Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Grouper 2.4 UI problem with Setting Attributes

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Grouper 2.4 UI problem with Setting Attributes


Chronological Thread 
  • From: "Coleman, Erik C" <>
  • To: "Redman, Chad" <>, "Hyzer, Chris" <>, "" <>
  • Subject: [grouper-users] RE: Grouper 2.4 UI problem with Setting Attributes
  • Date: Thu, 1 Nov 2018 21:11:14 +0000
  • Accept-language: en-US
  • Ironport-phdr: 9a23:cl2Dhh35TDhXQ31WsmDT+DRfVm0co7zxezQtwd8ZsesWLPvxwZ3uMQTl6Ol3ixeRBMOHs60C07KempujcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgppPOT1HZPZg9iq2+yo9JDffwdFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QKsqUjq+8ahkVB7oiD8GNzEn9mHXltdwh79frB64uhBz35LYbISTOfFjfK3SYMkaSHJBUMhPSiJBHo2yYYgBD+UDPOZXs4byqkAUrReiGQWhHv/jxiNWinLwwKY00/4hEQbD3AE4Ed4DrnPUrNHrO6cXS++1yrHExijMYfNM2Df965XDfw4vrfqRWr9/b9bexlU0GgPEilWQrY3lPzWS1uQMqGiX9fRvWv+yi2M+rQx6vzahxsApiobTh4IVzEjJ9SR9wIYxJN24Tkl7Yd+/EJdKqS6VKpZ2TtsiQ2F0pCY60qYGtoO6fCgExpQo2QTfZOKBc4eU/B3sSviRLil+hHJ5eLK/gAuy8Uegyu3gVsm7zktFri1AktbWt3AN0RrT5dKCSvRj8Eauwy2P1xzT6u5aOkA7j6/bJIA7zr4xjZoet1nIECzumEjukqOaakop9vKs5unpeLnquIWQOo9shg3jPKkihtazDfkmPgUPRWSX5+Sx2b358UD2QbhGlvM2nbfavZzGIMkWo7C1DBJL3Yo/7huyASuq384dkHQFKF9Iex2Kgo33NF7TPf/0E/GyiEm2njhx3fDJJLjhD43NLnfdlLfheq5w609YyAo3zNBf4ZVUCrAaIP7pRED+qcHYAgc4Mwyy3ennFM1w2p0CVW+AGKOUNK3fvUWW6u41I+SAfIoVtyz8K/gh6f7ul3g5mVoFcKa3wZQYdGu1HvViI0WdYHrshNABEWYRvgYkUuPllUCCXSZJZ3muR6I8+i07CIW+AIfMXICth6GB3D+lEZ1Mf2xGF0uMHmnyd4WfQPoMbCOSItR9kjwfS7StUY4h1ReytADk0bpnKPTb+jEGuZ75ytd6+vDTxlkO8mk+NcmR1miLCylfnmoEDXdi16B2rXtnx1uG2K5QnvpTU9Ff+qUNGk0aJIzR1agyINDoWxmLNoOMQ1a3UNi8KTAqRZQs29IIZQBwF8j0yliJ0DCtHqcYjfmWH5Eu6Yrd2WT8PcBw1yyA2aU8xRFyTdFIKHWrnOti7AXJHKbIlVmUjaCnaf5a0SLQojSt122L6QtzVwp9VKzDGTgyfErV5f+zrhfPRLSGCLAjMw1GyNXEJ6dXPI66xW5aTevubYyNK1m6nH29UFPRnuuB
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Thanks to Chris Hubing for figuring this one out for me—I simply had to replace my port 8009 connector line in Tomcat’s server.xml with this:

 

<Connector port="8009" protocol="AJP/1.3" secure="true" scheme="https" tomcatAuthentication="false" URIEncoding="UTF-8" />

 

I had a redirectPort=”8443” option so I deleted that and added the secure=true and scheme=https paramters.

 

For reference to the other questions, I do have the URL configured in grouper.properties and I do have x-forwarded-for turned on in Apache (grouper-www.conf), though I think the AWS ALB is not properly using that the right way, so maybe I wouldn’t have seen this problem had it been working properly.  It was odd that nearly everything in the app clicks through fine, except the attribute functionality.

 

Thanks!

 

-Erik

 

 

 

From: Redman, Chad <>
Sent: Tuesday, October 30, 2018 2:08 PM
To: Hyzer, Chris <>; Coleman, Erik C <>;
Subject: RE: Grouper 2.4 UI problem with Setting Attributes

 

Yes, if you set the x-forwarded-* headers, or at least x-forwarded-proto, it does tend to fix the http/https issue for applications. We saw the same with the Shibboleth IdP. And we took another look at our CSRF refererMatchDomain=false setting which was set a long time ago. if the x-forwarded headers are enabled, it isn't needed.

 

From: [] On Behalf Of Hyzer, Chris
Sent: Tuesday, October 30, 2018 2:32 PM
To: Coleman, Erik C <>;
Subject: [grouper-users] RE: Grouper 2.4 UI problem with Setting Attributes

 

First question, as you click through the app everything is ok except the attribute case you list?

 

If not, Do you have the UI url configured in grouper.properties?  And do you have x-forwarded-for and x-forwarded-proto HTTP HEADERS from the load balancer?  Im not sure they are needed but I think useful to have and that is how we set this up in a similar way. 

 

Thanks

Chris

 

From: <> On Behalf Of Coleman, Erik C
Sent: Tuesday, October 30, 2018 9:45 AM
To:
Subject: [grouper-users] RE: Grouper 2.4 UI problem with Setting Attributes

 

Brett, thanks,

 

I am not explicitly accessing the site insecurely, but I think you’re on to something.  We have redirects to HTTPS, but furthermore, since SSL is terminated at the AWS app load balancer, all the SSL is stripped out of the UI container in the Apache and Tomcat configs, but maybe there’s something amiss.

 

I’m no Java (or _javascript_) expert, so what function in the UI is having me try to access this link on HTTP and not HTTPS?:

 

http://authman-test.techservices.illinois.edu/grouper/grouperExternal/public/OwaspJavaScriptServlet

 

Is this something I can change in a properties file?

 

-Erik

 

 

From: Brett Bieber <>
Sent: Tuesday, October 30, 2018 8:24 AM
To: Coleman, Erik C <>;
Subject: Re: Grouper 2.4 UI problem with Setting Attributes

 

Hi Erik,

We're doing the same here at Nebraska and not having any issues, so I don't think it's a UI bug. I can't tell in the first screenshot if you were accessing the site securely or not, but I noticed the error message indicated an http vs https difference even though the domain name was the same. Is it possible you were accessing the site via an insecure URL and the config is set to https? We've got ours configured to redirect any requests to http:// to https:// at the load balancer. Hope that helps.

-Brett


From: <> on behalf of Coleman, Erik C <>
Sent: Monday, October 29, 2018 6:09:00 PM
To:
Subject: [grouper-users] Grouper 2.4 UI problem with Setting Attributes

 

I’m running into a snag with the new Grouper 2.4 (running from container tier/grouper:2.4.0-a2-u0-w0-p0).  I’m wanting to demonstrate how group owners can selectively choose to have their groups or folders sync to our AD via our PSPNG config. I select a group or folder and choose “More Actions” -> “Attribute Assignments” and assign an attribute, it seems to work, but then I get this strange error “ErrorType; LoadXML Description: Incorrect XML”:

 

 

Then if I click OK, then attempt to choose the action to assign a value to that attribute, I get a remarkably blank screen:

 

 

The only interesting log entries I am seeing is this:

 

grouper-api;grouper_error.log;as-aws-test-dev2;aws-poc;2018-10-29 18:05:26,238: [ajp-nio-8009-exec-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:ecc, ip:xxx.xxx.xxx.xxx, method:POST, uri:/grouper/grouperUi/app/UiV2GroupAttributeAssignment.assignmentMenuAddValue, error:request token does not match session token)

 

grouper-api;grouper_error.log;as-aws-test-dev2;aws-poc;2018-10-29 18:05:26,475: [ajp-nio-8009-exec-4] ERROR CsrfGuardLogger.log(47) - - Referer domain https://authman-test.techservices.illinois.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2GroupAttributeAssignment.assignmentMenuAddValue&attributeAssignId=635adbb3af3b4c2fa54a8eafca18ee13&csrfExtraParam=xyz does not match request domain: http://authman-test.techservices.illinois.edu/grouper/grouperExternal/public/OwaspJavaScriptServlet

 

Is this a UI bug? Or possibly a sign I’ve got something corrupted somewhere?  It’s still pretty stock test environment otherwise.

 

Thanks,

 

Erik Coleman

University of Illinois at Urbana-Champaign

 




Archive powered by MHonArc 2.6.19.

Top of Page