Patch worked! That did solve the session issue. Thanks for the patch. -Ryan
On Mon, Mar 5, 2018 at 10:01 AM Ryan H <[email protected]> wrote:

> No worries! Just applied patch and rebuilding. I will follow up with the verdict.
>
> -Ryan
>
> On Mon, Mar 5, 2018 at 9:45 AM, Sandeep Moré <[email protected]> wrote:
>
>> Ok, sorry, I thought the change that picks up the property "*J2ESessionStore*" was in master but it is not, I confused it with some other bug.
>> Anyways, if you want you can try to apply the attached patch (to master) which enables Knox to pick up the "*J2ESessionStore*" property and see what you get!
>>
>> Again sorry about that.
>>
>> Best,
>> Sandeep
>>
>> On Sun, Mar 4, 2018 at 8:45 PM, Ryan H <[email protected]> wrote:
>>
>>> Just tried with the 1.1.0-SNAPSHOT build with the same result; but with a new warning now (might not be relevant, but including anyways). Same error as before if going incognito browser.
>>>
>>> Here is the error that I now get:
>>>
>>> 2018-03-04 20:37:50,653 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>> 2018-03-04 20:39:10,899 WARN federation.jwt (AbstractJWTFilter.java:validateToken(305)) - Failed to verify the token signature.
>>>
>>> *Updated knoxsso.xml file:*
>>> <topology>
>>>   <gateway>
>>>     <provider>
>>>       <role>webappsec</role>
>>>       <name>WebAppSec</name>
>>>       <enabled>true</enabled>
>>>       <param><name>xframe.options.enabled</name><value>true</value></param>
>>>     </provider>
>>>     <provider>
>>>       <role>federation</role>
>>>       <name>pac4j</name>
>>>       <enabled>true</enabled>
>>>       *<param>*
>>>       *  <name>pac4j.session.store</name>*
>>>       *  <value>J2ESessionStore</value>*
>>>       *</param>*
>>>       <param>
>>>         <name>pac4j.callbackUrl</name>
>>>         <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>       </param>
>>>       <param>
>>>         <name>clientName</name>
>>>         <value>OidcClient</value>
>>>       </param>
>>>       <param>
>>>         <name>oidc.id</name>
>>>         <value>my_client_id</value>
>>>       </param>
>>>       <param>
>>>         <name>oidc.secret</name>
>>>         <value>my_client_secret</value>
>>>       </param>
>>>       <param>
>>>         <name>oidc.discoveryUri</name>
>>>         <value>https://my-openid-provider:443/.well-known/openid-configuration</value>
>>>       </param>
>>>       <param>
>>>         <name>oidc.preferredJwsAlgorithm</name>
>>>         <value>RS256</value>
>>>       </param>
>>>     </provider>
>>>   </gateway>
>>>
>>>   <application>
>>>     <name>knoxauth</name>
>>>   </application>
>>>
>>>   <service>
>>>     <role>KNOXSSO</role>
>>>     <param>
>>>       <name>knoxsso.cookie.secure.only</name>
>>>       <value>false</value>
>>>     </param>
>>>     <param>
>>>       <name>knoxsso.cookie.max.age</name>
>>>       <value>session</value>
>>>     </param>
>>>     <param>
>>>       <name>knoxsso.token.ttl</name>
>>>       <value>30000</value>
>>>     </param>
>>>     <param>
>>>       <name>knoxsso.redirect.whitelist.regex</name>
>>>       <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>     </param>
>>>   </service>
>>> </topology>
>>>
>>> On Sun, Mar 4, 2018 at 8:26 PM, Sandeep Moré <[email protected]> wrote:
>>>
>>>> Thanks for the update, I have a hunch that the "state" param is not getting passed to Pac4J via the SessionStore (Error 1).
>>>> Keep us posted.
>>>>
>>>> Thanks!
>>>>
>>>> On Sun, Mar 4, 2018 at 7:40 PM, Ryan H <[email protected]> wrote:
>>>>
>>>>> Hey Guys,
>>>>>
>>>>> I will pull 1.1.0 this evening and give it a go.
>>>>>
>>>>> A little more information on the flow for the error(s):
>>>>>
>>>>> When I log in with a regular browser (not incognito), I get the following error:
>>>>> ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>>>>
>>>>> When I try to log in using an incognito browser, I get the following error:
>>>>> ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>> 2018-03-04 19:30:42,151 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>   at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>>   ...
>>>>>
>>>>> As for the state param:
>>>>> When I log in using a regular browser (not incognito): the state param is the same.
>>>>>
>>>>> When I use the incognito browser: the state param is different from the OpenID provider and Knox (why, I am not sure).
>>>>>
>>>>> I am using Cloud Foundry UAA for the OpenID provider, which works well when configured directly with Apache NiFi. I would like to use Apache Knox though as our gateway for many reasons. I will follow up once I try with the 1.1.0 build of Knox.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Ryan
>>>>>
>>>>> On Sun, Mar 4, 2018 at 6:21 PM, Sandeep Moré <[email protected]> wrote:
>>>>>
>>>>>> Hello Ryan,
>>>>>>
>>>>>> Can you check the value of the State parameter? You should see it in the request and response.
>>>>>>
>>>>>> The state attribute is stored in the session, so if it is not getting properly passed we might have an issue there (KNOX-1190 is tracking this); the current implementation of SessionStore for Pac4J is a bit limited.
>>>>>>
>>>>>> Can you try adding the following to your knoxsso.xml topology with the current Knox build (1.1.0, you will have to build it from source as this will not work with the current 1.0.0 release)
>>>>>>
>>>>>> <param>
>>>>>>   <name>pac4j.session.store</name>
>>>>>>   <value>J2ESessionStore</value>
>>>>>> </param>
>>>>>>
>>>>>> I am hoping this should save the "state" variable in the in-memory session store.
>>>>>>
>>>>>> Let us know what you find!
>>>>>>
>>>>>> Also, what OIDC provider are you trying to integrate with, just curious to know what all works with Knox.
>>>>>>
>>>>>> On Sun, Mar 4, 2018 at 11:47 AM, Ryan H <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Knox Users,
>>>>>>>
>>>>>>> I am rethreading this error I am getting as I mentioned it in a different thread that was about a different error (sorry to those active on the other email thread).
>>>>>>>
>>>>>>> I am running into an issue with KnoxSSO with the pac4j OIDC federation provider. When accessing the gateway, I am correctly redirected to my configured OpenID provider and upon successful authentication, redirected back to Knox but resulting in error. I am posting the relevant config files as well as the errors below. I have switched over to testBasicAuth just to confirm that I can connect to the NiFi app, which I can. I am not really sure where to go from here. I have sifted the internet and Knox documentation on this and haven't been able to find anything. I did find some info on this error with Play and pac4j with the way the session was being handled and assumed that Knox would handle this (if not, it is not documented that I can find). Any help is appreciated!
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Ryan
>>>>>>>
>>>>>>> *Error 1:*
>>>>>>> 2018-03-04 11:22:53,701 ERROR engine.DefaultCallbackLogic (DefaultCallbackLogic.java:renewSession(123)) - Unable to renew the session. The session store may not support this feature
>>>>>>>
>>>>>>> *Error 2:*
>>>>>>> 2018-03-04 10:07:05,578 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>>> 2018-03-04 10:07:05,578 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>>>   at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>   at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>>>>   at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>>>>   at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>>>>   at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
>>>>>>>   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>>>>>>>   at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>>>>>>>   at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>>>>>>>   at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>>>>>>>   at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>>>>>>>   at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>>>>>>>   at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>>>>>>>   at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>>>>>>>   at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>>>>>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>   at org.apache.knox.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
>>>>>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>   at org.apache.knox.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
>>>>>>>   at org.eclipse.jetty.servlets.gzip.GzipHandler.handle(GzipHandler.java:479)
>>>>>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>   at org.apache.knox.gateway.filter.PortMappingHelperHandler.handle(PortMappingHelperHandler.java:152)
>>>>>>>   at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>>>>>>>   at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>>>>>>>   at org.eclipse.jetty.server.Server.handle(Server.java:499)
>>>>>>>   at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
>>>>>>>   at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>>>>>>>   at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
>>>>>>>   at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>>>>>>>   at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>>>>>>>   at java.lang.Thread.run(Thread.java:745)
>>>>>>> Caused by: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
>>>>>>>   at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:80)
>>>>>>>   at org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:31)
>>>>>>>   at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:61)
>>>>>>>   at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:125)
>>>>>>>   at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:79)
>>>>>>>   at org.pac4j.j2e.filter.CallbackFilter.internalFilter(CallbackFilter.java:77)
>>>>>>>   at org.pac4j.j2e.filter.AbstractConfigFilter.doFilter(AbstractConfigFilter.java:81)
>>>>>>>   at org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:205)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>>>>   at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>>>>   at org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
>>>>>>>   at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:61)
>>>>>>>   ... 35 more
>>>>>>>
>>>>>>> *knoxsso.xml:*
>>>>>>> <gateway>
>>>>>>>   <provider>
>>>>>>>     <role>webappsec</role>
>>>>>>>     <name>WebAppSec</name>
>>>>>>>     <enabled>true</enabled>
>>>>>>>     <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>>>>   </provider>
>>>>>>>   <provider>
>>>>>>>     <role>federation</role>
>>>>>>>     <name>pac4j</name>
>>>>>>>     <enabled>true</enabled>
>>>>>>>     <param>
>>>>>>>       <name>pac4j.callbackUrl</name>
>>>>>>>       <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>>>     </param>
>>>>>>>     <param>
>>>>>>>       <name>clientName</name>
>>>>>>>       <value>OidcClient</value>
>>>>>>>     </param>
>>>>>>>     <param>
>>>>>>>       <name>oidc.id</name>
>>>>>>>       <value>my_client_id</value>
>>>>>>>     </param>
>>>>>>>     <param>
>>>>>>>       <name>oidc.secret</name>
>>>>>>>       <value>my_client_secret</value>
>>>>>>>     </param>
>>>>>>>     <param>
>>>>>>>       <name>oidc.discoveryUri</name>
>>>>>>>       <value>https://<my-openid-provider-url>/.well-known/openid-configuration</value>
>>>>>>>     </param>
>>>>>>>     <param>
>>>>>>>       <name>oidc.preferredJwsAlgorithm</name>
>>>>>>>       <value>RS256</value>
>>>>>>>     </param>
>>>>>>>   </provider>
>>>>>>> </gateway>
>>>>>>>
>>>>>>> <application>
>>>>>>>   <name>knoxauth</name>
>>>>>>> </application>
>>>>>>>
>>>>>>> <service>
>>>>>>>   <role>KNOXSSO</role>
>>>>>>>   <param>
>>>>>>>     <name>knoxsso.cookie.secure.only</name>
>>>>>>>     <value>false</value>
>>>>>>>   </param>
>>>>>>>   <param>
>>>>>>>     <name>knoxsso.cookie.max.age</name>
>>>>>>>     <value>session</value>
>>>>>>>   </param>
>>>>>>>   <param>
>>>>>>>     <name>knoxsso.token.ttl</name>
>>>>>>>     <value>30000</value>
>>>>>>>   </param>
>>>>>>>   <param>
>>>>>>>     <name>knoxsso.redirect.whitelist.regex</name>
>>>>>>>     <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>>>>   </param>
>>>>>>> </service>
>>>>>>>
>>>>>>> *sandbox.xml:*
>>>>>>> <gateway>
>>>>>>>   <provider>
>>>>>>>     <role>federation</role>
>>>>>>>     <name>SSOCookieProvider</name>
>>>>>>>     <enabled>true</enabled>
>>>>>>>     <param>
>>>>>>>       <name>sso.authentication.provider.url</name>
>>>>>>>       <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>>>     </param>
>>>>>>>   </provider>
>>>>>>>
>>>>>>>   <provider>
>>>>>>>     <role>identity-assertion</role>
>>>>>>>     <name>Default</name>
>>>>>>>     <enabled>true</enabled>
>>>>>>>   </provider>
>>>>>>> </gateway>
>>>>>>>
>>>>>>> <service>
>>>>>>>   <role>NIFI</role>
>>>>>>>   <url>http://localhost:8080</url>
>>>>>>> </service>
>>>>>>> <application>
>>>>>>>   <role>admin-ui</role>
>>>>>>> </application>
>>>>>>> <service>
>>>>>>>   <role>KNOX</role>
>>>>>>> </service>
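The mechanism behind the thread's "State parameter is different from the one sent in authentication request" error, reduced to a runnable simulation. This is an added example and is not Knox or pac4j code: the relying party generates an unguessable `state`, binds it to the browser's session before redirecting to the provider, and on the callback accepts the authorization code only if the returned `state` equals the one stored for that same session, consuming it so it cannot be accepted twice. Two session stores are modelled: one that persists the attribute between the two requests, and one that loses it, which yields the same rejection whether the session was never persisted (the store limitation Sandeep points at) or the callback is not bound to the current session. The class and function names (`SessionStore`, `DiscardingSessionStore`, `RelyingParty`, `simulate_login`, `replay_is_rejected`), the `https://op.example/authorize` endpoint and the constructed provider stand-in that simply echoes the state back are all assumptions of this example; the callback URL is the one from the topology above.

```python
"""OIDC state round-trip simulation.  Added example, not Knox or pac4j code:
all names, endpoints and values below are constructed for illustration."""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

STATE_KEY = "oidc.state"
STATE_ERROR = ("State parameter is different from the one sent in authentication "
               "request. Session expired or possible threat of cross-site request forgery")


class StateMismatch(Exception):
    """Callback carried no state, a different state, or the session lost it."""


class SessionStore:
    """In-memory store keyed by the browser's session id (its session cookie).
    What begin_login() writes must be readable again on the callback request;
    that persistence is exactly what the relying party needs from its store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def set(self, session_id: str, key: str, value: str) -> None:
        self._sessions.setdefault(session_id, {})[key] = value

    def pop(self, session_id: str, key: str) -> Optional[str]:
        # Single use: a consumed state is never accepted a second time.
        return self._sessions.get(session_id, {}).pop(key, None)


class DiscardingSessionStore(SessionStore):
    """Stand-in for a store that does not persist across requests: whatever
    begin_login() wrote is gone by the time the callback arrives."""

    def pop(self, session_id: str, key: str) -> Optional[str]:
        return None


class RelyingParty:
    """Minimal relying party; only the state handling of the flow is modelled."""

    def __init__(self, store: SessionStore, authorize_endpoint: str,
                 client_id: str, callback_url: str) -> None:
        self.store = store
        self.authorize_endpoint = authorize_endpoint
        self.client_id = client_id
        self.callback_url = callback_url

    def begin_login(self, session_id: str) -> str:
        """Mint an unguessable state, bind it to this session, and build the
        provider redirect that carries it."""
        state = secrets.token_urlsafe(32)
        self.store.set(session_id, STATE_KEY, state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.callback_url, "scope": "openid",
                  "state": state}
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, session_id: str, callback_url: str) -> str:
        """Accept the code only if the returned state equals the one stored
        for this very session; otherwise refuse with the pac4j-style error."""
        query = parse_qs(urlsplit(callback_url).query)
        returned = query.get("state", [None])[0]
        expected = self.store.pop(session_id, STATE_KEY)
        if (expected is None or returned is None
                or not hmac.compare_digest(expected, returned)):
            raise StateMismatch(STATE_ERROR)
        return query.get("code", [""])[0]


def _relying_party(store: SessionStore) -> RelyingParty:
    # Constructed endpoint and client id; callback URL taken from the topology.
    return RelyingParty(store, "https://op.example/authorize", "my_client_id",
                        "https://localhost:8443/gateway/knoxsso/api/v1/websso")


def simulate_login(store: SessionStore, session_id: str = "sess-1",
                   foreign_state: Optional[str] = None) -> Tuple[bool, str]:
    """Drive one login through the given store.  The provider is a constructed
    stand-in that echoes the state back with a code.  If foreign_state is set,
    the callback carries that value instead of the issued one, which is what a
    callback not bound to this session looks like to the relying party."""
    rp = _relying_party(store)
    redirect = rp.begin_login(session_id)
    issued_state = parse_qs(urlsplit(redirect).query)["state"][0]
    state = issued_state if foreign_state is None else foreign_state
    callback = f"{rp.callback_url}?{urlencode({'code': 'code-from-provider', 'state': state})}"
    try:
        return True, rp.handle_callback(session_id, callback)
    except StateMismatch as exc:
        return False, str(exc)


def replay_is_rejected(store: SessionStore, session_id: str = "sess-2") -> bool:
    """A state accepted once must not be accepted again for the same session."""
    rp = _relying_party(store)
    state = parse_qs(urlsplit(rp.begin_login(session_id)).query)["state"][0]
    callback = f"{rp.callback_url}?{urlencode({'code': 'c1', 'state': state})}"
    rp.handle_callback(session_id, callback)      # first use succeeds
    try:
        rp.handle_callback(session_id, callback)  # second use must fail
    except StateMismatch:
        return True
    return False


if __name__ == "__main__":
    print("persistent store:", simulate_login(SessionStore()))
    print("discarding store:", simulate_login(DiscardingSessionStore()))
    print("unbound state   :", simulate_login(SessionStore(), foreign_state="not-issued-here"))
    print("replay rejected :", replay_is_rejected(SessionStore()))
```

The discarding store reproduces the thread's symptom without any provider involvement: the provider echoed the right value, but the relying party has nothing to compare it against, so the only safe answer is to refuse. When debugging this class of error, confirm first that the session cookie set on the redirect request is the one presented on the callback (an incognito window or a cookie marked secure-only on a plain-HTTP hop breaks that binding), and only then suspect the store implementation.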
