroups dot com.

Copy-paste the error log below and provide a click-by-click description of how you arrived at the error.

{"req":{"method":"POST","url":"http://cbioportaldev.kcc.tju.edu:8080/api/session/custom_data/fetch","data":["jefferson_fmi_research_pmi"],"headers":{"content-type":"application/json"}},"xhr":{},"text":"<!doctype html><html lang=\"en\"><head><title>HTTP Status 500 – Internal Server Error</title><style type=\"text/css\">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class=\"line\" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{&quot;timestamp&quot;:1625582496505,&quot;status&quot;:400,&quot;error&quot;:&quot;Bad Request&quot;,&quot;exception&quot;:&quot;org.springframework.web.method.annotation.MethodArgumentTypeMismatchException&quot;,&quot;message&quot;:&quot;valid types are: main_session, virtual_study, group, comparison_session, settings&quot;,&quot;path&quot;:&quot;&#47;api&#47;sessions&#47;my_portal&#47;custom_data&#47;query&#47;fetch&quot;}]</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{&quot;timestamp&quot;:1625582496505,&quot;status&quot;:400,&quot;error&quot;:&quot;Bad Request&quot;,&quot;exception&quot;:&quot;org.springframework.web.method.annotation.MethodArgumentTypeMismatchException&quot;,&quot;message&quot;:&quot;valid types are: main_session, virtual_study, group, comparison_session, 
settings&quot;,&quot;path&quot;:&quot;&#47;api&#47;sessions&#47;my_portal&#47;custom_data&#47;query&#47;fetch&quot;}]\n\torg.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)\n\torg.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:652)\n\torg.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:733)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\torg.mskcc.cbio.portal.util.XssFilter.doFilter(XssFilter.java:65)\n\torg.cbioportal.web.util.ResettableHttpServletRequestFilter.doFilter(ResettableHttpServletRequestFilter.java:29)\n\torg.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainPro
xy.java:334)\n\torg.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)\n\torg.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\n\torg.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeD
elegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n\tcom.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)\n\torg.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)\n\torg.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)\n\torg.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n</pre><p><b>Root Cause</b></p><pre>org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request: [{&quot;timestamp&quot;:1625582496505,&quot;status&quot;:400,&quot;error&quot;:&quot;Bad Request&quot;,&quot;exception&quot;:&quot;org.springframework.web.method.annotation.MethodArgumentTypeMismatchException&quot;,&quot;message&quot;:&quot;valid types are: main_session, virtual_study, group, comparison_session, 
settings&quot;,&quot;path&quot;:&quot;&#47;api&#47;sessions&#47;my_portal&#47;custom_data&#47;query&#47;fetch&quot;}]\n\torg.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:101)\n\torg.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170)\n\torg.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:112)\n\torg.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)\n\torg.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782)\n\torg.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740)\n\torg.springframework.web.client.RestTemplate.execute(RestTemplate.java:674)\n\torg.springframework.web.client.RestTemplate.exchange(RestTemplate.java:612)\n\torg.cbioportal.web.SessionServiceController.fetchCustomProperties(SessionServiceController.java:472)\n\torg.cbioportal.web.SessionServiceController$$FastClassBySpringCGLIB$$6b4f2f08.invoke(&lt;generated&gt;)\n\torg.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:56)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.aspectj.AspectJAfterAdvice.invoke(AspectJAfterAdvice.java:47)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.j
ava:186)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:95)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691)\n\torg.cbioportal.web.SessionServiceController$$EnhancerBySpringCGLIB$$e06d5aa6.fetchCustomProperties(&lt;generated&gt;)\n\tjdk.internal.reflect.GeneratedMethodAccessor319.invoke(Unknown Source)\n\tjava.base&#47;jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)\n\tjava.base&#47;java.lang.reflect.Method.invoke(Unknown Source)\n\torg.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)\n\torg.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)\n\torg.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)\n\torg.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:879)\n\torg.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793)\n\torg.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)\n\torg.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)\n\torg.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)\n\torg.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)\n\torg.springframework.web.servlet.FrameworkServlet
.doPost(FrameworkServlet.java:909)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:652)\n\torg.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:733)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\torg.mskcc.cbio.portal.util.XssFilter.doFilter(XssFilter.java:65)\n\torg.cbioportal.web.util.ResettableHttpServletRequestFilter.doFilter(ResettableHttpServletRequestFilter.java:29)\n\torg.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:33
4)\n\torg.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)\n\torg.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\n\torg.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n\tcom.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)\n\torg.apache.catalina.filters.CorsFilter.handleNonCORS(CorsF
ilter.java:364)\n\torg.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)\n\torg.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class=\"line\" /><h3>Apache Tomcat/8.5.61</h3></body></html>","statusText":"","statusCode":500,"status":500,"statusType":5,"info":false,"ok":false,"redirect":false,"clientError":false,"serverError":true,"error":{"status":500,"method":"POST","url":"http://cbioportaldev.kcc.tju.edu:8080/api/session/custom_data/fetch"},"created":false,"accepted":false,"noContent":false,"badRequest":false,"unauthorized":false,"notAcceptable":false,"forbidden":false,"notFound":false,"unprocessableEntity":false,"headers":{"access-control-allow-origin":"*","access-control-expose-headers":"total-count,sample-count","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"close","content-encoding":"gzip","content-language":"en","content-type":"text/html;charset=utf-8","date":"Tue, 06 Jul 2021 14:41:36 GMT","expires":"0","pragma":"no-cache","transfer-encoding":"chunked","vary":"accept-encoding","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"1; mode=block"},"header":{"access-control-allow-origin":"*","access-control-expose-headers":"total-count,sample-count","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"close","content-encoding":"gzip","content-language":"en","content-type":"text/html;charset=utf-8","date":"Tue, 06 Jul 2021 14:41:36 GMT","expires":"0","pragma":"no-cache","transfer-encoding":"chunked","vary":"accept-encoding","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"1; 
mode=block"},"type":"text/html","charset":"utf-8","links":{},"body":null,"url":"http://cbioportaldev.kcc.tju.edu:8080/study/summary?id=jefferson_fmi_research_pmi"}

 

 

 

Do I need a specific version of Keycloak?

Does ssh need to be running on either/both KC and the portal?

Is straight LDAP authentication going away in the near future?

 

John

------

John Reber
Systems Development Manager
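Added example (not part of the original thread, and not cBioPortal or Keycloak code): the check suggested in the quoted reply below, seeing whether the SAML response delivered from Keycloak is missing email or roles, done offline in Python on a captured response. The attribute names `email` and `roles`, the helper names and the sample XML are assumptions constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: the Keycloak mappers emit attributes named "email" and "roles".
# Use whatever names your mappers and portal.properties actually agree on.
REQUIRED = ("email", "roles")


def build_sample(roles, encrypted=False):
    """Constructed, unsigned SAML response used only as sample input."""
    role_xml = "".join(
        f'<saml:Attribute Name="roles"><saml:AttributeValue>{r}'
        "</saml:AttributeValue></saml:Attribute>"
        for r in roles
    )
    assertion = (
        '<saml:Assertion ID="_constructed-a" Version="2.0">'
        "<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>"
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="email">'
        "<saml:AttributeValue>jdoe@example.org</saml:AttributeValue>"
        "</saml:Attribute>" + role_xml + "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )
    if encrypted:
        assertion = "<saml:EncryptedAssertion/>"
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
        f'xmlns:saml="{NS["saml"]}" ID="_constructed-r" Version="2.0">'
        f"{assertion}</samlp:Response>"
    )


def decode_post_binding(saml_response_b64):
    """HTTP-POST binding: the SAMLResponse form field is base64 of the XML."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from the assertion.

    Reads attributes only; it does not verify the XML signature, so it is a
    troubleshooting aid for a response you captured, not an authentication check.
    """
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; attributes cannot be read here")
    attrs = {}
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        # A role mapper may repeat the same attribute name once per role,
        # so merge repeated names instead of overwriting.
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_attributes(response_xml, required=REQUIRED):
    """Names from `required` that are absent or carry only empty values."""
    attrs = extract_attributes(response_xml)
    return [n for n in required if not any(v.strip() for v in attrs.get(n, []))]


if __name__ == "__main__":
    # Constructed case: user authenticates, but no role reaches the portal.
    captured = base64.b64encode(build_sample([]).encode()).decode()
    xml_text = decode_post_binding(captured)
    print("attributes:", extract_attributes(xml_text))
    print("missing:", missing_attributes(xml_text))
```

An empty result from `missing_attributes` means the attributes reached the browser, which moves the search to the portal side (attribute-name settings or the study import).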


 

 

From: Benjamin Gross <benjami...@gmail.com>
Date: Wednesday, June 30, 2021 at 9:57 AM
To: John Reber <John....@jefferson.edu>
Cc: cBioPortal for Cancer Genomics Discussion Group <cbiop...@googlegroups.com>
Subject: Re: [cbioportal] Keycloak / SAML IDPSSODescriptor missing as an option


 

This message is a little misleading.  I think the issue is probably permissions.  I would double-check that you’ve properly assigned the role to the user and that the role list mapper is configured:

 

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#map-saml-assertion-attributes 

 

I think the SAML - browser plugin could be helpful here - it will show you the saml package being delivered from KC to the browser (which will indicate if anything is missing like email or roles).

 

I would confirm this first…and you don’t need any OpenID setup.

 

B

On Jun 30, 2021, at 8:45 AM, John Reber <John....@jefferson.edu> wrote:

 

 

Hi Ben,

 

With authentication set to false, I can see the studies and select them and cbioportal acts as expected.

 

With saml enabled:

When I select a study I get the “Oops. There was an error retrieving data.”:

 


 

 

Also in the logging from docker-compose up is an error about Bad Request:

 

 

From: Benjamin Gross <benjami...@gmail.com>
Date: Tuesday, June 29, 2021 at 9:57 AM
To: John Reber <John....@jefferson.edu>
Cc: cBioPortal for Cancer Genomics Discussion Group <cbiop...@googlegroups.com>
Subject: Re: [cbioportal] Keycloak / SAML IDPSSODescriptor missing as an option

Great news.

 

Ok, no studies matching your filter could indicate one of two things - 

 

1) authorities are not properly getting to the cbioportal website - check that the keycloak mappers are properly configured.

2) authorities are getting to the cbioportal website, but the study in question did not get imported into the database properly.  If you turn off authentication in portal.properties, can you get to the study when visiting the website?

 

For 1), you can install a SAML plugin into your browser and see what SAML package (email/role) is delivered from Keycloak back to the browser, or turn off the security library logging on the backend of cBioPortal.  You can find more information about this here:

 

 

Let me know how it goes.

 

B

 

On Jun 29, 2021, at 9:45 AM, John Reber <John....@jefferson.edu> wrote:

 

Hi Ben,

 

A step closer.

 

By turning on “Always Read Value From LDAP” in LDAP Mappers username, I was able to populate Users in Keycloak.

 

I am now able to log in (also tested with wrong password and login failed), but not seeing any studies.  Now getting “There are no studies matching your filter”, which I’m guessing is something with my groups setting.

 

Thanks again for getting me this far,

John

------

John Reber
Systems Development Manager


 

 

From: Benjamin Gross <benjami...@gmail.com>
Date: Wednesday, June 23, 2021 at 9:09 AM
To: John Reber <John....@jefferson.edu>
Cc: cBioPortal for Cancer Genomics Discussion Group <cbiop...@googlegroups.com>
Subject: Re: [cbioportal] Keycloak / SAML IDPSSODescriptor missing as an option

Great news.  I think I mentioned that you find that via the User Federation tab.  Good luck!

B

 

 

On Jun 23, 2021, at 8:51 AM, John Reber <John....@jefferson.edu> wrote:

 

Getting better!  I am now getting the Keycloak login screen, on to getting Keycloak to talk to LDAP

 

 

 

 

 

Thanks for all your help,

John

------

John Reber
Systems Development Manager


 

 

From: cbiop...@googlegroups.com <cbiop...@googlegroups.com> on behalf of Benjamin Gross <benjami...@gmail.com>
Date: Friday, June 18, 2021 at 5:21 PM
To: John Reber <John....@jefferson.edu>
Cc: cBioPortal for Cancer Genomics Discussion Group <cbiop...@googlegroups.com>
Subject: Re: [cbioportal] Keycloak / SAML IDPSSODescriptor missing as an option

Keycloak is the identity provider until you set up another means, but you should still be able to get to a login page in Keycloak and just fail authentication until you set up LDAP (which you do through the User Federation tab on left margin).

 

I may have misunderstood your prior email.  Are you ever getting to Keycloak (or a login page in Keycloak) and Keycloak is generating the 404 or is the cBioPortal generating the 404?

On Jun 18, 2021, at 2:16 PM, John Reber <John....@jefferson.edu> wrote:

 

entityID="cbioportal"

 

Is it because there is no Identity Provider saved in Keycloak for cbioportal?

 

I set-up LDAP under User Federation.

 

I did not see how to add an Identity Provider for LDAP.

 

John

------

John Reber
Systems Development Manager

Benjamin Gross

Jul 6, 2021, 11:20:38 AM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Hi John,


When I view the plugin as I’m logging into a password protected portal, I can see the following SAML getting delivered from KC to cBioPortal.  I’ve highlighted the attributes that correspond to the mappers setup in KC.  What do you see in the SAML package delivered to cBioPortal?

-B

John Reber

Jul 6, 2021, 12:02:23 PM
to Benjamin Gross, cBioPortal for Cancer Genomics Discussion Group

<saml:Attribute FriendlyName="givenName" Name="urn:oid:2.5.4.42"

 

<saml:Attribute FriendlyName="email" Name="email"

 

 

 

I’m seeing multiple attributes with the name “Role”:

 

            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jefferson_fmi_research_pmi</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">default-roles-cbioportal</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jefferson_fmi_xml</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-

 

Full output attached.

 

Thanks for hanging in there,

SAMLChromeExport.json
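
The check discussed in this exchange (which email and Role values Keycloak actually delivers, and whether the study ID is among them), as an added example that is not part of the thread and not cBioPortal's own code. The sample assertion is constructed, the function names are hypothetical, and an exact string match between Role value and study ID is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, shaped like the fragment quoted in the thread.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="email" Name="email">
      <saml:AttributeValue>user@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>uma_authorization</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>jefferson_fmi_research_pmi</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>offline_access</saml:AttributeValue>
      <saml:AttributeValue>view-profile</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]}, merging repeated attributes."""
    # A captured assertion is untrusted input: refuse DTDs before parsing.
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD/entity declarations are not allowed")
    root = ET.fromstring(assertion_xml)
    merged = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = merged.setdefault(attr.get("Name"), [])
        for v in attr.findall("saml:AttributeValue", NS):
            text = (v.text or "").strip()
            if text and text not in values:
                values.append(text)
    return merged


def check_study_access(assertion_xml, study_id, role_attr="Role", email_attr="email"):
    # Assumption: the Role value must equal the study ID exactly.
    attrs = read_attributes(assertion_xml)
    roles = attrs.get(role_attr, [])
    return {
        "email": (attrs.get(email_attr) or [None])[0],
        "roles": roles,
        "study_role_present": study_id in roles,
    }
```

Both encodings are handled: several `Role` attributes with one value each, as in the output above, and one attribute carrying several values.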

Benjamin Gross

Jul 6, 2021, 12:04:59 PM
to John Reber, cBioPortal for Cancer Genomics Discussion Group
Do you have a session service setup?