Ok, sorry, I thought the change that picks up the property "*J2ESessionStore*" was in master, but it is not; I confused it with some other bug. Anyway, if you want you can try to apply the attached patch (to master), which enables Knox to pick up the "*J2ESessionStore*" property, and see what you get!

Again, sorry about that.

Best,
Sandeep

On Sun, Mar 4, 2018 at 8:45 PM, Ryan H <[email protected]> wrote:

> Just tried with the 1.1.0-SNAPSHOT build with the same result, but with a new
> warning now (might not be relevant, but including anyway). Same error as
> before if using an incognito browser.
>
> Here is the error that I now get:
>
> 2018-03-04 20:37:50,653 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
> 2018-03-04 20:39:10,899 WARN federation.jwt (AbstractJWTFilter.java:validateToken(305)) - Failed to verify the token signature.
>
> *Updated knoxsso.xml file:*
> <topology>
>   <gateway>
>     <provider>
>       <role>webappsec</role>
>       <name>WebAppSec</name>
>       <enabled>true</enabled>
>       <param><name>xframe.options.enabled</name><value>true</value></param>
>     </provider>
>     <provider>
>       <role>federation</role>
>       <name>pac4j</name>
>       <enabled>true</enabled>
>       *<param>*
>       *  <name>pac4j.session.store</name>*
>       *  <value>J2ESessionStore</value>*
>       *</param>*
>       <param>
>         <name>pac4j.callbackUrl</name>
>         <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>       </param>
>       <param>
>         <name>clientName</name>
>         <value>OidcClient</value>
>       </param>
>       <param>
>         <name>oidc.id</name>
>         <value>my_client_id</value>
>       </param>
>       <param>
>         <name>oidc.secret</name>
>         <value>my_client_secret</value>
>       </param>
>       <param>
>         <name>oidc.discoveryUri</name>
>         <value>https://my-openid-provider:443/.well-known/openid-configuration</value>
>       </param>
>       <param>
>         <name>oidc.preferredJwsAlgorithm</name>
>         <value>RS256</value>
>       </param>
>     </provider>
>   </gateway>
>
>   <application>
>     <name>knoxauth</name>
>   </application>
>
>   <service>
>     <role>KNOXSSO</role>
>     <param>
>       <name>knoxsso.cookie.secure.only</name>
>       <value>false</value>
>     </param>
>     <param>
>       <name>knoxsso.cookie.max.age</name>
>       <value>session</value>
>     </param>
>     <param>
>       <name>knoxsso.token.ttl</name>
>       <value>30000</value>
>     </param>
>     <param>
>       <name>knoxsso.redirect.whitelist.regex</name>
>       <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>     </param>
>   </service>
>
> </topology>
>
>
> On Sun, Mar 4, 2018 at 8:26 PM, Sandeep Moré <[email protected]> wrote:
>
>> Thanks for the update, I have a hunch that the "state" param is not
>> getting passed to Pac4J via the SessionStore (Error 1).
>> Keep us posted.
>>
>> Thanks!
>>
>> On Sun, Mar 4, 2018 at 7:40 PM, Ryan H <[email protected]> wrote:
>>
>>> Hey Guys,
>>>
>>> I will pull 1.1.0 this evening and give it a go.
>>>
>>> A little more information on the flow for the error(s):
>>>
>>> When I log in with a regular browser (not incognito), I get the following
>>> error:
>>> ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>>
>>> When I try to log in using an incognito browser, I get the following
>>> error:
>>> ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>> 2018-03-04 19:30:42,151 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>         at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>         ...
>>>
>>> As for the state param:
>>> When I log in using a regular browser (not incognito): the state param
>>> is the same.
>>>
>>> When I use the incognito browser: the state param is different from the
>>> OpenID provider and Knox (why, I am not sure).
>>>
>>> I am using Cloud Foundry UAA for the OpenID provider, which works well
>>> when configured directly with Apache NiFi. I would like to use Apache Knox
>>> as our gateway though, for many reasons. I will follow up once I try
>>> with the 1.1.0 build of Knox.
>>>
>>> Cheers,
>>>
>>> Ryan
>>>
>>> On Sun, Mar 4, 2018 at 6:21 PM, Sandeep Moré <[email protected]> wrote:
>>>
>>>> Hello Ryan,
>>>>
>>>> Can you check the value of the State parameter? You should see it in
>>>> the request and response.
>>>>
>>>> The state attribute is stored in the session, so if it is not getting
>>>> properly passed we might have an issue there (KNOX-1190 is tracking this);
>>>> the current implementation of SessionStore for Pac4J is a bit limited.
>>>>
>>>> Can you try adding the following to your knoxsso.xml topology with the
>>>> current Knox build (1.1.0, you will have to build it from source as this
>>>> will not work with the current 1.0.0 release):
>>>>
>>>> <param>
>>>>   <name>pac4j.session.store</name>
>>>>   <value>J2ESessionStore</value>
>>>> </param>
>>>>
>>>> I am hoping this should save the "state" variable in the in-memory
>>>> session store.
>>>>
>>>> Let us know what you find!
>>>>
>>>> Also, what OIDC are you trying to integrate to, just curious to know
>>>> what all works with Knox.
>>>>
>>>>
>>>> On Sun, Mar 4, 2018 at 11:47 AM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>>>
>>>>> Hi Knox Users,
>>>>>
>>>>> I am rethreading this error I am getting as I mentioned it in a
>>>>> different thread that was about a different error (sorry to those active on
>>>>> the other email thread).
>>>>>
>>>>> I am running into an issue with KnoxSSO with the pac4j OIDC federation
>>>>> provider. When accessing the gateway, I am correctly redirected to my
>>>>> configured OpenID provider and, upon successful authentication, redirected
>>>>> back to Knox, but resulting in an error. I am posting the relevant config files
>>>>> as well as the errors below. I have switched over to testBasicAuth just to
>>>>> confirm that I can connect to the NiFi app, which I can. I am not really
>>>>> sure where to go from here. I have sifted the internet and Knox
>>>>> documentation on this and haven't been able to find anything. I did find
>>>>> some info on this error with Play and pac4j with the way the session was
>>>>> being handled and assumed that Knox would handle this (if not, it is not
>>>>> documented that I can find). Any help is appreciated!
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Ryan
>>>>>
>>>>>
>>>>> *Error 1:*
>>>>> 2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>>>>
>>>>> *Error 2:*
>>>>> 2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>> 2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>         at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>>         at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>         at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>         at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>>>>>         at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>         at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>         at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>>         at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>>         at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>>>>>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>>>>>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>>>>>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>>>>>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>>>>>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>>>>>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>>>>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>>>>>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>>>>         at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>>>>>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>         at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>>>>>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>         at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>>>>>         at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>>>>>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>         at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>>>>>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>>>>>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>         at org.eclipse.jetty.server.Server.handle(Server.java:499)
>>>>>         at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>>>>>         at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>>>>>         at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>>>>>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>>>>>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>         at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
>>>>>         at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
>>>>>         at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
>>>>>         at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
>>>>>         at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
>>>>>         at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
>>>>>         at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
>>>>>         at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
>>>>>         at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>         at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>         at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>>>>>         at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>>>>         ... 35 more
>>>>>
>>>>>
>>>>> *knoxsso.xml:*
>>>>> <gateway>
>>>>>   <provider>
>>>>>     <role>webappsec</role>
>>>>>     <name>WebAppSec</name>
>>>>>     <enabled>true</enabled>
>>>>>     <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>>   </provider>
>>>>>   <provider>
>>>>>     <role>federation</role>
>>>>>     <name>pac4j</name>
>>>>>     <enabled>true</enabled>
>>>>>     <param>
>>>>>       <name>pac4j.callbackUrl</name>
>>>>>       <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>     </param>
>>>>>     <param>
>>>>>       <name>clientName</name>
>>>>>       <value>OidcClient</value>
>>>>>     </param>
>>>>>     <param>
>>>>>       <name>oidc.id</name>
>>>>>       <value>my_client_id</value>
>>>>>     </param>
>>>>>     <param>
>>>>>       <name>oidc.secret</name>
>>>>>       <value>my_client_secret</value>
>>>>>     </param>
>>>>>     <param>
>>>>>       <name>oidc.discoveryUri</name>
>>>>>       <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
>>>>>     </param>
>>>>>     <param>
>>>>>       <name>oidc.preferredJwsAlgorithm</name>
>>>>>       <value>RS256</value>
>>>>>     </param>
>>>>>   </provider>
>>>>> </gateway>
>>>>>
>>>>> <application>
>>>>>   <name>knoxauth</name>
>>>>> </application>
>>>>>
>>>>> <service>
>>>>>   <role>KNOXSSO</role>
>>>>>   <param>
>>>>>     <name>knoxsso.cookie.secure.only</name>
>>>>>     <value>false</value>
>>>>>   </param>
>>>>>   <param>
>>>>>     <name>knoxsso.cookie.max.age</name>
>>>>>     <value>session</value>
>>>>>   </param>
>>>>>   <param>
>>>>>     <name>knoxsso.token.ttl</name>
>>>>>     <value>30000</value>
>>>>>   </param>
>>>>>   <param>
>>>>>     <name>knoxsso.redirect.whitelist.regex</name>
>>>>>     <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>>   </param>
>>>>> </service>
>>>>>
>>>>>
>>>>>
>>>>> *sandbox.xml:*
>>>>> <gateway>
>>>>>   <provider>
>>>>>     <role>federation</role>
>>>>>     <name>SSOCookieProvider</name>
>>>>>     <enabled>true</enabled>
>>>>>     <param>
>>>>>       <name>sso.authentication.provider.url</name>
>>>>>       <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>     </param>
>>>>>   </provider>
>>>>>
>>>>>   <provider>
>>>>>     <role>identity-assertion</role>
>>>>>     <name>Default</name>
>>>>>     <enabled>true</enabled>
>>>>>   </provider>
>>>>> </gateway>
>>>>>
>>>>> <service>
>>>>>   <role>NIFI</role>
>>>>>   <url>http://localhost:8080</url>
>>>>> </service>
>>>>> <application>
>>>>>   <role>admin-ui</role>
>>>>> </application>
>>>>> <service>
>>>>>   <role>KNOX</role>
>>>>> </service>
>>>>>
>>>>>
sessionStore.patch
Description: Binary data
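The thread turns on where pac4j keeps the OIDC `state` between the redirect to the provider and the callback: the value is generated before login, stored in the session, and compared against the `state` the provider echoes back, so a session store that cannot hold it (or a session cookie that does not come back) produces exactly the "State parameter is different ..." error, while a forged callback is rejected by the same check. The simulation below is an added example, not Knox's or pac4j's code; `ServerSessionStore` and `LossyStore` are assumed stand-ins (one keeps attributes per session id on the server, the other drops every pre-login write), and the provider, session ids and authorization code are constructed.

```python
"""Model of the OIDC `state` check behind the error in this thread.
Added example; not Knox's or pac4j's code. The store classes, the
provider endpoint and the session ids are assumptions."""

import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Same text pac4j logs in the thread's stack trace.
STATE_ERROR = ("State parameter is different from the one sent in authentication "
               "request. Session expired or possible threat of cross-site request forgery")


class StateMismatch(Exception):
    pass


class ServerSessionStore:
    """Assumed stand-in: attributes keyed by session id, kept on the server."""

    def __init__(self):
        self._data = {}

    def set(self, session_id, key, value):
        self._data.setdefault(session_id, {})[key] = value

    def get(self, session_id, key):
        return self._data.get(session_id, {}).get(key)


class LossyStore(ServerSessionStore):
    """Assumed stand-in for a store that cannot persist attributes before login."""

    def set(self, session_id, key, value):
        return None  # the write is silently discarded, so `state` never survives


class RelyingParty:
    """Gateway side: issue the authorization request, then check the callback."""

    def __init__(self, store, callback_url):
        self.store = store
        self.callback_url = callback_url

    def authorization_request(self, session_id, authorize_endpoint, client_id):
        # Fresh unguessable state, bound to this browser session before redirecting.
        state = secrets.token_urlsafe(24)
        self.store.set(session_id, "oidc.state", state)
        query = urlencode({"response_type": "code", "client_id": client_id,
                           "redirect_uri": self.callback_url, "scope": "openid",
                           "state": state})
        return f"{authorize_endpoint}?{query}"

    def callback(self, session_id, url):
        params = parse_qs(urlparse(url).query)
        returned = params.get("state", [""])[0]
        expected = self.store.get(session_id, "oidc.state")
        # Fail when nothing was stored (lost session or store) or when it differs (CSRF).
        if expected is None or not secrets.compare_digest(expected.encode(), returned.encode()):
            raise StateMismatch(STATE_ERROR)
        return params["code"][0]


def provider_redirect(authorization_url, callback_url):
    """Constructed provider behaviour: echo `state` back together with a code."""
    state = parse_qs(urlparse(authorization_url).query)["state"][0]
    return f"{callback_url}?{urlencode({'code': 'constructed-code', 'state': state})}"


def run_flow(store, session_cookie_returned=True, forged_state=None):
    """Drive one login through the gateway; return 'ok' or the error text."""
    rp = RelyingParty(store, "https://localhost:8443/gateway/knoxsso/api/v1/websso")
    session_id = "sess-1"  # constructed
    auth_url = rp.authorization_request(session_id, "https://op.example/oauth/authorize",
                                        "my_client_id")
    cb_url = provider_redirect(auth_url, rp.callback_url)
    if forged_state is not None:
        # Attacker-crafted callback carrying a state from a login they started themselves.
        cb_url = f"{rp.callback_url}?{urlencode({'code': 'attacker-code', 'state': forged_state})}"
    # If the session cookie is not sent on the callback, the gateway sees a new session.
    cb_session = session_id if session_cookie_returned else "sess-2"
    try:
        rp.callback(cb_session, cb_url)
        return "ok"
    except StateMismatch as e:
        return str(e)


if __name__ == "__main__":
    print(run_flow(ServerSessionStore()))                                 # ok
    print(run_flow(LossyStore()))                                         # state error
    print(run_flow(ServerSessionStore(), session_cookie_returned=False))  # state error
    print(run_flow(ServerSessionStore(), forged_state="attacker-state"))  # state error
```

The three failing cases produce the same message on purpose: the relying party cannot distinguish "my store forgot the state" from "the session cookie did not come back" from "someone is replaying a callback", which is why the pac4j error names both session expiry and CSRF.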

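A second added example, not from the thread or from Knox, on the `knoxsso.redirect.whitelist.regex` value posted in both knoxsso.xml files: `^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$` only requires a single digit after the host and then accepts anything, so a URL whose "localhost:8" is really the userinfo part of a different host still matches. `is_allowed_redirect` is an assumed replacement that compares the parsed hostname instead of matching the raw string; the sample URLs are constructed.

```python
"""Check of the redirect whitelist pattern posted in the thread.
Added example; not Knox's code. `is_allowed_redirect` is an assumed
alternative check, not a Knox option."""

import re
from urllib.parse import urlparse

# Exactly the value from the posted knoxsso.xml.
POSTED_REGEX = r"^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"


def matches_posted(url):
    """What the posted pattern accepts when applied to the raw redirect URL."""
    return re.match(POSTED_REGEX, url) is not None


def is_allowed_redirect(url, allowed_hosts=("localhost", "127.0.0.1", "::1")):
    """Assumed stricter check: decide on the parsed hostname, not on a prefix."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


if __name__ == "__main__":
    for u in ("https://localhost:8443/gateway/sandbox/nifi",
              "https://attacker.example/",
              "https://localhost:8@attacker.example/"):   # constructed: userinfo trick
        print(u, matches_posted(u), is_allowed_redirect(u))
```

The third URL is the one to look at: the regex says yes, because `localhost:8` matches before `.*` swallows `@attacker.example/`, while a browser sends the user to `attacker.example`. Anchoring the port (`:[0-9]{1,5}(/|$)`) in the regex, or checking the parsed host as above, closes that gap.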