
cbioportal https


Harika Gannu

Apr 11, 2025, 2:37:29 PM
to cBioPortal for Cancer Genomics Discussion Group

Hi,

I'm currently working on integrating cBioPortal with Keycloak as the identity provider. Here's what I've tried and the issues encountered:

1. Initial Attempt:
  • I tried running cBioPortal over HTTP while Keycloak runs over HTTPS.

  • This setup failed due to CORS policy issues and protocol mismatch (HTTP vs HTTPS).

2. Updated Setup:

To resolve the protocol mismatch, I attempted to set up cBioPortal over HTTPS using Apache with mod_auth_mellon for SAML integration with Keycloak.

However, after redirection, the portal briefly loads then throws several errors: 

{"req":{"method":"POST","url":"//servername/api/studies/tags/fetch","data":["lgg_ucsf_2014","msk_impact_2017"],"headers":{"accept":"application/json","content-type":"application/json"}},"xhr":{},"text":"Invalid CORS request","statusText":"","statusCode":403,"status":403,"statusType":4,"info":false,"ok":false,"redirect":false,"clientError":true,"serverError":false,"error":{"status":403,"method":"POST","url":"//servername/api/studies/tags/fetch"},"created":false,"accepted":false,"noContent":false,"badRequest":false,"unauthorized":false,"notAcceptable":false,"forbidden":true,"notFound":false,"unprocessableEntity":false,"headers":{"cache-control":"private, max-age=0, must-revalidate, no-cache, no-store, max-age=0, must-revalidate","connection":"Keep-Alive","date":"Fri, 11 Apr 2025 18:02:08 GMT","expires":"0","keep-alive":"timeout=5, max=97","pragma":"no-cache","server":"Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2","transfer-encoding":"chunked","vary":"Origin,Access-Control-Request-Method,Access-Control-Request-Headers","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"0","content-type":null},"header":{"cache-control":"private, max-age=0, must-revalidate, no-cache, no-store, max-age=0, must-revalidate","connection":"Keep-Alive","date":"Fri, 11 Apr 2025 18:02:08 GMT","expires":"0","keep-alive":"timeout=5, max=97","pragma":"no-cache","server":"Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2","transfer-encoding":"chunked","vary":"Origin,Access-Control-Request-Method,Access-Control-Request-Headers","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"0","content-type":null},"type":"","links":{},"body":null,"url":https://servername/}

 

"{\"req\":{\"method\":\"GET\",\"url\":\"//servrename/api/info\",\"headers\":{\"accept\":\"application/json\"}},\"xhr\":{},\"text\":\"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>500 Internal Server Error</title>\\n</head><body>\\n<h1>Internal Server Error</h1>\\n<p>The server encountered an internal error or\\nmisconfiguration and was unable to complete\\nyour request.</p>\\n<p>Please contact the server administrator at \\n a...@abc.edu to inform them of the time this error occurred,\\n and the actions you performed just before this error.</p>\\n<p>More information about this error may be available\\nin the server error log.</p>\\n</body></html>\\n\",\"statusText\":\"Internal Server Error\",\"statusCode\":500,\"status\":500,\"statusType\":5,\"info\":false,\"ok\":false,\"redirect\":false,\"clientError\":false,\"serverError\":true,\"error\":{\"status\":500,\"method\":\"GET\",\"url\":\"//servername/api/info\"},\"created\":false,\"accepted\":false,\"noContent\":false,\"badRequest\":false,\"unauthorized\":false,\"notAcceptable\":false,\"forbidden\":false,\"notFound\":false,\"unprocessableEntity\":false,\"headers\":{\"access-control-allow-credentials\":\"true\",\"access-control-allow-headers\":\"Content-Type, Authorization, X-Requested-With, Accept\",\"access-control-allow-methods\":\"GET, POST, OPTIONS, DELETE, PUT\",\"access-control-allow-origin\":\"https://servername",\"connection\":\"close\",\"conten-length\":\"531\",\"content-type\":\"text/html; charset=iso-8859-1\",\"date\":\"Fri, 11 Apr 2025 18:09:21 GMT\",\"server\":\"Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2\"},\"header\":{\"access-control-allow-credentials\":\"true\",\"access-control-allow-headers\":\"Content-Type, Authorization, X-Requested-With, Accept\",\"access-control-allow-methods\":\"GET, POST, OPTIONS, DELETE, PUT\",\"access-control-allow-origin\":\"https://servername",\"connection\":\"close\",\"conten-length\":\"531\",\"content-type\":\"text/html; 
charset=iso-8859-1\",\"date\":\"Fri, 11 Apr 2025 18:09:21 GMT\",\"server\":\"Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2\"},\"type\":\"text/html\",\"charset\":\"iso-8859-1\",\"links\":{},\"body\":null}\n\n\n{\"req\":{\"method\":\"GET\",\"url\":\"//servername/api/cancer-types\",\"headers\":{\"accept\":\"application/json\"}},\"xhr\":{},\"text\":\"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">\\n<html><head>\\n<title>500 Internal Server Error</title>\\n</head><body>\\n<h1>Internal Server Error</h1>\\n<p>The server encountered an internal error or\\nmisconfiguration and was unable to complete\\nyour request.</p>\\n<p>Please contact the server administrator at \\n a...@abc.edu to inform them of the time this error occurred,\\n and the actions you performed just before this error.</p>\\n<p>More information about this error may be available\\nin the server error log.</p>\\n</body></html>\\n\",\"statusText\":\"Internal Server Error\",\"statusCode\":500,\"status\":500,\"statusType\":5,\"info\":false,\"ok\":false,\"redirect\":false,\"clientError\":false,\"serverError\":true,\"error\":{\"status\":500,\"method\":\"GET\",\"url\":\"//servername/api/cancer-types\"},\"created\":false,\"accepted\":false,\"noContent\":false,\"badRequest\":false,\"unauthorized\":false,\"notAcceptable\":false,\"forbidden\":false,\"notFound\":false,\"unprocessableEntity\":false,\"headers\":{\"access-control-allow-credentials\":\"true\",\"access-control-allow-headers\":\"Content-Type, Authorization, X-Requested-With, Accept\",\"access-control-allow-methods\":\"GET, POST, OPTIONS, DELETE, PUT\",\"access-control-allow-origin\":\"https://servername",\"connection\":\"close\",\"conten-length\":\"531\",\"content-type\":\"text/html; charset=iso-8859-1\",\"date\":\"Fri, 11 Apr 2025 18:09:21 GMT\",\"server\":\"Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2\"},\"header\":{\"access-control-allow-credentials\":\"true\",\"access-control-allow-headers\":\"Content-Type, Authorization, 
X-Requested-With, Accept\",\"access-control-allow-methods\":\"GET, POST, OPTIONS, DELETE, PUT\",\"access-control-allow-origin\":\"https://servername",\"connection\":\"close\",\"conten-length\":\"531\",\"content-type\":\"text/html; charset=iso-8859-1\",\"date\":\"Fri, 11 Apr 2025 18:09:21 GMT\",\"server\":\"Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2\"},\"type\":\"text/html\",\"charset\":\"iso-8859-1\",\"links\":{},\"body\":null}"


I would like to find out any error resolution or steps to set up cBioPortal to run on HTTPS; the IdP will be Keycloak after cBioPortal is running on HTTPS.


Thanks,

Harika



Benjamin Gross

Apr 14, 2025, 12:36:53 PM
to Harika Gannu, cBioPortal for Cancer Genomics Discussion Group
Hi Harika,

Thank you for your email. I’ve never worked with mod_auth_mellon before, but from what I’ve googled, it looks like its main purpose is to allow an Apache server to communicate SAML with an Identity Provider. However, the cBioPortal contains the Spring Security framework which already has this ability. Maybe we can step back for a moment. How have you deployed your instance of the cBioPortal? Is it via the docker-compose deployment? Also, I imagine you referred to the following document to set up Keycloak integration with the cBioPortal. If so, how far did you get?


Note, it refers to an older version of Keycloak. It should work with a newer version of Keycloak, but the UI screenshots may not be accurate. You can find older versions of Keycloak here: https://www.keycloak.org/downloads-archive

Having said this, if it was a CORS issue where you got stuck, depending on your configuration, there are various ways you can set CORS headers. For example, using our docker-compose file, you can set Access-Control-Allow-Origin via an environment property:

SECURITY_CORS_ALLOWED_ORIGINS=<allowed origins here, or "*">

Let me know.
-Benjamin


Harika Gannu

Apr 14, 2025, 3:27:58 PM
to cBioPortal for Cancer Genomics Discussion Group

Yes, I have deployed cBioPortal using Docker Compose (version 6). Based on recommendations from previous posts, I am using Keycloak version 16.1.1, which is confirmed to be compatible.

To enable HTTPS, I’ve configured Apache with mod_auth_mellon. However, if cBioPortal has built-in support for HTTPS via its Spring Security framework, I would appreciate it if you could share any documentation or steps to configure it that way.

Once cBioPortal is running over HTTPS, I plan to integrate it with Keycloak (HTTPS) 16.1.1 as the identity provider.

Benjamin Gross

Apr 14, 2025, 10:23:42 PM
to Harika Gannu, cBioPortal for Cancer Genomics Discussion Group
Hi Harika,

No, cBioPortal does not have built-in support for HTTPS. It can speak SAML directly to Keycloak.

I see a reference to a CORS error in the snippet you have provided. I’m guessing Apache is acting as a reverse proxy to the cBioPortal? If Apache has a different domain than the cBioPortal, this will cause the CORS error. That is, the cBioPortal is rejecting the request from Apache because it did not allow the origin, the source of the request. Since you are running cBioPortal via Docker Compose, I think you can try to set the CORS header via an environment variable to Spring Security.

Bring down docker-compose and add the following line to the docker-compose.yml file (environment section, line 8) and then restart docker-compose.

SECURITY_CORS_ALLOWED_ORIGINS=*

Harika Gannu

Apr 16, 2025, 6:54:10 PM
to cBioPortal for Cancer Genomics Discussion Group

Thanks, Benjamin. Setting SECURITY_CORS_ALLOWED_ORIGINS=* worked — cBioPortal is now running at https://test.edu.

I'm now trying to integrate cBioPortal (running on HTTPS) with Keycloak 16.1.1. However, I'm encountering an issue with the Valid Redirect URIs setting in Keycloak.

When I set the redirect URI as https://test.edu/*, I get the following error:

error=invalid_redirect_uri

But if I change it to http://test.edu/*, it works.

I'm not sure why the HTTPS URI fails, but I suspect it may be related to how the cBioPortal container is configured in docker-compose. Here's the relevant portion:

command: /bin/sh -c "rm -rf /cbioportal-webapp/lib/servlet-api-2.5.jar && java -Xms2g -Xmx4g -cp '/cbioportal-webapp:/cbioportal-webapp/lib/' org.cbioportal.PortalApplication --spring.config.location=cbioportal-webapp/application.properties --authenticate=saml --session.service.url=http://cbioportal-session:5001/api/sessions/my_portal/ --clickhouse_mode=${APP_CLICKHOUSE_MODE:-false} --spring.profiles.active=${APP_SPRING_PROFILE:-default}"

Could the issue be due to the --session.service.url still using HTTP instead of HTTPS? Or is there something else I should check to ensure Keycloak accepts the HTTPS redirect?


Thanks,

Harika

Benjamin Gross

Apr 17, 2025, 10:58:52 AM
to Harika Gannu, cBioPortal for Cancer Genomics Discussion Group
Hi Harika,

I’m glad you are making progress. Someone from another post in the Google Group had a similar issue. It seems that adding the following to your portal properties file may do the trick:

server.forward-headers-strategy=NATIVE

This comes into play when your application is running behind a load-balancer or proxy as is the case with your Apache setup.  This link has more info:


Let me know how it goes.

-Benjamin
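
Added example (not from the thread or the cBioPortal project): a simplified Python model of how a backend behind a TLS-terminating Apache proxy can produce both symptoms discussed above, the "Invalid CORS request" 403 and Keycloak's invalid_redirect_uri for an https pattern. The request, the callback path and all function names are constructed for illustration; it assumes the backend compares the Origin header with its own scheme/host/port, and that redirect URIs are matched exactly or by a trailing `*`.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed request as the container sees it: Apache terminated TLS for
# https://test.edu and proxied over plain HTTP, adding X-Forwarded-Proto.
REQUEST = {
    "scheme": "http",
    "headers": {"Host": "test.edu", "X-Forwarded-Proto": "https",
                "Origin": "https://test.edu"},
}
ACS_PATH = "/saml/callback"  # hypothetical callback path, illustration only

def backend_view(req, honor_forwarded):
    """(scheme, host, port) the application believes it is served on."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    scheme = req["scheme"]
    if honor_forwarded:
        scheme = headers.get("x-forwarded-proto", scheme)
    host, _, port = headers["host"].partition(":")
    return scheme, host, int(port) if port else DEFAULT_PORTS[scheme]

def base_url(view):
    """External base URL built from the backend's own view of itself."""
    scheme, host, port = view
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"

def redirect_uri_valid(uri, patterns):
    """Exact match, or prefix match when the pattern ends in '*'."""
    return any(uri.startswith(p[:-1]) if p.endswith("*") else uri == p
               for p in patterns)

def is_cross_origin(origin, view):
    """True when the browser's Origin differs from the backend's own view."""
    o = urlsplit(origin)
    return (o.scheme, o.hostname, o.port or DEFAULT_PORTS[o.scheme]) != view

def diagnose(honor_forwarded, req=REQUEST):
    """Summarise what the backend advertises and how it classifies the call."""
    view = backend_view(req, honor_forwarded)
    uri = base_url(view) + ACS_PATH
    return {
        "redirect_uri": uri,
        "https_pattern_ok": redirect_uri_valid(uri, ["https://test.edu/*"]),
        "http_pattern_ok": redirect_uri_valid(uri, ["http://test.edu/*"]),
        "treated_as_cors": is_cross_origin(req["headers"]["Origin"], view),
    }
```

`diagnose(False)` reproduces the behaviour reported in the thread (only the http pattern matches, and the browser's request counts as cross-origin); `diagnose(True)` gives the https result only while the proxy actually sends `X-Forwarded-Proto`.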


Harika Gannu

Apr 23, 2025, 2:06:38 PM
to cBioPortal for Cancer Genomics Discussion Group
Thanks, Benjamin, for sharing more details. But I already tried it, and it didn't work.