grouper-users - Re: [grouper-users] Grouper 2.5 on Openshift
- From: Darren Boss <>
- To: "Black, Carey M." <>
- Cc: Alex Poulos <>, Oliver Trieu <>
- Subject: Re: [grouper-users] Grouper 2.5 on Openshift
- Date: Mon, 1 Jun 2020 10:28:08 -0400
I terminate TLS at the ingress controller (OpenResty/Nginx) in
Kubernetes and I haven't changed this setting. I don't have this issue,
but I am using the embedded Apache/Shib in the image, which is likely
the difference.
The change I need to make in http.conf is to explicitly set the
ServerName to my grouper cname and, while listening on port 80, still
have https://cname:443 in the apache config. If I don't do that I have
all kinds of issues.
On Mon, Jun 1, 2020 at 10:06 AM Black, Carey M. <> wrote:
>
> Alex,
>
> YMMV, but most “enterprise LB’s” (ELB) will blindly accept self-signed SSL
> certs.
>
> You might try adding a cert to the tomee layer and change the LB to use
> HTTPS to the app too.
>
> Technically the ELB is a “vulnerability” because the traffic could be seen
> on that node. But I understand the heartburn with not terminating SSL at
> the ELB too.
>
> --
>
> Carey Matthew
>
> From: Alex Poulos <>
> Sent: Monday, June 1, 2020 9:32 AM
> To: Black, Carey M. <>
> Cc: Oliver Trieu <>;
> Subject: Re: [grouper-users] Grouper 2.5 on Openshift
>
> FWIW, though this is probably not the best way to do it, I have added this
> parameter to
> /opt/grouper/grouperWebapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
> to get around the http(s) mismatch (our SSL terminates at the load
> balancer):
>
> org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
>
> On Fri, May 29, 2020 at 10:05 PM Black, Carey M. <> wrote:
>
> Oliver,
>
> Sorry I did not comment on the CSRF part of your post too.
>
> I suspect you have an "http" URL instead of using HTTPS. ( somewhere in the
> network link/flow. )
> It is fine that you are not using apache in the container. ( I
> don't do that either. Apache is outside the container for me and handles
> the HTTPS to AJP to tomee into the container. )
> My basic understanding is the CSRF lib used by Grouper uses a
> secure HTTPS cookie. And when you hit the first URL, it should set it, and
> it gets "renewed" along the way. But if the traffic is not HTTPS, then the
> cookie is not sent back to tomee.
>
> HTH.
>
> --
> Carey Matthew
>
> -----Original Message-----
> From:
> <> On Behalf Of Oliver Trieu
> Sent: Friday, May 29, 2020 1:41 PM
> To:
> Subject: Re: [grouper-users] Grouper 2.5 on Openshift
>
> Hi Carey,
>
> Thank you very much for your fast reply!
>
> I gave 2.5.28 (and 2.5.29) a go.
>
> Using GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true will result in an error
> complaining that /home/tomcat/.bashrc is missing.
>
> I think that is a general problem with openshift since I cannot
> guarantee any user at all. Instead openshift will generate a random GUID
> each run.
>
> So permissions are handled via groups (that's why you see the strange
> permission handling in my dockerfile).
>
> So there is no way for me to guarantee the user tomcat (or any user).
>
> Anyway I just went ahead and started TomEE manually.
>
> This worked and the UI is no longer presenting the NullPointerException.
>
> However once I actually click something in the UI I run into CSRF errors:
>
> ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery
> (CSRF) attack thwarted (user:oliver, method:POST,
> uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does
> not match session token)
>
> I should mention that we don't use the apache or shib implementation
> inside the container.
>
> We have a separate container running apache and handling the shibboleth
> login for us.
>
> This setup has worked very well for us with grouper 2.4.
>
> If I look at the client side I can see my POST requests only partly
> containing a CSRF token.
>
> Request URLs in the client:
>
> https://my.grouper.url/grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO
>
> https://my.grouper.url/grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32
>
> TomEE access-log:
>
> "POST
> /grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32&csrfExtraParam=xyz
> HTTP/1.1" 302 -
>
> "POST
> /grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO
> HTTP/1.1" 200 4051
>
> So the viewStem request is missing the token and triggers the error.
>
> Any ideas what the problem could be?
>
> Kind Regards
>
> Oliver
>
> On 29.05.2020 at 16:30, Black, Carey M. wrote:
> > REF:
> > https://spaces.at.internet2.edu/display/Grouper/Grouper+container+documentation+for+v2.5
> > "
> > -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
> > (v2.5.28+)
> >
> > Will run the tomee process as the only process in the container, not
> > supervisor. Note, this is advanced, and should be run as the tomcat user.
> > See this wiki
> > "
> >
> > Try on a later image. I think v2.5.28+ will do what you want.
> >
--
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal
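The root issue the thread circles around is that TomEE, behind a TLS-terminating ingress or load balancer, sees a plain-HTTP request while the browser sent HTTPS, so the scheme CSRFGuard compares against and the Secure session cookie no longer line up. Rather than disabling refererMatchDomain, Tomcat/TomEE can reconstruct the original scheme from the proxy's X-Forwarded-Proto header with the RemoteIpValve. This is an added example configuration, not code from the thread or from the Grouper project images; the internalProxies range is an assumed value for the cluster network.

```xml
<!-- Added example: conf/server.xml of the TomEE container, placed inside
     the <Host> element. The ingress/LB in front of TomEE must set
     X-Forwarded-Proto: https and X-Forwarded-For on every forwarded request. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https"
       httpsServerPort="443"
       internalProxies="10\.128\.\d{1,3}\.\d{1,3}" />
<!-- internalProxies (assumed pod/SDN range here) limits which peers may
     supply these headers, so a direct client cannot spoof the scheme.
     Once the valve is active, request.getScheme() returns "https" and
     request.isSecure() is true, so the CSRFGuard referer/domain check and
     the Secure cookie behave as if TLS were terminated at TomEE itself,
     and the refererMatchDomain protection can stay enabled. -->
```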