Zeppelin redirect to CAS login


daveolic...@gmail.com

Apr 13, 2018, 6:04:30 PM
to Pac4j users mailing list
Hi Everyone,

I'm attempting to integrate an existing CAS 5.1.8 installation with a new Zeppelin 0.7.3 installation.  My expectation was to have the browser display the CAS login when the user navigates to the Zeppelin site - after entering credentials, redirecting back to the Zeppelin site.  From there, I dig out the credentials to perform authorization, etc.  Instead, when I navigate to my Zeppelin instance, the browser lands on the Zeppelin home page.  So, the user is unable to enter their credentials.  I attempted this with Chrome and Firefox with the same results.  IE didn't seem to work at all.

I see a couple of 302s from the web console log and AUTHENTICATION_EVENTs in the CAS log (below) but don't understand why the login page isn't accessible.    

Any ideas are appreciated.

Thanks a lot.


I'm using the libraries provided by the Zeppelin binary download, adding the following jars:

buji-pac4j-3.2.1.jar
pac4j-cas-2.2.1.jar
pac4j-core-2.2.1.jar
shiro-cas-1.2.3.jar



shiro.ini:

[main]

casConfig = org.pac4j.cas.config.CasConfiguration
casClient = org.pac4j.cas.client.CasClient
casClient.configuration = $casConfig

clients = org.pac4j.core.client.Clients
clients.callbackUrl = https://myZeppelinContainer:8444
clients.clients = $casClient

requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
requireRoleAdmin.elements = ROLE_ADMIN

config = org.pac4j.core.config.Config
config.clients = $clients
config.authorizers = admin:$requireRoleAdmin

casSecurityFilter = io.buji.pac4j.filter.SecurityFilter
casSecurityFilter.config = $config
casSecurityFilter.clients = CasClient

pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.subjectFactory = $pac4jSubjectFactory

callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.defaultUrl = https://myZeppelinContainer:8444
callbackFilter.config = $config

[urls]
/** = casSecurityFilter




Firefox Web Console:
<snippet>
[13:23:38.489] GET https://myZeppelinContainer:8444/extensions/tex2jax.js?V=2.7.0 [HTTP/1.1 200 OK 20ms]
[13:23:38.490] GET https://myZeppelinContainer:8444/api/security/ticket [HTTP/1.1 302 Found 40ms]
[13:23:38.728] GET https://myZeppelinContainer:8444/ws [HTTP/1.1 101 Switching Protocols 34ms]
[13:23:38.812] GET https://myZeppelinContainer:8444/assets/images/zepLogoW.png [HTTP/1.1 200 OK 5ms]
[13:23:38.813] GET https://myZeppelinContainer:8444/assets/images/zepLogo.png [HTTP/1.1 200 OK 5ms]
[13:23:38.814] GET https://myZeppelinContainer:8444/api/version [HTTP/1.1 302 Found 7ms]
[13:23:39.849] GET https://myZeppelinContainer:8444/extensions/MathMenu.js?V=2.7.0 [HTTP/1.1 200 OK 10ms]




Cas server log:
<snippet>
2018-04-13 13:23:08,170 INFO [org.apereo.cas.services.DefaultServicesManager] - <Loaded [3] service(s) from [JsonServiceRegistryDao].>
2018-04-13 13:23:38,528 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@2ad2d241[id=https://myZeppelinContainer:8444?client_name=CasClient,originalUrl=https://myZeppelinContainer:8444?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@1dab9dd6[]]>
2018-04-13 13:23:38,529 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://myZeppelinContainer:8444?client_name=CasClient]>
2018-04-13 13:23:38,529 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2018-04-13 13:23:38,530 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Apr 13 13:23:38 PDT 2018,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Apr 13 13:23:38 PDT 2018
CLIENT IP ADDRESS: fe80:0:0:0:c175:65e2:9441:4bb3%22
SERVER IP ADDRESS: fe80:0:0:0:c175:65e2:9441:4bb3%22
=============================================================

>
2018-04-13 13:23:38,545 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_en] - neither plain properties nor XML>
2018-04-13 13:23:38,546 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2018-04-13 13:23:38,547 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_en] - neither plain properties nor XML>
2018-04-13 13:23:38,548 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] - <Re-caching properties for filename [classpath:messages] - file hasn't been modified>
2018-04-13 13:23:38,806 DEBUG [org.apereo.cas.web.support.DefaultArgumentExtractor] - <Created [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@169c708[id=https://myZeppelinContainer:8444?client_name=CasClient,originalUrl=https://myZeppelinContainer:8444?client_name=CasClient,artifactId=<null>,principal=<null>,loggedOutAlready=false,format=XML]] based on [org.apereo.cas.authentication.principal.WebApplicationServiceFactory@1dab9dd6[]]>
2018-04-13 13:23:38,806 DEBUG [org.apereo.cas.web.support.AbstractArgumentExtractor] - <Extractor generated service type [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl] for: [https://myZeppelinContainer:8444?client_name=CasClient]>
2018-04-13 13:23:38,807 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2018-04-13 13:23:38,807 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Fri Apr 13 13:23:38 PDT 2018,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Apr 13 13:23:38 PDT 2018
CLIENT IP ADDRESS: fe80:0:0:0:c175:65e2:9441:4bb3%22
SERVER IP ADDRESS: fe80:0:0:0:c175:65e2:9441:4bb3%22
=============================================================

>
2018-04-13 13:24:07,330 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.clean]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-04-13 13:24:07,330 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner.clean]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>





Zeppelin server log (I added print and log statements to the code - including a stack trace in HttpAction)
<snippet>

 INFO [2018-04-13 13:23:38,484] ({qtp1096283470-21} AbstractValidatingSessionManager.java[enableSessionValidation]:230) - Enabling session validation scheduler...
Inside SecurityFilter.doFilter myCasContainer filterChain org.apache.shiro.web.servlet.ProxiedFilterChain@43309613
SecurityLogic class io.buji.pac4j.engine.ShiroSecurityLogic
 INFO [2018-04-13 13:23:38,490] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:67) - === SECURITY ===
 INFO [2018-04-13 13:23:38,490] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:91) - url: https://myZeppelinContainer:8444/api/security/ticket
 INFO [2018-04-13 13:23:38,490] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:92) - matchers: null
 INFO [2018-04-13 13:23:38,490] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:95) - clients: CasClient
 INFO [2018-04-13 13:23:38,491] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:97) - currentClients: [#CasClient# | name: CasClient | callbackUrl: https://myZeppelinContainer:8444?client_name=CasClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@7c103c5c | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@6662ba36 | redirectActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@7545036 | logoutActionBuilder: org.pac4j.core.logout.NoLogoutActionBuilder@48f650cb | configuration: #CasConfiguration# | loginUrl: https://myCasContainer:444/cas/login | prefixUrl: null | restUrl: null | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: null | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@35796755 | |]
 INFO [2018-04-13 13:23:38,491] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:100) - loadProfilesFromSession: true
 INFO [2018-04-13 13:23:38,493] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:103) - profiles: []
 INFO [2018-04-13 13:23:38,494] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:147) - Starting authentication
 INFO [2018-04-13 13:23:38,494] ({qtp1096283470-21} DefaultSecurityLogic.java[saveRequestedUrl]:244) - requestedUrl: https://myZeppelinContainer:8444/api/security/ticket
 INFO [2018-04-13 13:23:38,497] ({qtp1096283470-21} DefaultSecurityLogic.java[redirectToIdentityProvider]:257) - Inside DefaultSecurityLogic.redirectToIdentityProvider
 INFO [2018-04-13 13:23:38,498] ({qtp1096283470-21} DefaultSecurityLogic.java[redirectToIdentityProvider]:260) - IndirectClient org.pac4j.cas.client.CasClient
ERROR [2018-04-13 13:23:38,498] ({qtp1096283470-21} IndirectClient.java[redirect]:68) - Inside IndirectClient.redirect org.pac4j.cas.client.CasClient
ERROR [2018-04-13 13:23:38,499] ({qtp1096283470-21} CasRedirectActionBuilder.java[<init>]:32) - CallbackUrl https://myZeppelinContainer:8444?client_name=CasClient
ERROR [2018-04-13 13:23:38,502] ({qtp1096283470-21} CasAuthenticator.java[<init>]:44) - CasAuthenticator https://myZeppelinContainer:8444?client_name=CasClient
ERROR [2018-04-13 13:23:38,502] ({qtp1096283470-21} IndirectClient.java[getRedirectAction]:94) - attemptedAuth: null
ERROR [2018-04-13 13:23:38,503] ({qtp1096283470-21} CasRedirectActionBuilder.java[redirect]:49) - loginUrl: https://myCasContainer:444/cas/login
ERROR [2018-04-13 13:23:38,503] ({qtp1096283470-21} CasRedirectActionBuilder.java[redirect]:50) - callbackUrl: https://myZeppelinContainer:8444?client_name=CasClient
ERROR [2018-04-13 13:23:38,503] ({qtp1096283470-21} CasRedirectActionBuilder.java[redirect]:51) - redirectionUrl: https://myCasContainer:444/cas/login?service=https%3A%2F%2FmyZeppelinContainer%3A8444%3Fclient_name%3DCasClient
 INFO [2018-04-13 13:23:38,503] ({qtp1096283470-21} IndirectClient.java[getRedirectAction]:106) - Created RedirectAction of type org.pac4j.core.redirect.RedirectAction
Inside RedirectAction.perform type: REDIRECT
HttpAction.redirect context type org.pac4j.core.context.J2EContext
java.lang.Thread.getStackTrace(Thread.java:1559)
org.pac4j.core.exception.HttpAction.redirect(HttpAction.java:58)
org.pac4j.core.redirect.RedirectAction.perform(RedirectAction.java:84)
org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:70)
org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:261)
org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:149)
io.buji.pac4j.filter.SecurityFilter.doFilter(SecurityFilter.java:86)
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
org.eclipse.jetty.server.Server.handle(Server.java:499)
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
java.lang.Thread.run(Thread.java:748)
 INFO [2018-04-13 13:23:38,504] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:171) - Calling HttpActionAdapter.adapt for class org.pac4j.core.http.J2ENopHttpActionAdapter code 302
 INFO [2018-04-13 13:23:38,505] ({qtp1096283470-21} DefaultSecurityLogic.java[perform]:177) - returning object null
 INFO [2018-04-13 13:23:38,652] ({qtp1096283470-62} NotebookServer.java[onOpen]:157) - New connection from fe80:0:0:0:c175:65e2:9441:4bb3%22 : 50336
Inside SecurityFilter.doFilter myCasContainer filterChain org.apache.shiro.web.servlet.ProxiedFilterChain@70faf54b
SecurityLogic class io.buji.pac4j.engine.ShiroSecurityLogic
 INFO [2018-04-13 13:23:38,753] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:67) - === SECURITY ===
 INFO [2018-04-13 13:23:38,753] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:91) - url: https://myZeppelinContainer:8444/api/version
 INFO [2018-04-13 13:23:38,753] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:92) - matchers: null
 INFO [2018-04-13 13:23:38,753] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:95) - clients: CasClient
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:97) - currentClients: [#CasClient# | name: CasClient | callbackUrl: https://myZeppelinContainer:8444?client_name=CasClient | urlResolver: org.pac4j.core.http.DefaultUrlResolver@7c103c5c | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@6662ba36 | redirectActionBuilder: org.pac4j.cas.redirect.CasRedirectActionBuilder@4edcc86e | credentialsExtractor: org.pac4j.cas.credentials.extractor.TicketAndLogoutRequestExtractor@4337b894 | authenticator: org.pac4j.cas.credentials.authenticator.CasAuthenticator@6cd99591 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@7545036 | logoutActionBuilder: #CasLogoutActionBuilder# | serverLogoutUrl: https://myCasContainer:444/cas/logout | postLogoutUrlParameter: service | | configuration: #CasConfiguration# | loginUrl: https://myCasContainer:444/cas/login | prefixUrl: https://myCasContainer:444/cas/ | restUrl: https://myCasContainer:444/cas/v1/tickets | protocol: CAS30 | renew: false | gateway: false | encoding: UTF-8 | logoutHandler: #DefaultCasLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | acceptAnyProxy: false | allowedProxyChains: [] | proxyReceptor: null | timeTolerance: 1000 | postLogoutUrlParameter: service | defaultTicketValidator: null | urlResolver: org.pac4j.core.http.DefaultUrlResolver@7c103c5c | |]
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:100) - loadProfilesFromSession: true
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:103) - profiles: []
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:147) - Starting authentication
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[saveRequestedUrl]:244) - requestedUrl: https://myZeppelinContainer:8444/api/version
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[redirectToIdentityProvider]:257) - Inside DefaultSecurityLogic.redirectToIdentityProvider
 INFO [2018-04-13 13:23:38,754] ({qtp1096283470-15} DefaultSecurityLogic.java[redirectToIdentityProvider]:260) - IndirectClient org.pac4j.cas.client.CasClient
ERROR [2018-04-13 13:23:38,754] ({qtp1096283470-15} IndirectClient.java[redirect]:68) - Inside IndirectClient.redirect org.pac4j.cas.client.CasClient
ERROR [2018-04-13 13:23:38,754] ({qtp1096283470-15} IndirectClient.java[getRedirectAction]:94) - attemptedAuth: null
ERROR [2018-04-13 13:23:38,754] ({qtp1096283470-15} CasRedirectActionBuilder.java[redirect]:49) - loginUrl: https://myCasContainer:444/cas/login
ERROR [2018-04-13 13:23:38,755] ({qtp1096283470-15} CasRedirectActionBuilder.java[redirect]:50) - callbackUrl: https://myZeppelinContainer:8444?client_name=CasClient
ERROR [2018-04-13 13:23:38,755] ({qtp1096283470-15} CasRedirectActionBuilder.java[redirect]:51) - redirectionUrl: https://myCasContainer:444/cas/login?service=https%3A%2F%2FmyZeppelinContainer%3A8444%3Fclient_name%3DCasClient
 INFO [2018-04-13 13:23:38,755] ({qtp1096283470-15} IndirectClient.java[getRedirectAction]:106) - Created RedirectAction of type org.pac4j.core.redirect.RedirectAction
Inside RedirectAction.perform type: REDIRECT
HttpAction.redirect context type org.pac4j.core.context.J2EContext
java.lang.Thread.getStackTrace(Thread.java:1559)
org.pac4j.core.exception.HttpAction.redirect(HttpAction.java:58)
org.pac4j.core.redirect.RedirectAction.perform(RedirectAction.java:84)
org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:70)
org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:261)
org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:149)
io.buji.pac4j.filter.SecurityFilter.doFilter(SecurityFilter.java:86)
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72)
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
org.eclipse.jetty.server.Server.handle(Server.java:499)
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
java.lang.Thread.run(Thread.java:748)
 INFO [2018-04-13 13:23:38,756] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:171) - Calling HttpActionAdapter.adapt for class org.pac4j.core.http.J2ENopHttpActionAdapter code 302
 INFO [2018-04-13 13:23:38,756] ({qtp1096283470-15} DefaultSecurityLogic.java[perform]:177) - returning object null



Jérôme LELEU

Apr 16, 2018, 11:10:09 AM
to daveolic...@gmail.com, Pac4j users mailing list
Hi,

You have defined all URLs to be secured: /** = casSecurityFilter

But the callback must NOT be secured, otherwise, it doesn't work.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

daveolic...@gmail.com

May 8, 2018, 6:39:33 PM
to Pac4j users mailing list
Hi Jerome - Thanks for your response.

I updated my shiro.ini security settings but the redirect to the CAS login page is still not taking place.  I explored the possibility of this being a CORS issue (my CAS server and Zeppelin instance are on different domains) and attempted to resolve it on the CAS side (see below) without success.  I included my updated shiro.ini as well. 

Using the Web Console in Firefox, I grabbed a GET request:

If I copy/paste the URI into the address bar of the browser, it takes me to CAS.  When I log in, I am redirected to Zeppelin - as intended.

I suspect you've seen this sort of thing a lot and was wondering if anything looks suspicious to you.   
  
Thanks a lot,

d


<cas.properties snippet>

cas.httpWebRequest.header.xframe=false
cas.httpWebRequest.header.xss=false
cas.httpWebRequest.header.hsts=true
cas.httpWebRequest.header.xcontent=true
cas.httpWebRequest.header.cache=true
cas.httpWebRequest.cors.enabled=true
cas.httpWebRequest.cors.allowCredentials=false
cas.httpWebRequest.cors.allowOrigins[0]=*
cas.httpWebRequest.cors.allowMethods[0]=*
cas.httpWebRequest.cors.allowHeaders[0]=*
cas.httpWebRequest.cors.exposedHeaders[1]=Origin
cas.httpWebRequest.cors.exposedHeaders[2]=Content-Range
cas.httpWebRequest.cors.exposedHeaders[3]=Content-Disposition
cas.httpWebRequest.cors.exposedHeaders[4]=Content-Description
cas.httpWebRequest.cors.exposedHeaders[5]=x-requested-with
cas.httpWebRequest.cors.exposedHeaders[6]=Content-Type
cas.httpWebRequest.cors.exposedHeaders[7]=cookie
cas.httpWebRequest.cors.exposedHeaders[8]=withcredentials
cas.httpWebRequest.cors.exposedHeaders[9]=token
cas.httpWebRequest.cors.exposedHeaders[10]=Authorization
cas.httpWebRequest.cors.exposedHeaders[11]=Location
cas.httpWebRequest.cors.exposedHeaders[12]=location
cas.httpWebRequest.cors.exposedHeaders[13]=WWW-Authenticate
cas.httpWebRequest.cors.exposedHeaders[14]=Server-Authorization
cas.httpWebRequest.cors.exposedHeaders[15]=Access-Control-Allow-Credentials
cas.httpWebRequest.cors.exposedHeaders[16]=X-ACCESS_TOKEN
cas.httpWebRequest.cors.exposedHeaders[17]=Access-Control-Allow-Origin
cas.httpWebRequest.cors.maxAge=3600




<shiro.ini>

[main]
casConfig = org.pac4j.cas.config.CasConfiguration
casClient = org.pac4j.cas.client.CasClient
casClient.configuration = $casConfig

clients = org.pac4j.core.client.Clients
clients.callbackUrl = https://myZeppelinContainer:8444
clients.clients = $casClient

config = org.pac4j.core.config.Config
config.clients = $clients

casSecurityFilter = io.buji.pac4j.filter.SecurityFilter
casSecurityFilter.config = $config
casSecurityFilter.clients = CasClient

pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.subjectFactory = $pac4jSubjectFactory

callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.config = $config

[urls]
/api/security/** = casSecurityFilter
/** authc



Jérôme LELEU

May 9, 2018, 3:03:34 AM
to daveolic...@gmail.com, Pac4j users mailing list
Hi,

"still not taking place": what do you mean? What happens when you call /api/security/whatever?

Notice that in any case, after the successful login at CAS, it won't work as your callback URL is / (clients.callbackUrl = https://myZeppelinContainer:8444) and it's protected (/** = authc).

Thanks.
Best regards,
Jérôme



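The check that both of Jérôme's replies describe, as an added example that is not part of the thread or of pac4j: find which `[urls]` entry handles the path of `clients.callbackUrl` and confirm it is the callback filter alone. The two failing inputs are excerpts of the shiro.ini files posted above; the corrected one is constructed, its `/callback` path is an assumption, and the Ant-style matcher is a simplified stand-in that relies on Shiro's first-match-wins ordering of `[urls]`.

```python
import re
from urllib.parse import urlsplit

CALLBACK_FILTER_CLASS = "io.buji.pac4j.filter.CallbackFilter"  # class name from the thread

def parse_shiro_ini(text):
    """Return ([main] as a dict, [urls] as an ordered list of (pattern, chain))."""
    main, urls, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        # '=' normally separates key and value; the second shiro.ini in the
        # thread writes "/** authc", so bare whitespace is accepted here too.
        m = re.match(r"(\S+?)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if section == "main":
            main[key] = value
        elif section == "urls":
            urls.append((key, value))
    return main, urls

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans segments, '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")      # trailing /** also matches the prefix itself
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def check_callback(ini_text):
    """Return (callback path, matching pattern, filter chain, ok)."""
    main, urls = parse_shiro_ini(ini_text)
    path = urlsplit(main["clients.callbackUrl"]).path or "/"
    callback_beans = {k for k, v in main.items() if v == CALLBACK_FILTER_CLASS}
    for pattern, chain in urls:          # first matching entry wins
        if ant_to_regex(pattern).match(path):
            filters = {f.strip() for f in chain.split(",") if f.strip()}
            # ok only if the callback is handled by the callback filter and nothing else
            return path, pattern, chain, bool(filters) and filters <= callback_beans
    return path, None, None, False

# Excerpt of the first shiro.ini posted in the thread.
THREAD_FIRST = """
[main]
clients.callbackUrl = https://myZeppelinContainer:8444
callbackFilter = io.buji.pac4j.filter.CallbackFilter
[urls]
/** = casSecurityFilter
"""
# Excerpt of the second shiro.ini posted in the thread.
THREAD_SECOND = """
[main]
clients.callbackUrl = https://myZeppelinContainer:8444
callbackFilter = io.buji.pac4j.filter.CallbackFilter
[urls]
/api/security/** = casSecurityFilter
/** authc
"""
# Constructed correction: dedicated (hypothetical) /callback path, listed first.
CORRECTED = """
[main]
clients.callbackUrl = https://myZeppelinContainer:8444/callback
callbackFilter = io.buji.pac4j.filter.CallbackFilter
[urls]
/callback = callbackFilter
/** = casSecurityFilter
"""

if __name__ == "__main__":
    for name, ini in [("first", THREAD_FIRST), ("second", THREAD_SECOND), ("corrected", CORRECTED)]:
        print(name, check_callback(ini))
```
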

daveolic...@gmail.com

May 9, 2018, 1:23:32 PM
to Pac4j users mailing list
Hi Jerome,

After entering the Zeppelin URL in the browser (https://myZeppelinContainer:8444), Zeppelin tries to get a CAS ticket by making a GET call to https://mZeppelinContainer:8444/api/security/ticket.
I'm expecting the browser to display the CAS login page.  Instead, it displays a blank page.  If I drop that GET string into the address bar of the browser, I do see the CAS login screen.  When I log in through CAS, it redirects me to the Zeppelin page as intended.

I changed my shiro.ini [users] from  /** authc to /** anon with the same results.

I guess my question is why won't the browser display the CAS login?

Thanks again for your time,

d

Jérôme LELEU

May 10, 2018, 12:24:18 PM
to daveolic...@gmail.com, Pac4j users mailing list
Hi,

This is very strange indeed, but a redirection may fail when a direct call succeeds. I suspect something around that: a security limitation of the browser refusing to perform a secured redirection...

Do you have this behavior with all browsers?

Thanks.
Best regards,
Jérôme



daveolic...@gmail.com

May 10, 2018, 8:51:01 PM
to Pac4j users mailing list
Hi Jerome,

Unfortunately, yes.  I'm seeing this in all of the browsers I've tried (Firefox, IE and Chrome).

I'll pursue the security issue.

Thanks again,

d