Grouper Users - Open Discussion List

["Waldbieser, Carl" <>]

Bryan,

Are you redeploying the WAR file each time?  I will typically nuke everything 
in webapps/ just to be sure.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Bryan Wooten" 
<>
To: "Chris Hyzer" 
<>,
 

Sent: Wednesday, February 4, 2015 11:41:58 AM
Subject: [grouper-users] RE: Fresh 2.2.1 Installation

Exactly, no other errors. I always use a fresh incognito window in Chrome or 
Firefox to login.

The really weird thing is I thought the my CAS stuff in web.core.xml was the 
problem so I removed it. Now when I hit grouper, I don't get any kind of 
login page, I just go straight the "anonymous user" error page.

So I must have some other kind of configuration issue?

-Bryan

From: Chris Hyzer 
[mailto:]
Sent: Wednesday, February 04, 2015 9:34 AM
To: Bryan Wooten; 

Subject: RE: Fresh 2.2.1 Installation

You are saying that you dont see a CSRF problem anymore or other errors, what 
happens on the screen?  I assume you cleared your cache etc on the browser.

Thanks,
Chris

From: Bryan Wooten 
[mailto:]
Sent: Wednesday, February 04, 2015 10:49 AM
To: Chris Hyzer; 
<mailto:>
Subject: RE: Fresh 2.2.1 Installation

Hmmm,

That did not seem to work.

We are running Tomcat 7 so following the instructions on the link you sent I 
added:
<session-config>
     <tracking-mode>COOKIE</tracking-mode>
</session-config>

To the web.core.xml and redeployed.

I no longer get the CSRF error in grouper_error.log. In fact I get no errors. 
I just get this when I login as GrouperSystem:

2015-02-04 08:16:28,756: [http-bio-8080-exec-18] INFO  EventLog.info(156) -  
- [811b2b7a85754229802d5eec4a1ae1f2,'GrouperSystem','application'] session: 
start (6ms)
2015-02-04 08:16:28,802: [http-bio-8080-exec-18] INFO  EventLog.info(156) -  
- [ac1faa55dde24fd9af4cc51a8b9004d1,'GrouperSystem','application'] session: 
start (1ms)

I verified that the sysadmingrouper exists and that GrouperSystem was a 
member:


gsh 1% addGroup("etc", "sysadmingroup", "SysAdmin Group")
// Error: group already exists with name: 'etc:sysadmingroup', stem name: 
etc, group extension: sysadmingroup, group dExtension: SysAdmin Group, uuid: 
null, typeOfGroup: null,
Problem in HibernateSession: HibernateSession (2f1dc865): new, notReadonly, 
READ_WRITE_NEW, notActiveTransaction, session (2cb1227e)
gsh 2% addMember("etc:sysadmingroup", "GrouperSystem")
// Error: membership already exists,

I turned up logging to debug (on the root loggerO, but I don't know what I 
should be looking for.

-Bryan


From: Chris Hyzer 
[mailto:]
Sent: Tuesday, February 03, 2015 4:17 PM
To: Bryan Wooten; 
<mailto:>
Subject: RE: Fresh 2.2.1 Installation

Im thinking you should disable url rewriting with jsessionid...

e.g.
https://fralef.me/tomcat-disable-jsessionid-in-url.html

Seems like a good security thing to do anyways right?

Thanks,
Chris

From: Bryan Wooten 
[mailto:]
Sent: Tuesday, February 03, 2015 3:27 PM
To: Chris Hyzer; 
<mailto:>
Subject: RE: Fresh 2.2.1 Installation

Hmm, grouper_error.log has this clue:

2015-02-03 13:20:19,231: [http-bio-8080-exec-6] ERROR CsrfGuardLogger.log(47) 
-  - potential cross-site request forgery (CSRF) attack thwarted 
(user:GrouperSystem, ip:155.101.205.178, method:GET, 
uri:/grouper/;jsessionid=A5FFC803A416F58090D3F3691077A6E5, error:required 
token is missing from the request)

I think my CAS web.xml config could be the issue? I didn't see this 2.1.x. I 
am pointing at my standard U test CAS server.

-Bryan


From: Chris Hyzer 
[mailto:]
Sent: Tuesday, February 03, 2015 12:42 PM
To: Bryan Wooten; 
<mailto:>
Subject: RE: Fresh 2.2.1 Installation

Anything else in logs or stdout / stderr from tomcat?

From: 
<mailto:>
 
[mailto:]
 On Behalf Of Bryan Wooten
Sent: Tuesday, February 03, 2015 2:39 PM
To: 
<mailto:>
Subject: [grouper-users] Fresh 2.2.1 Installation

Ok, not sure what is going on here.

We have a fresh 2.2.1 installation, not an upgrade from 2.1.x

We have a CASified Grouper UI. The CAS login is successful.

I have run the following GSH script:

grouperSession = GrouperSession.startRootSession();
addGroup("etc", "sysadmingroup", "SysAdmin Group")
addMember("etc:sysadmingroup", "GrouperSystem")
addMember("etc:sysadmingroup", "u0519980")

After login the UI displays this:

Maybe your session timed out and you need to start again. This should not 
happen under normal operation. CSRF error.

I click "start over" and  I get this:

You have an anonymous session since you are not logged in, but this section 
requires you to be logged in. Maybe No username found. Your identity provider 
might not be sending your username to this application. Either you need to 
use a different identity provider, or ask your IT department to send your 
username to this application.

Ideas?



Bryan Wooten

UIT-Common Infrastructure Systems
Work: 801.585.9323
Cell: 801.414.3593