Mica docker

[alby...@gmail.com]

Hi,

I am testing Mica docker on a machine with ubuntu and I don't know what password is needed to log in Opal, Mica and Agate.
The steps I have followed are:
1) Install docker
2) Create the file docker-compose.yml with the content here: https://micadoc.obiba.org/en/latest/admin/installation.html#docker-image-installation
3) In the terminal "sudo docker-compose up".
4) In the browser "http://localhost:8872".
5) I type "administrator" and I tried "password" and I can't log in.

In the log I get the following:

albert-mongo-1 | 2022-07-15T09:14:45.637+0000 I INDEX [conn6] index build: done building index _id_ on ns mica.taxonomyEntityWrapper
albert-mica-1 | 2022-07-15 09:14:46.622 WARN 83 --- [tp2021046913-56] o.o.m.web.rest.security.CSRFInterceptor : CSRF detection: Host=localhost:8872, Referer=http://localhost:8872/
albert-mica-1 | 2022-07-15 09:14:46.622 INFO 83 --- [tp2021046913-56] o.o.m.web.rest.security.CSRFInterceptor : >> You can add localhost:8872 to csrf.allowed setting

Thank you!

Best,

Albert

[Yannick Marcon]

Hi,

The password is the MICA_ADMINISTRATOR_PASSWORD env variable that you must have provided in the dockerfile (this is required as stated by the doc).

While you were accessing the server via the localhost address, the CSRF check was applied (see messages in the log). The CSRF check appears to be too aggressive, especially with docker port mapping: I just released Mica 5.0.1 that fixes that. Please pull the latest image and try again.

Regards

Yannick

--
You received this message because you are subscribed to the Google Groups "obiba-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to obiba-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/e1cf7747-1aed-440a-b53e-2e884413b737n%40googlegroups.com.

[alby...@gmail.com]

Hi Yannick,

I'm sorry, I don't understand exactly what I have to do about environment variables. Do I have to edit something specific in the docker-compose.yml file? I have the same as in Mica's doc.

I tried to create an .env file by entering the following:

MICA_ADMINISTRATOR_PASSWORD=password

OPAL_ADMINISTRATOR_PASSWORD=password

AGATE_ADMINISTRATOR_PASSWORD=password

Now, when I run "sudo docker-compose up", it does not complain that "MICA_ADMINISTRATOR_PASSWORD variable is not set" (same in Opal, Agate, etc). But when I go to Mica (localhost:8872),  the user "administrator" and "password" is not recognized. The same in Opal and Agate.

The log is the following:

albert-mica-1   | 2022-07-21 11:14:46.245  WARN 20 --- [tp1508413459-54] o.o.s.web.filter.AuthenticationFilter    : Previous executing subject was not properly unbound from executing thread. Unbinding now.

albert-mica-1   | 2022-07-21 11:14:46.246  WARN 20 --- [tp1508413459-54] o.glassfish.jersey.servlet.WebComponent  : A servlet request to the URI http://localhost:8872/ws/auth/sessions contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.

albert-mica-1   | 2022-07-21 11:14:46.248  WARN 20 --- [tp1508413459-54] o.o.m.web.rest.security.CSRFInterceptor  : CSRF detection: Host=localhost:8872, Referer=http://localhost:8872/signin

albert-mica-1   | 2022-07-21 11:14:46.248  INFO 20 --- [tp1508413459-54] o.o.m.web.rest.security.CSRFInterceptor  : >> You can add localhost:8872 to csrf.allowed setting

How can I add localhost:8872 to csrf.allowed setting? I upgraded Mica to the latest version by using "docker pull obiba/mica". 

In addition, only ports 8870, 8871 and 8872 are recognized, the others like 8080 etc, are not recognized. I don't know if this is related.

Thank you for your patience!

Best,

Albert

[Ramin H.A.]

Hi there,

There was a new release for Mica making the CSRF a little more relaxed on the localhost. Can you try the latest version?

Best

To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/3380fb35-56cc-427c-ac03-50f373cba219n%40googlegroups.com.

[alby...@gmail.com]

Hi Rhaeri,

Excuse my ignorance, I thought that running "sudo docker pull obiba/mica" would update the latest version. Now it says the following:

$ sudo docker pull obiba/mica
Using default tag: latest
latest: Pulling from obiba/mica
Digest: sha256:2ba8ce63fdc2c81f4bf46838fa22e1abf81904c588d9d998c2cf8502c25bfb1f
Status: Image is up to date for obiba/mica:latest
docker.io/obiba/mica:latest

 How to update then?
Thanks a lot!

Albert

[Ramin H.A.]

Hi,

Did you remove the existing images first? I just tried the Opal docker from the demo repository and had no issues with respect to the password nor CSRF.

If you do NOT have any data, you could try a clean docker setup:

cd <docker-compose-file-folder>
docker-compose rm -s # clean all containers created by this docker-compose (NOTE: `docker compose` for newer versions)
docker images
docker rmi <OPAL-IMAGE-ID>   # Repository: obiba/opal      Tag: latest 
docker-compose up -d

Best,

To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/67bd08f4-f177-4e2d-9c90-911752877323n%40googlegroups.com.

[alby...@gmail.com]

Hi Ramin,

Thanks for the instructions. I followed them but now the logs show that Mica exits and is not loading by localhost:8872.

I have also run "docker system prune -a" which removes everything, but not success.

So, I've installed a new fresh Ubuntu in VirtualBox (for testing), install docker, copy the text from obiba mica doc's (changing the password with a string) into docker-compose.yml file, and run "sudo docker-compose up".

When I enter to Mica, Opal or Agate, log shows again the csrf issue, and I can not sign in successfully (

Authentication failed. Please verify credentials.). These are the messages:

mica_1   | 2022-07-22 09:35:53.806  WARN 62 --- [qtp980383652-17] o.o.s.web.filter.AuthenticationFilter    : Previous executing subject was not properly unbound from executing thread. Unbinding now.

mica_1   | 2022-07-22 09:35:53.808  WARN 62 --- [qtp980383652-17] o.glassfish.jersey.servlet.WebComponent  : A servlet request to the URI http://localhost:8872/ws/auth/sessions contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.

mica_1   | 2022-07-22 09:35:53.829  WARN 62 --- [qtp980383652-17] o.o.m.web.rest.security.CSRFInterceptor  : CSRF detection: Host=localhost:8872, Referer=http://localhost:8872/signin

mica_1   | 2022-07-22 09:35:53.830  INFO 62 --- [qtp980383652-17] o.o.m.web.rest.security.CSRFInterceptor  : >> You can add localhost:8872 to csrf.allowed setting

Thank you and sorry for my issues...

Best,

Albert

[Cédric Fontin]

Hi,

As the log suggests, you have to add localhost:8872 to the csrf.allowed in the config file.
For Mica, it would be under MICA_HOME/conf/application.yml where MICA_HOME would be /opt/mica as per the volumes config that you copied from the documentation (resulting in the file being placed under /opt/mica/conf).
Similarly, for Opal and Agate this file should be placed under /opt/opal/conf and /opt/agate/conf respectively.

Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/0ac7cd1b-da21-4eec-93d5-211511144f38n%40googlegroups.com.

[alby...@gmail.com]

Hi Cédric,

What should I write in "application.yml" to add the localhost:8872 in csrf.allowed?

I have tried several things without success, one of them is as follows:

server:

    port: 8082

    csrf.allowed: http://localhost:8872

Agate has the same file, but Opal has no application.yml file. Where should I write the csrf in Opal?

Thanks for the help,

Albert

[Cédric Fontin]

Hi,
The config should look like:

csrf:
    allowed: "localhost:8872"

Here is an example of the default configs.
Regards.

To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/8d8752b0-efbe-439f-8ca8-57c478fea050n%40googlegroups.com.

[alby...@gmail.com]

Thank you Cédric, it works with Mica and Agate!

In Opal  I wrote at the end "csrf.allowed=localhost:8870" and it also works!

Thanks so much.

Regards,

Albert

[Cédric Fontin]

Glad to be of help.

To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/fe154b41-4d3c-4ee3-b9b5-1b61d1efc0a8n%40googlegroups.com.

[Yannick Marcon]

Hi,

FYI the latest Mica/Agate/Opal releases do not check for CSRF when access is done via localhost (which is considered to be a trusted origin). Then pull the latest docker images and this CSRF setting will not be necessary anymore.

Regards

Yannick

To view this discussion on the web visit https://groups.google.com/d/msgid/obiba-users/CAOGeEEKSwkNFge11B6JUOFUwWfZn4-j%2B403BbVaiQWm7LfnnBg%40mail.gmail.com.