[ 
https://issues.apache.org/jira/browse/KNOX-730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873829#comment-15873829
 ] 

Larry McCay commented on KNOX-730:
----------------------------------

Based on the context of [~sametkaradag]'s issue and environment, I have added a 
feature through which the domainSuffix can be used to specify that the entire 
fully qualified hostname should be used as the cookie domain. By setting the 
domainSuffix params (KnoxSSO and pac4j both have separate params for this) to 
"*" you indicate this desire.

In addition, the pac4j filter was not looking in the filterConfig for the param 
- so I fixed that.

I have tested that this addresses the issue in this deployment which is due to 
the fact that a number of the amazonaws.com domains are considered TLDs and 
cookies are not settable on them. So, you have to set it to the FQHN instead. 
As long as all consumers of the sso cookie are being proxied through Knox as 
well this will work.

> pac4jRequestedUrl = null after saml2 assertion is parsed
> --------------------------------------------------------
>
>                 Key: KNOX-730
>                 URL: https://issues.apache.org/jira/browse/KNOX-730
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.9.0
>         Environment: rhel 
>            Reporter: jeff
>              Labels: idp, security
>             Fix For: 0.12.0
>
>         Attachments: hadoop_dev.cer, hadoop_post_request_good.saz
>
>
> We are working with a hadoop system and trying to get the knox saml2 support 
> working with our IDP. (note, this is not Okta but another IDP we use with 
> many of our commercial clients internal and external.)
> We have successfully configured knox 0.9.0 to handle the redirection to idp, 
> we clearly see the assertion being passed back and being parsed by the pac4j 
> component and the requestedurl being stored.
> HOWEVER, it seems that when knox goes to retrieve this info, it finds a null.
> (from last line of log snippet below)  2016-07-22 13:16:27,818 DEBUG 
> session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: 
> pac4jRequestedUrl = null
> and therefore the final redirect seems to default to '/' instead of the 
> actual requestedurl (in this case 
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS)
> 2016-07-22 13:13:03,911 INFO  hadoop.gateway 
> (GatewayServer.java:startGateway(294)) - Started gateway on port 8,445.
> 2016-07-22 13:15:58,995 DEBUG hadoop.gateway 
> (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:15:59,736 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:15:59,737 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl = 
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:15:59,833 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: 
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState = 
> 2016-07-22 13:16:16,179 DEBUG hadoop.gateway 
> (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl = 
> https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:16:16,182 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: 
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState = 
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState = 
> 2016-07-22 13:16:27,641 DEBUG hadoop.gateway 
> (GatewayFilter.java:doFilter(116)) - Received request: POST /api/v1/websso
> 2016-07-22 13:16:27,813 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:set(105)) - Save in session: 
> SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:27,814 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:set(105)) - Save in session: pac4jUserProfile = 
> <SAML2Profile> | id: n0251132 | attributes: {Products=[], 
> Groups=[cn=ram_am_im_infc_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_am_im_infc_AllUsers,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=lram_portal_claims,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=lram_portal_billing,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=kev_test_grp1,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=cp_planit,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cp_is_users,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=sec_it_only,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cm_SSL_Remote_Access,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=sec_twofactor_population,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_dashboard_standard,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_AM_IM_Hyp_Admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sasa_scheduling,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas_adm_99,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=am_wasadmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_WASAdmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_pwrcntr_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ets_libertyforge_git,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_ats_datatools_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_capsmlinsecureconnect,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_data_innov_developer,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_SS_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=pm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_HadoopPOC,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_Hadoop_RangerPOC,cn=Products,ou=Groups,o=Liberty,o=intranet],
>  FirstName=[XXXXXX], PhoneNumber=[], LastName=[XXXXXXXXX], CustomerId=[], 
> EmailAddress=[[email protected]]} | roles: [] | permissions: [] | 
> isRemembered: false |
> 2016-07-22 13:16:27,818 DEBUG session.KnoxSessionStore 
> (KnoxSessionStore.java:get(90)) - Get from session: pac4jRequestedUrl = null



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
