Endless redirect loop post authentication

[Hechmer, Aaron]

I'm running into the endless redirect loop others have reported upon the post-successful-authentication return to the main cbioportal page. I've seen it both using saml via keycloak and ldap in two different builds.

The version is 3.6.1 (or I guess "3.6.1-dirty-SNAPSHOT") compiled, not the docker container.

* Without authentication, everything works fine and I can access public studies
* In the keycloak case, http was served straight from webapp-runner/tomcat.
* In the ldap case, there's an nginx reverse proxy server handling https. Webapp-runner is provided the --proxy-base-url parameter and without authentication, all that works fine
* I believe the user authorization is set up correctly in users and authorities tables

Here's the url that looping:

https://cbp-hn.ucsf.edu/?spring-security-redirect=https%3A%2F%2Fcbp-hn.ucsf.edu%2Frestore%3Fkey%3Dlogin-redirect

I know little about spring-security, but the obvious question is why is the redirect url including an instruction that appears to ask for another redirect? Any ideas of suggestions?

Thanks for all your efforts!

[Ino de Bruijn]

Hi Aaron,

Thanks for reaching out! I am curious: is this the first time you are setting up cBioPortal or are you upgrading from a previous version? Trying to see if this is a newly introduced problem

Best wishes,

Ino

--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/BYAPR05MB6071777E24E6336A04C18AD1829E9%40BYAPR05MB6071.namprd05.prod.outlook.com.

[Ino de Bruijn]

CC'ing the rest of the cbioportal user group to see if someone more familiar with auth has a pointer

On Wed, Mar 3, 2021, 1:52 PM Hechmer, Aaron <Aaron....@ucsf.edu> wrote:

BTW: if I'm barking up the right tree, targetUrlParameter is used in

./security/security-spring/src/main/java/org/cbioportal/security/spring/PortalSavedRequestAwareAuthenticationSuccessHandler.java

and git doesn't show that file having changed since 2017.

[tyler...@gmail.com]

This is the same issue I'm facing but using googleplus authentication and not using docker.  I've installed the latest cbioportal - 3.6.5, I didn't upgrade from a previous version.  Website works great without authentication but when I add the google authentication it goes into an endless redirect upon logging in with that same "restore%3Fkey%3Dlogin-redirect"

[Benjamin Gross]

Hi Aaron, Ino

Its hard to pinpoint what might be causing this issue with the given information.  All the code involved does run in our environment.  The question about the login redirect is because the frontend handles routing of requests and when it detects a 401, it redirects to the url below (I’m cc’ing Aaron Lisman, our frontend lead who is more familiar with that code) for authentication.  Perhaps authentication in the backend is not completing properly which is causing the loop.

My first suggestion is to turn logging on in the backend for the security libraries and see if there is anything in the log that can shed light on the situation.  There is some information on the following page for doing this:

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#troubleshooting

Let us know how it goes and if there is anything in the log file you think is relevant, please share and we can help you decipher.

Best,

Benjamin

[Benjamin Gross]

Hi Tyler,

As I mentioned to Aaron Hechmer, it would be helpful if you can turn on logging in the security libraries and see if anything shows up in it that can shed light on this issue.  Information can be found here:

https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-and-authorizing-users-via-keycloak#troubleshooting

Let us know how it goes and if there is anything in the log file you think is relevant, please share and we can help you decipher.

Best,

Benjamin

--
You received this message because you are subscribed to the Google Groups "cBioPortal for Cancer Genomics Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cbioportal+...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/429230d7-7931-4d62-a9f3-a9f127340341n%40googlegroups.com.

[Tyler Izatt]

Thanks - I did turn on the security libraries.  I did not discover any errors, but I was able to get the site to load - only it took about 20-30 seconds (and was doing the refreshing the whole time).  Btw I am using "http" currently, and build38.

What I noticed in the logs was this - there was a pattern of certain paths that kept getting checked repeatedly (>50 times) and they showed as successfully authenticating each time:

/index.jsp?spring-security-redirect=http%3A%2F%2Fcbioportal.#####%3A8084%2Fcbioportal%2Frestore%3Fkey%3Dlogin-redirect
/api/studies?projection=SUMMARY;
ReflectiveMethodInvocation: public abstract java.util.List org.cbioportal.service.StudyService.getAllStudies
/api/info
/api/session/virtual_study
/api/cancer-types

When the website did load (after the above repetitions) - it ended with checking the virtual study path about 4 times.

/api/session/virtual_study

The messages at the ending (when the site stops refreshing) looked no different to me from the messages that appear after each iteration of the urls above.  It successfully authenticates near the top of the log and then keeps reaffirming that it's authenticated.  See attached log file - this is from a single load of the website.

[Benjamin Gross]

Hi Tyler,

I see in your log file that the URL to your instance contains the app name (“cbioportal”) in its path:

http://hostname:port/cbioportal/

We believe this is an issue and not supported in our current security configuration file.  Until we create a patch, is there a way you can redeploy your instance without the app name in the path and confirm it works?

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/b9c91298-d571-4e8b-affe-c176c9f2af67n%40googlegroups.com.

[Benjamin Gross]

Hi Tyler,

As a follow-up, can you verify that you have the following property set in your portal.properties?

authenticate=googleplus

Best,

Benjamin

[Tyler Izatt]

I'm using the webapp runner to set that property like so:

 java -jar -Dauthenticate=googleplus portal/target/dependency/webapp-runner.jar --path /cbioportal --port 8084 portal/target/cbioportal.war

[Benjamin Gross]

Is the —path argument to webapp-runner necessary in your setup?  Can you try removing it?

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/38b92e86-4fe5-4217-b436-18e333db3889n%40googlegroups.com.

[Tyler Izatt]

No it's not necessary - I went ahead and removed it and I am still running into the same issue. 

[Tyler Izatt]

Here is what's in the browser as it keeps redirecting:

http://cbioportal.rc.tgen.org:8083/?spring-security-redirect=http%3A%2F%2Fcbioportal.rc.tgen.org%3A8083%2Frestore%3Fkey%3Dlogin-redirect

[Aaron Lisman]

HI Tyler, 

I think the best thing would be for us to jump on a call so I can debug.   Are you free this afternoon?

--Aaron Lisman

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/d7ce9df4-c65f-43e4-8ae0-03f89ff1450dn%40googlegroups.com.

[Tyler Izatt]

Yes that works for me.  I'm available this afternoon 

[Aaron Lisman]

How about 5pm?  

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/ddfb3d34-05bb-41f3-8d04-8c37e36eb6cen%40googlegroups.com.

[Tyler Izatt]

Yes that should work.  what time zone is that for?

[Aaron Lisman]

EST (New York City).

I could do now also if that's better.

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/e14c4deb-f9ba-4580-8d4f-58e85ee6c6d8n%40googlegroups.com.

[Tyler Izatt]

Yes I can do now as well.  Do you need my phone number?  

[Aaron Lisman]

Lets stick with 5pm eST so my colleague ben can join.  

https://meetmsk.zoom.us/j/96962452671

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/1f1f62f9-436e-4d4b-8a49-20f54d53db4bn%40googlegroups.com.

[Tyler Izatt]

Okay that sounds good.

[Benjamin Gross]

Tyler,

I’ve been stepping through the code behind the session/virtual_study and there are two checks that would cause a 401 to be returned to the browser - either the user has not been authorized or that the session service has not been enabled

(see https://github.com/cBioPortal/cbioportal/blob/master/web/src/main/java/org/cbioportal/web/SessionServiceController.java#L188)

Based on the code, the only reason the session service would not be enabled is if the session.service.url is not set in portal.properties.  Can you confirm that you are setting this property?

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/bdbccb70-502d-4ed6-af5c-6731eb286d80n%40googlegroups.com.

[Tyler Izatt]

Benjamin -

    Thank you this helped with figuring out my problem!  I had set the session-service correctly in $PORTAL_HOME/portal.properties.  However when the .war file is created it was not using this portal.properties file as I expected, but was copying over a different one farther down the directory tree.  After I copied my portal.properties file in place of the other ones, the session-service url is populating correctly.  

I'm guessing if anyone else has this problem - make sure that the portal.properties file that you edit is getting utilized in the war file.

[Tyler Izatt]

I have a new error that popped up.  The site no longer refreshes, but now when I go to the DataSets tab from the home page - I'm getting the following error:

{"req":{"method":"POST","url":"http://cbioportal.rc.tgen.org:8083/api/session/custom_data/fetch","data":["brca_tcga_pub"],"headers":{"content-type":"application/json"}},"xhr":{},"text":"<!doctype html><html lang=\"en\"><head><title>HTTP Status 500 – Internal Server Error</title><style type=\"text/css\">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class=\"line\" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorException$MethodNotAllowed: 405 Method Not Allowed: [{&quot;timestamp&quot;:1616080691430,&quot;status&quot;:405,&quot;error&quot;:&quot;Method Not Allowed&quot;,&quot;exception&quot;:&quot;org.springframework.web.HttpRequestMethodNotSupportedException&quot;,&quot;message&quot;:&quot;Request method &#39;POST&#39; not supported&quot;,&quot;path&quot;:&quot;&#47;session_service&#47;api&#47;sessions&#47;coh_portal&#47;custom_data&#47;query&#47;fetch&quot;}]</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorException$MethodNotAllowed: 405 Method Not Allowed: [{&quot;timestamp&quot;:1616080691430,&quot;status&quot;:405,&quot;error&quot;:&quot;Method Not Allowed&quot;,&quot;exception&quot;:&quot;org.springframework.web.HttpRequestMethodNotSupportedException&quot;,&quot;message&quot;:&quot;Request method &#39;POST&#39; not supported&quot;,&quot;path&quot;:&quot;&#47;session_service&#47;api&#47;sessions&#47;coh_portal&#47;custom_data&#47;query&#47;fetch&quot;}]\n\torg.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)\n\torg.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:652)\n\torg.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:733)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\torg.mskcc.cbio.portal.util.XssFilter.doFilter(XssFilter.java:65)\n\torg.cbioportal.web.util.ResettableHttpServletRequestFilter.doFilter(ResettableHttpServletRequestFilter.java:29)\n\torg.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)\n\torg.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\n\torg.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n\tcom.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)\n\torg.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)\n\torg.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)\n\torg.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n</pre><p><b>Root Cause</b></p><pre>org.springframework.web.client.HttpClientErrorException$MethodNotAllowed: 405 Method Not Allowed: [{&quot;timestamp&quot;:1616080691430,&quot;status&quot;:405,&quot;error&quot;:&quot;Method Not Allowed&quot;,&quot;exception&quot;:&quot;org.springframework.web.HttpRequestMethodNotSupportedException&quot;,&quot;message&quot;:&quot;Request method &#39;POST&#39; not supported&quot;,&quot;path&quot;:&quot;&#47;session_service&#47;api&#47;sessions&#47;coh_portal&#47;custom_data&#47;query&#47;fetch&quot;}]\n\torg.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:117)\n\torg.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170)\n\torg.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:112)\n\torg.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)\n\torg.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782)\n\torg.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740)\n\torg.springframework.web.client.RestTemplate.execute(RestTemplate.java:674)\n\torg.springframework.web.client.RestTemplate.exchange(RestTemplate.java:612)\n\torg.cbioportal.web.SessionServiceController.fetchCustomProperties(SessionServiceController.java:460)\n\torg.cbioportal.web.SessionServiceController$$FastClassBySpringCGLIB$$6b4f2f08.invoke(&lt;generated&gt;)\n\torg.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:771)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:56)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.aspectj.AspectJAfterAdvice.invoke(AspectJAfterAdvice.java:47)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:95)\n\torg.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)\n\torg.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:749)\n\torg.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:691)\n\torg.cbioportal.web.SessionServiceController$$EnhancerBySpringCGLIB$$7f98ace1.fetchCustomProperties(&lt;generated&gt;)\n\tsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)\n\tsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tjava.lang.reflect.Method.invoke(Method.java:498)\n\torg.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)\n\torg.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)\n\torg.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)\n\torg.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:879)\n\torg.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793)\n\torg.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)\n\torg.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)\n\torg.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)\n\torg.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)\n\torg.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:652)\n\torg.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)\n\tjavax.servlet.http.HttpServlet.service(HttpServlet.java:733)\n\torg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\n\torg.mskcc.cbio.portal.util.XssFilter.doFilter(XssFilter.java:65)\n\torg.cbioportal.web.util.ResettableHttpServletRequestFilter.doFilter(ResettableHttpServletRequestFilter.java:29)\n\torg.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)\n\torg.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:118)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:158)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)\n\torg.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)\n\torg.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)\n\torg.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)\n\torg.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)\n\torg.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n\tcom.vlkan.hrrs.servlet.HrrsFilter.doFilter(HrrsFilter.java:85)\n\torg.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364)\n\torg.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170)\n\torg.mskcc.cbio.portal.util.RequestBodyGZipFilter.doFilter(RequestBodyGZipFilter.java:72)\n\torg.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)\n\torg.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)\n</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class=\"line\" /><h3>Apache Tomcat/8.5.61</h3></body></html>","statusText":"","statusCode":500,"status":500,"statusType":5,"info":false,"ok":false,"redirect":false,"clientError":false,"serverError":true,"error":{"status":500,"method":"POST","url":"http://cbioportal.rc.tgen.org:8083/api/session/custom_data/fetch"},"created":false,"accepted":false,"noContent":false,"badRequest":false,"unauthorized":false,"notAcceptable":false,"forbidden":false,"notFound":false,"unprocessableEntity":false,"headers":{"access-control-allow-origin":"*","access-control-expose-headers":"total-count,sample-count","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"close","content-language":"en","content-type":"text/html;charset=utf-8","date":"Thu, 18 Mar 2021 15:18:10 GMT","expires":"0","pragma":"no-cache","transfer-encoding":"chunked","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"1; mode=block"},"header":{"access-control-allow-origin":"*","access-control-expose-headers":"total-count,sample-count","cache-control":"no-cache, no-store, max-age=0, must-revalidate","connection":"close","content-language":"en","content-type":"text/html;charset=utf-8","date":"Thu, 18 Mar 2021 15:18:10 GMT","expires":"0","pragma":"no-cache","transfer-encoding":"chunked","x-content-type-options":"nosniff","x-frame-options":"DENY","x-xss-protection":"1; mode=block"},"type":"text/html","charset":"utf-8","links":{},"body":null,"url":"http://cbioportal.rc.tgen.org:8083/study/summary?id=brca_tcga_pub"}

[Tyler Izatt]

Here was the error when I looked in the log file:

SEVERE: Servlet.service() for servlet [api] in context with path [] threw exception [Request processing failed; nested exception is org.springframework.web.client.HttpClientErrorException$MethodNotAllowed: 405 Method Not Allowed: [{"timestamp":1616080691431,"status":405,"error":"Method Not Allowed","exception":"org.springframework.web.HttpRequestMethodNotSupportedException","message":"Request method 'POST' not supported","path":"/session_service/api/sessions/coh_portal/settings/query/fetch"}]] with root cause

[Tyler Izatt]

Looks like it was the construction of my session-service url that is incorrect. 

I switched from:

http://cbioportal.rc.tgen.org:8080/session-service/api/sessions/coh_portal/ 

http://cbioportal.rc.tgen.org:8080/api/sessions/coh_portal/

[Benjamin Gross]

Glad to hear it works now Tyler and you figured out the proper path to the session service.  I’m still not sure why you didn’t encounter the following “No session service configured” screen and instead ended up getting into the endless loop.  In any event, there are some next steps we can take to improve our code and documentation.

Nice “meeting” you the other day and sorry for any inconvenience this may have caused.

Best,

Benjamin

To view this discussion on the web visit https://groups.google.com/d/msgid/cbioportal/524d3e06-3748-43d5-b393-11a85e86d87bn%40googlegroups.com.

[Tyler Izatt]

Thanks Benjamin you were very patient with me - I did get a "No session service configured" when I didn't have the session-service jar "running" originally, but you're right that I didn't get one for not having the correct url in the portal.properties.  I appreciated the help so much and it was nice to meet you!