Hi,

Thanks for the Proxy direction, that is what I was looking for. I wasn't
sure if there was a config file that supported this, or if it needed to be
done with the Java args.

I thought I found an older JIRA related to this, but after looking at it
again it wasn't related. The issue that I am now facing looks like it has
to do with pac4j. Once authenticated to the OpenID provider, I am getting
an error on the redirect back to Knox. Looks like it has to do with the
Session and/or State param.

There are 2 errors that I am seeing:

*The First:*
2018-03-04 10:07:09,246 ERROR engine.DefaultCallbackLogic
(DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the
session. The session store may not support this feature

*The Second:*
2018-03-04 10:07:05,578 ERROR knox.gateway
(AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter:
org.pac4j.core.exception.TechnicalException: State parameter is different
from the one sent in authentication request. Session expired or possible
threat of cross-site request forgery
2018-03-04 10:07:05,578 ERROR knox.gateway
(GatewayFilter.java:doFilter(177)) - Gateway processing failed:
javax.servlet.ServletException:
org.pac4j.core.exception.TechnicalException: State parameter is different
from the one sent in authentication request. Session expired or possible
threat of cross-site request forgery
javax.servlet.ServletException:
org.pac4j.core.exception.TechnicalException: State parameter is different
from the one sent in authentication request. Session expired or possible
threat of cross-site request forgery
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.pac4j.core.exception.TechnicalException: State parameter is
different from the one sent in authentication request. Session expired or
possible threat of cross-site request forgery
at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
... 35 more




On Sat, Mar 3, 2018 at 11:32 PM, larry mccay <[email protected]> wrote:

> I would think you could put them into gateway.sh options in a similar
> manner to:
>
> JAVA_FLAGS=-Dhttp.proxyHost=10.0.0.100 -Dhttp.proxyPort=8800
> java ${JAVA_FLAGS} ...
>
> I don't recall seeing those errors before - you see a similar JIRA?
>
>
> On Sat, Mar 3, 2018 at 10:54 PM, Ryan H <[email protected]> wrote:
>
>> Yep, that was the issue; I was behind a proxy (bang my head). This got me
>> past the current issue and into a new set of issues. Firstly, is there a
>> way to set a proxy with Knox for scenarios such as this? Second, now I see
>> the following error (which it looks like there may have been a JIRA opened
>> for this a while back):
>>
>> 2018-03-03 22:45:46,171 ERROR knox.gateway 
>> (AbstractGatewayFilter.java:doFilter(69))
>> - Failed to execute filter: org.pac4j.core.exception.TechnicalException:
>> State parameter is different from the one sent in authentication request.
>> Session expired or possible threat of cross-site request forgery
>> 2018-03-03 22:45:46,171 ERROR knox.gateway (GatewayFilter.java:doFilter(177))
>> - Gateway processing failed: javax.servlet.ServletException:
>> org.pac4j.core.exception.TechnicalException: State parameter is
>> different from the one sent in authentication request. Session expired or
>> possible threat of cross-site request forgery
>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException:
>> State parameter is different from the one sent in authentication request.
>> Session expired or possible threat of cross-site request forgery
>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>> ...
>>
>> -Ryan
>>
>> On Sat, Mar 3, 2018 at 10:45 PM, larry mccay <[email protected]>
>> wrote:
>>
>>> Maybe you have a proxy configured in your browser to allow you to get
>>> there.
>>>
>>> On Sat, Mar 3, 2018 at 10:35 PM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>>
>>>> Hi Larry,
>>>>
>>>> I can reach the host via browser, but not via ping... Ping results in
>>>> "Unknown Host", I'm seeing a correlation here...
>>>>
>>>> -Ryan
>>>>
>>>> On Sat, Mar 3, 2018 at 10:32 PM, larry mccay <[email protected]> wrote:
>>>>
>>>>> Hi Ryan -
>>>>>
>>>>> Welcome to Knox-ville!
>>>>>
>>>>> Going to start with a very obvious question - can you ping that host
>>>>> from the machine where the gateway is running?
>>>>>
>>>>> thanks,
>>>>>
>>>>> --larry
>>>>>
>>>>> On Sat, Mar 3, 2018 at 10:07 PM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> Disclaimer: I am very new to Knox!
>>>>>>
>>>>>> I am working on setting up KnoxSSO with an OpenID provider (Cloud
>>>>>> Foundry UAA) for AuthN to an application (Apache NiFi). I am running into
>>>>>> an issue where it seems that the oidc.discoverUri is resulting in the
>>>>>> following error:
>>>>>>
>>>>>> 2018-03-03 21:59:37,104 ERROR knox.gateway
>>>>>> (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute
>>>>>> filter: org.pac4j.core.exception.TechnicalException:
>>>>>> java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>>> 2018-03-03 21:59:37,104 ERROR knox.gateway
>>>>>> (GatewayFilter.java:doFilter(177)) - Gateway processing failed:
>>>>>> javax.servlet.ServletException:
>>>>>> org.pac4j.core.exception.TechnicalException:
>>>>>> java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>>> javax.servlet.ServletException:
>>>>>> org.pac4j.core.exception.TechnicalException:
>>>>>> java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>> at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>>>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>>> at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>>>
>>>>>> *Here is my topology from knoxsso.xml config:*
>>>>>>
>>>>>> <topology>
>>>>>>   <gateway>
>>>>>>                 <provider>
>>>>>>                     <role>webappsec</role>
>>>>>>                     <name>WebAppSec</name>
>>>>>>                     <enabled>true</enabled>
>>>>>>                     <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>>>                 </provider>
>>>>>>                 <provider>
>>>>>>                     <role>federation</role>
>>>>>>                     <name>pac4j</name>
>>>>>>                     <enabled>true</enabled>
>>>>>>                     <param>
>>>>>>                       <name>pac4j.callbackUrl</name>
>>>>>>                       <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>>                     </param>
>>>>>>                     <param>
>>>>>>                       <name>clientName</name>
>>>>>>                       <value>OidcClient</value>
>>>>>>                     </param>
>>>>>>                     <param>
>>>>>>                       <name>oidc.id</name>
>>>>>>                       <value>some_client_id</value>
>>>>>>                     </param>
>>>>>>                     <param>
>>>>>>                       <name>oidc.secret</name>
>>>>>>                       <value>some_client_secret</value>
>>>>>>                     </param>
>>>>>>                     <param>
>>>>>>                       <name>oidc.discoveryUri</name>
>>>>>>                       <value>https://{guid-id}.sub-uaa.another.zone.aws-us01.something.io/.well-known/openid-configuration</value>
>>>>>>                     </param>
>>>>>>                     <param>
>>>>>>                       <name>oidc.preferredJwsAlgorithm</name>
>>>>>>                       <value>RS256</value>
>>>>>>                     </param>
>>>>>>                 </provider>
>>>>>>             </gateway>
>>>>>>             <application>
>>>>>>               <name>knoxauth</name>
>>>>>>             </application>
>>>>>>             <service>
>>>>>>                 <role>KNOXSSO</role>
>>>>>>                 <param>
>>>>>>                     <name>knoxsso.cookie.secure.only</name>
>>>>>>                     <value>false</value>
>>>>>>                 </param>
>>>>>>                 <param>
>>>>>>                     <name>knoxsso.token.ttl</name>
>>>>>>                     <value>3600000</value>
>>>>>>                 </param>
>>>>>>                 <param>
>>>>>>                    <name>knoxsso.redirect.whitelist.regex</name>
>>>>>>                    <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>>>                 </param>
>>>>>>             </service>
>>>>>> </topology>
>>>>>>
>>>>>>
>>>>>> *Here is my topology from sandbox.xml:*
>>>>>>
>>>>>> <topology>
>>>>>>
>>>>>>     <gateway>
>>>>>>
>>>>>> <provider>
>>>>>>     <role>federation</role>
>>>>>>     <name>SSOCookieProvider</name>
>>>>>>     <enabled>true</enabled>
>>>>>>     <param>
>>>>>>         <name>sso.authentication.provider.url</name>
>>>>>>         <value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>>     </param>
>>>>>> </provider>
>>>>>>
>>>>>> <provider>
>>>>>>     <role>identity-assertion</role>
>>>>>>     <name>Default</name>
>>>>>>     <enabled>true</enabled>
>>>>>> </provider>
>>>>>>
>>>>>>     </gateway>
>>>>>>
>>>>>>     <service>
>>>>>>         <role>NIFI</role>
>>>>>>         <url>http://localhost:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>> </topology>
>>>>>>
>>>>>> I was able to use the gateway to get to the NiFi app with basic auth
>>>>>> as a connectivity test, and now I want to drop in the OpenID provider for
>>>>>> the auth I am really after. Any help is greatly appreciated!
>>>>>>
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Ryan H.
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
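The "State parameter is different from the one sent in authentication request" error in this thread comes from the relying party's CSRF defence in the OIDC authorization-code flow: when it redirects the browser to the provider it stores a random `state` in the user's server-side session, and on the callback it requires the provider to echo exactly that value. If the callback request does not carry the session cookie that the outbound request created (session expired, or the cookie was issued for one host and the callback lands on another; the topology above mixes `localhost` and `127.0.0.1`), the stored state is unreachable and the check fails with the same message as a genuine forgery. The Python model below is an added example, not Knox or pac4j code; its session store, provider stub, endpoint URLs and client id are constructed stand-ins. It runs the happy path and then three failing cases: callback without the session cookie, a forged callback with a state the session never issued, and a replay of an already-consumed callback.

```python
"""Model of the OIDC `state` round trip a relying party (RP) enforces.
Constructed example; the store, provider stub and URLs are stand-ins."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class StateMismatch(Exception):
    """Callback state does not match the one bound to the session (or no session)."""


class SessionStore:
    """Cookie-keyed server-side sessions (stand-in for the servlet session)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(16)   # the value Set-Cookie would carry
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


class RelyingParty:
    """RP side of the code flow: issue state on login, verify it on callback."""

    def __init__(self, store, callback_url, authorize_endpoint, client_id):
        self.store = store
        self.callback_url = callback_url
        self.authorize_endpoint = authorize_endpoint
        self.client_id = client_id

    def begin_login(self, sid):
        """Bind a fresh random state to the caller's session; return authorize URL."""
        session = self.store.get(sid)
        if session is None:
            raise KeyError("unknown session")
        state = secrets.token_urlsafe(32)
        session["oidc_state"] = state
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.callback_url, "scope": "openid",
                  "state": state}
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, sid, callback_url):
        """Verify echoed state against the session; return the authorization code."""
        query = parse_qs(urlparse(callback_url).query)
        returned = query.get("state", [""])[0]
        session = self.store.get(sid) if sid is not None else None
        # pop(): state is single-use, so a replayed callback is rejected as well
        expected = session.pop("oidc_state", None) if session is not None else None
        if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
            raise StateMismatch("State parameter is different from the one sent in "
                                "authentication request. Session expired or possible "
                                "threat of cross-site request forgery")
        return query["code"][0]


def idp_redirect(authorize_url, code):
    """Provider stand-in: echo the state it was given and attach a code."""
    req = parse_qs(urlparse(authorize_url).query)
    return f"{req['redirect_uri'][0]}?{urlencode({'code': code, 'state': req['state'][0]})}"


def _outcome(rp, sid, cb):
    try:
        return rp.handle_callback(sid, cb)
    except StateMismatch:
        return "rejected"


def run_scenarios():
    """Exercise the check; returns the outcome of each scenario by name."""
    store = SessionStore()
    rp = RelyingParty(store, "https://localhost:8443/gateway/knoxsso/api/v1/websso",
                      "https://idp.example/oauth/authorize", "some_client_id")  # stand-ins
    results = {}

    # 1. Normal round trip: same session cookie on the outbound and callback requests.
    sid = store.create()
    results["ok"] = rp.handle_callback(sid, idp_redirect(rp.begin_login(sid), "code-1"))

    # 2. Callback arrives without the session cookie (expired, or cookie scoped to
    #    a different host than the callback host): the stored state cannot be read.
    sid = store.create()
    results["no_cookie"] = _outcome(rp, None, idp_redirect(rp.begin_login(sid), "code-2"))

    # 3. Cross-site request forgery: a callback whose state this session never issued.
    sid = store.create()
    rp.begin_login(sid)
    forged = f"{rp.callback_url}?{urlencode({'code': 'attacker-code', 'state': 'x' * 43})}"
    results["forged"] = _outcome(rp, sid, forged)

    # 4. Replay of a callback that already succeeded: the state was consumed.
    sid = store.create()
    cb = idp_redirect(rp.begin_login(sid), "code-4")
    rp.handle_callback(sid, cb)
    results["replay"] = _outcome(rp, sid, cb)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

When chasing a real mismatch, the first thing to establish is whether the browser sent the same session cookie to the callback URL as to the request that started the login; a cookie issued for one host is not sent to another, so the callback host should match the host the user was on when the login began. On the earlier discovery-fetch problem: the JVM's default HTTP stack reads `https.proxyHost`/`https.proxyPort` for HTTPS URLs and `http.proxyHost`/`http.proxyPort` only for plain HTTP, and the `oidc.discoveryUri` in the topology above is HTTPS.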
