grouper-users - RE: [grouper-users] Grouper 2.5 on Openshift

  • From: "Black, Carey M." <>
  • To: Oliver Trieu <>, "" <>
  • Subject: RE: [grouper-users] Grouper 2.5 on Openshift
  • Date: Sat, 30 May 2020 02:05:12 +0000

Oliver,

Sorry I did not comment on the CSRF Part of your post too.

I suspect you have an "http" URL instead of using HTTPS (somewhere in the
network link/flow).
It is fine that you are not using Apache in the container. (I don't
do that either. Apache is outside the container for me and handles the HTTPS
to AJP to TomEE into the container.)
My basic understanding is the CSRF lib used by Grouper uses a secure
HTTPS cookie. And when you hit the first URL, it should set it, and it gets
"renewed" along the way. But if the traffic is not HTTPS, then the cookie is
not sent back to TomEE.

HTH.

--
Carey Matthew
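
The mechanism Carey describes, as an added example that is not part of the original thread and is not Grouper's or OWASP CSRFGuard's code: a small model of a browser cookie jar applying the RFC 6265 Secure rule, plus a token-checking server, run once with an all-HTTPS click and once with an "http" URL in the flow. The cookie name, the session bookkeeping and the index URL are assumptions made for the model; the library keeps its token server-side in the session and the container tracks that session with its own cookie, and the model collapses those two into one Secure cookie to show the effect.

```python
"""Model of a Secure session cookie when one hop in the chain is plain HTTP.

Constructed example, not code from Grouper or OWASP CSRFGuard. The library
keeps its token server-side in the session and the container tracks that
session with a cookie marked Secure on HTTPS requests; this model collapses
the two into one Secure cookie to show what a browser's cookie rules do.
"""
import secrets
from urllib.parse import urlsplit

# URLs from the thread; the index URL is an assumption for the model.
STEM_URL = ("{scheme}://my.grouper.url/grouper/grouperUi/app/"
            "UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32")
INDEX_URL = "https://my.grouper.url/grouper/grouperUi/app/UiV2Main.index"


class BrowserJar:
    """Cookie store applying the RFC 6265 Secure rule: a cookie flagged
    Secure is attached only to requests whose scheme is https."""

    def __init__(self):
        self._cookies = {}  # name -> (value, secure flag)

    def store(self, set_cookie):
        attrs = [a.strip() for a in set_cookie.split(";")]
        name, _, value = attrs[0].partition("=")
        self._cookies[name] = (value, any(a.lower() == "secure" for a in attrs[1:]))

    def cookies_for(self, url):
        https = urlsplit(url).scheme.lower() == "https"
        return {n: v for n, (v, secure) in self._cookies.items() if https or not secure}


class TokenServer:
    """Server side of the model: a session is created on first contact and
    given a CSRF token; a POST must echo that token in OWASP_CSRFTOKEN."""

    COOKIE = "MODEL_SESSION"  # hypothetical cookie name, not Grouper's

    def __init__(self):
        self.sessions = {}  # session id -> csrf token
        self.log = []

    def _session(self, cookies):
        sid = cookies.get(self.COOKIE)
        if sid in self.sessions:
            return sid, None  # existing session, no Set-Cookie needed
        # No usable cookie arrived: a fresh session with a fresh token.
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.token_urlsafe(24)
        return sid, f"{self.COOKIE}={sid}; Path=/grouper; Secure; HttpOnly"

    def get(self, cookies):
        sid, set_cookie = self._session(cookies)
        return {"status": 200, "set_cookie": set_cookie, "token": self.sessions[sid]}

    def post(self, cookies, form, user="oliver"):
        sid, set_cookie = self._session(cookies)
        sent = form.get("OWASP_CSRFTOKEN", "")
        if not secrets.compare_digest(sent, self.sessions[sid]):
            self.log.append(f"potential cross-site request forgery (CSRF) attack thwarted "
                            f"(user:{user}, method:POST, "
                            f"error:request token does not match session token)")
            return {"status": 302, "set_cookie": set_cookie}
        return {"status": 200, "set_cookie": set_cookie}


def run_flow(click_scheme):
    """Load the UI over https, then POST the viewStem click with the given
    scheme. Returns (status of the POST, server log lines)."""
    jar, server = BrowserJar(), TokenServer()
    page = server.get(jar.cookies_for(INDEX_URL))
    jar.store(page["set_cookie"])
    click = STEM_URL.format(scheme=click_scheme)
    # The page embeds the token; the Secure cookie only travels on https.
    resp = server.post(jar.cookies_for(click), {"OWASP_CSRFTOKEN": page["token"]})
    return resp["status"], server.log


if __name__ == "__main__":
    for scheme in ("https", "http"):
        status, log = run_flow(scheme)
        print(f"{scheme:5} -> {status}" + (f"  {log[-1]}" if log else ""))
```

With the click on an https URL the cookie comes back, the session is found and the token matches (200). With an http URL the jar withholds the Secure cookie, the server sees no session, mints a new one with a new token, and the token the page embedded no longer matches (302 to the csrf error page). The practical check is the same as in the model: in the browser's network view, confirm the first response's Set-Cookie carries Secure, and that the request the click sends goes to an https URL and still carries that cookie.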

-----Original Message-----
From: <> On Behalf Of Oliver Trieu
Sent: Friday, May 29, 2020 1:41 PM
To:
Subject: Re: [grouper-users] Grouper 2.5 on Openshift

Hi Carey,


Thank you very much for your fast reply!

I gave 2.5.28 (and 2.5.29) a go.

Using GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true will result in an error
complaining that /home/tomcat/.bashrc is missing.

I think that is a general problem with OpenShift since I cannot
guarantee any user at all. Instead OpenShift will generate a random GUID
each run.

So permissions are handled via groups (that's why you see the strange
permission handling in my Dockerfile).

So there is no way for me to guarantee the user tomcat (or any user).


Anyway I just went ahead and started TomEE manually.

This worked and the UI is no longer presenting the NullPointerException.

However once I actually click something in the UI I run into CSRF errors:

ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery (CSRF) attack thwarted (user:oliver, method:POST, uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does not match session token)


I should mention that we don't use the Apache or Shib implementation
inside the container.

We have a separate container running Apache and handling the Shibboleth
login for us.

This setup has worked very well for us with Grouper 2.4.


If I look at the client side I can see my POST requests only partly
containing a CSRF token.

Request URLs in the client:

https://my.grouper.url/grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO


https://my.grouper.url/grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32



TomEE access-log:

"POST /grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32&csrfExtraParam=xyz HTTP/1.1" 302 -

"POST /grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO HTTP/1.1" 200 4051

So the viewStem request is missing the Token and triggers the Error.

Any ideas what the problem could be?



Kind Regards

Oliver




On 29.05.2020 at 16:30, Black, Carey M. wrote:
> REF:
> https://spaces.at.internet2.edu/display/Grouper/Grouper+container+documentation+for+v2.5
>
> "
> -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
> (v2.5.28+)
>
> Will run the tomee process as the only process in the container, not
> supervisor. Note, this is advanced, and should be run as the tomcat user.
> See this wiki
> "
>
> Try on a later image. I think v2.5.28+ will do what you want.
>


