
grouper-users - Re: [grouper-users] Grouper 2.5 on Openshift

Subject: Grouper Users - Open Discussion List

  • From: Darren Boss
  • To: Oliver Trieu
  • Subject: Re: [grouper-users] Grouper 2.5 on Openshift
  • Date: Fri, 29 May 2020 15:46:06 -0400

Could it be the underscores in headers issue?

If you are using an nginx ingress controller in OpenShift, make sure
you have the enable-underscores-in-headers: "true" setting set in the
nginx-configuration configmap.

On Fri, May 29, 2020 at 1:41 PM Oliver Trieu wrote:
>
> Hi Carey,
>
>
> Thank you very much for your fast reply!
>
> I gave 2.5.28 (and 2.5.29) a go.
>
> Using GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true will result in an error
> complaining that /home/tomcat/.bashrc is missing.
>
> I think that is a general problem with OpenShift since I cannot
> guarantee any user at all. Instead OpenShift will generate a random GUID
> each run.
>
> So permissions are handled via groups (that's why you see the strange
> permission handling in my Dockerfile).
>
> So there is no way for me to guarantee the user tomcat (or any user).
>
>
> Anyway, I just went ahead and started TomEE manually.
>
> This worked and the UI is no longer presenting the NullPointerException.
>
> However, once I actually click something in the UI, I run into CSRF errors:
>
> ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery
> (CSRF) attack thwarted (user:oliver, method:POST,
> uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does
> not match session token)
>
>
> I should mention that we don't use the Apache or Shib implementation
> inside the container.
>
> We have a separate container running Apache and handling the Shibboleth
> login for us.
>
> This setup has worked very well for us with Grouper 2.4.
>
>
> If I look at the client side, I can see my POST requests only partly
> containing a CSRF token.
>
> Request URLs in the client:
>
> https://my.grouper.url/grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO
>
> https://my.grouper.url/grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32
>
>
> TomEE access-log:
>
> "POST
> /grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32&csrfExtraParam=xyz
> HTTP/1.1" 302 -
>
> "POST
> /grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO
> HTTP/1.1" 200 4051
>
> So the viewStem request is missing the token and triggers the error.
>
> Any ideas what the problem could be?
>
>
>
> Kind Regards
>
> Oliver
>
>
>
>
> On 29.05.2020 at 16:30, Black, Carey M. wrote:
> > REF:
> > https://spaces.at.internet2.edu/display/Grouper/Grouper+container+documentation+for+v2.5
> > "
> > -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
> > (v2.5.28+)
> >
> > Will run the tomee process as the only process in the container, not
> > supervisor. Note, this is advanced, and should be run as the tomcat user.
> > See this wiki
> > "
> >
> > Try on a later image. I think v2.5.28+ will do what you want.
> >



--
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
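
A sketch of what the setting in the reply above changes, as an added example that is not part of the original message or of Grouper: it applies nginx's documented header-name rule (names containing underscores are ignored unless underscores are enabled) to a constructed request. It assumes the CSRF token travels in a request header named OWASP_CSRFTOKEN; the function names and sample values are made up for illustration.

```python
import hmac
import re

# nginx's documented rule for request header names: letters, digits and
# hyphens; underscores count as valid only with underscores_in_headers on.
STRICT = re.compile(r"[A-Za-z0-9-]+")
RELAXED = re.compile(r"[A-Za-z0-9_-]+")


def forward(headers, underscores_in_headers=False):
    """Headers that reach the backend when invalid names are ignored."""
    rule = RELAXED if underscores_in_headers else STRICT
    return {k: v for k, v in headers.items() if rule.fullmatch(k)}


def token_accepted(headers, session_token, name="OWASP_CSRFTOKEN"):
    """Backend-side comparison; header names are case-insensitive."""
    sent = {k.lower(): v for k, v in headers.items()}.get(name.lower())
    return sent is not None and hmac.compare_digest(sent, session_token)


def diagnose(headers, session_token):
    """Compare proxy behaviour with the setting off (default) and on."""
    default = forward(headers)
    return {
        "dropped_by_default": sorted(set(headers) - set(default)),
        "accepted_by_default": token_accepted(default, session_token),
        "accepted_when_enabled": token_accepted(
            forward(headers, underscores_in_headers=True), session_token),
    }


# Constructed sample request (not taken from the thread's logs).
SAMPLE_TOKEN = "AAAA-BBBB-CCCC-DDDD"
SAMPLE_HEADERS = {
    "Host": "grouper.example.org",
    "X-Requested-With": "XMLHttpRequest",
    "Cookie": "JSESSIONID=constructed",
    "OWASP_CSRFTOKEN": SAMPLE_TOKEN,
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_HEADERS, SAMPLE_TOKEN))
```

The same comparison can be made on a live deployment by logging the request headers on the backend side of the proxy and checking whether the token header arrives.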



