
HTTPS and OKTA or KeyCloak


Abhishek Reddy

Sep 25, 2024, 9:48:25 AM
to cBioPortal for Cancer Genomics Discussion Group
Hello Everyone,

I would like to get some help around the possible ways to enable HTTPS and OKTA integration for the application.

1) I tried using nginx to redirect the UI to HTTPS, but I am facing the problem below.

{"req":{"method":"POST","url":"//cbioportal-dev.uswe2.aws.test.com/api/studies/tags/fetch","data":["lgg_ucsf_2014"],"headers":{"accept":"application/json","content-type":"application/json"}},"xhr":{},"text":"Invalid CORS request","statusText":"","statusCode":403,"status":403,"statusType":4,"info":false,"ok":false,"redirect":false,"clientError":true,"serverError":false,"error":{"status":403,"method":"POST","url":"//cbioportal-dev.uswe2.aws.test.com/api/studies/tags/fetch"},"created":false,"accepted":false,"noContent":false,"badRequest":false,"unauthorized":false,"notAcceptable":false,"forbidden":true,"notFound":false,"unprocessableEntity":false,"headers":{"access-control-allow-credentials":"true","access-control-allow-headers":"Origin, Content-Type, Authorization, X-Requested-With","access-control-allow-methods":"GET, POST, OPTIONS","access-control-allow-origin":"*","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"keep-alive","date":"Sun, 22 Sep 2024 00:19:39 GMT","expires":"0","pragma":"no-cache","server":"nginx/1.18.0 (Ubuntu)","transfer-encoding":"chunked","vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"0","content-type":null},"header":{"access-control-allow-credentials":"true","access-control-allow-headers":"Origin, Content-Type, Authorization, X-Requested-With","access-control-allow-methods":"GET, POST, OPTIONS","access-control-allow-origin":"*","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"keep-alive","date":"Sun, 22 Sep 2024 00:19:39 GMT","expires":"0","pragma":"no-cache","server":"nginx/1.18.0 (Ubuntu)","transfer-encoding":"chunked","vary":"Origin, Access-Control-Request-Method, Access-Control-Request-Headers","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"0","content-type":null},"type":"","links":{},"body":null,"url":"https://cbioportal-dev.uswe2.aws.test.com/"}

My nginx default config:

server {
    listen 80;
    server_name cbioportal-dev.uswe2.aws.test.com;
    return 301 https://$host$request_uri;  # Redirect HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name cbioportal-dev.uswe2.aws.test.com;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;  # Optional

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://localhost:8080;

        # Authentication (if needed)
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS headers with specified origin
        set $cors_origin "https://cbioportal-dev.uswe2.aws.test.com";
        # Anchored, with dots escaped, so only this exact host is reflected
        if ($http_origin ~* ^https?://cbioportal-dev\.uswe2\.aws\.test\.com$) {
            set $cors_origin $http_origin;
        }

        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Authorization, X-Requested-With' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;

        if ($request_method = OPTIONS) {
            add_header 'Access-Control-Allow-Origin' $cors_origin;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Authorization, X-Requested-With';
            add_header 'Access-Control-Allow-Credentials' 'true';
            return 204;
        }
    }
}

Any ideas for fixing this problem, or any other way to get HTTPS enabled? Please suggest!

2) I need to enable OKTA authentication for the application - is that possible?
I am having a hard time setting up Keycloak and am facing the error below.

cbioportal-container                   | Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
cbioportal-container                   | 2024-09-23T19:38:30.365Z ERROR 131 --- [           main] o.s.b.d.LoggingFailureAnalysisReporter   :
cbioportal-container                   |
cbioportal-container                   | ***************************
cbioportal-container                   | APPLICATION FAILED TO START
cbioportal-container                   | ***************************
cbioportal-container                   |
cbioportal-container                   | Description:
cbioportal-container                   |
cbioportal-container                   | Parameter 1 of method samlFilterChain in org.cbioportal.security.config.Saml2SecurityConfig required a bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' that could not be found.
cbioportal-container                   |
cbioportal-container                   |
cbioportal-container                   | Action:
cbioportal-container                   |
cbioportal-container                   | Consider defining a bean of type 'org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository' in your configuration.
cbioportal-container                   |
cbioportal-container                   | spring_datasource_username=cbio_user
cbioportal-container                   | spring_datasource_password=somepassword
cbioportal-container                   | spring_datasource_url=jdbc:mysql://cbioportal-database:3306/cbioportal
cbioportal-container                   | mysqladmin: [Warning] Using a password on the command line interface can be insecure.
cbioportal-container                   | mysqld is alive
cbioportal-container                   | Database connection success
cbioportal-container                   | Migrating database if necessary...
cbioportal-container                   | Everything up to date, nothing to migrate.
cbioportal-container                   | Finished.
cbioportal-container                   | Running: /bin/sh -c rm -rf /cbioportal-webapp/lib/servlet-api-2.5.jar && java -Xms2g -Xmx4g -cp '/cbioportal-webapp:/cbioportal-webapp/lib/*' org.cbioportal.PortalApplication --spring.config.location=cbioportal-webapp/application.properties --session.service.url=http://cbioportal-session:5000/api/sessions/my_portal/

Did anyone face the same problem? I am trying to install the Docker-based application.

Please let me know if anyone has any suggestions for me. 

Thanks in advance!
Abhishek 
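The Origin-matching step in the nginx config above, and the CORS headers in the 403 response quoted in the post, modelled in Python as an added example (this is not code from the thread or from the cBioPortal project). It shows why the `if ($http_origin ~* ...)` pattern has to be anchored with `^`/`$` and have its dots escaped before it is used to reflect the Origin header, and it lints a response's CORS headers the way a defender would: the quoted response carries `access-control-allow-origin: *` together with `access-control-allow-credentials: true`, a combination browsers refuse for credentialed requests. The host name is the one from the post; `STRICT` assumes only the HTTPS origin (optionally with `:443`) should be accepted, and every other Origin value is a constructed test input.

```python
"""Origin allow-listing and CORS-header linting for a reverse proxy.

Added example, not from the cBioPortal thread or project. Models the
nginx decision `if ($http_origin ~* PATTERN) { set $cors_origin $http_origin; }`
and checks response headers for common CORS misconfigurations.
"""
import re
from typing import Dict, List, Optional

# Host from the post.
ALLOWED_HOST = "cbioportal-dev.uswe2.aws.test.com"

# Pattern as commonly written: no anchors, dots unescaped.
# `.` matches any character and the match may sit anywhere in the string.
LOOSE = re.compile(r"https?://cbioportal-dev.uswe2.aws.test.com", re.IGNORECASE)

# Anchored form (assumption: only the HTTPS origin should be reflected).
STRICT = re.compile(r"^https://cbioportal-dev\.uswe2\.aws\.test\.com(:443)?$", re.IGNORECASE)

# Messages returned by the linter (constants so callers can compare exactly).
WILDCARD_WITH_CREDENTIALS = (
    "Access-Control-Allow-Origin '*' with Allow-Credentials 'true': "
    "browsers reject this for credentialed requests"
)
MISSING_VARY_ORIGIN = (
    "origin-specific Allow-Origin without 'Vary: Origin': "
    "a shared cache may serve one origin's response to another"
)

# Response headers exactly as they appear in the 403 quoted in the post.
RESPONSE_HEADERS_FROM_POST: Dict[str, str] = {
    "access-control-allow-credentials": "true",
    "access-control-allow-headers": "Origin, Content-Type, Authorization, X-Requested-With",
    "access-control-allow-methods": "GET, POST, OPTIONS",
    "access-control-allow-origin": "*",
    "vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
}


def cors_origin(origin: Optional[str], pattern: "re.Pattern[str]") -> Optional[str]:
    """Value to emit in Access-Control-Allow-Origin, or None to omit the header.

    Mirrors nginx's `~*` test: the request Origin is reflected only when
    `pattern` matches it. With an unanchored pattern, a superstring of the
    allowed host also matches, so the proxy reflects a foreign origin.
    """
    if origin is None:
        return None
    return origin if pattern.search(origin) else None


def validate_cors_headers(headers: Dict[str, str]) -> List[str]:
    """Lint a response's CORS headers (keys lower-cased, as in the post)."""
    problems: List[str] = []
    acao = headers.get("access-control-allow-origin")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    vary = headers.get("vary", "").lower()
    if acao == "*" and credentials:
        problems.append(WILDCARD_WITH_CREDENTIALS)
    if acao and acao != "*" and "origin" not in [v.strip() for v in vary.split(",")]:
        problems.append(MISSING_VARY_ORIGIN)
    return problems


if __name__ == "__main__":
    # Constructed Origin values: the real one, a superstring of it on an
    # unrelated domain, and one where an unescaped dot lets a different host through.
    for candidate in (
        f"https://{ALLOWED_HOST}",
        f"https://{ALLOWED_HOST}.example.net",
        "https://cbioportal-devXuswe2.aws.test.com",
        f"http://{ALLOWED_HOST}",
    ):
        print(f"{candidate:60} loose={cors_origin(candidate, LOOSE) is not None}"
              f" strict={cors_origin(candidate, STRICT) is not None}")
    for problem in validate_cors_headers(RESPONSE_HEADERS_FROM_POST):
        print("response from post:", problem)
```

Running it shows `LOOSE` reflecting all three HTTPS origins while `STRICT` reflects only the exact host, and the linter flagging the wildcard-plus-credentials pair from the quoted 403. The `set $cors_origin` default in the config (the HTTPS origin) is the right fallback; the point is that the reflection branch must never be reachable for an origin outside the allow-list.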

jagn...@gmail.com

Sep 26, 2024, 8:47:24 AM
to cBioPortal for Cancer Genomics Discussion Group
Hi Abhishek,

To enable HTTPS, we need to route port 443 to port 80 (or another cBioPortal port). An SSL certificate created by a Certificate Authority has to be installed as well in the reverse proxy, such as nginx.

Please note the instructions below from the cBioPortal deployment documentation.

In the case that you are running cBioPortal behind a reverse proxy that handles the SSL certificates (such as nginx or traefik), you will have to also specify saml.sp.metadata.entitybaseurl. This should point to https://host.example.come:443. This setting is required such that cBioPortal uses the Spring SAML library appropriately for creating redirects back into cBioPortal.

As you are also using Keycloak, you can integrate OKTA with Keycloak and then use OKTA with cBioPortal.

My suggestion would be to add support for SSL initially with Keycloak. Once that is successfully implemented, you can integrate Keycloak and OKTA.

Thanks,
Jag
