Grouper Users - Open Discussion List

[Darren Boss <>]

I terminate TLS at the ingress controller (OpenResty/Nginx) in
Kubernetes and I haven't changed this setting, don't have this issue
but I am using the embedded Apache/Shib in the image which is likely
the difference.

The change I need to make in http.conf is to explicitly set the
ServerName to my grouper cname and while listening on port 80 still
have https://cname:443 in the apache config. If I don't do that I have
all kinds of issues.

On Mon, Jun 1, 2020 at 10:06 AM Black, Carey M. <> wrote:
>
> Alex,
>
>
>
> YMMV, But most “enterprise LB’s” (ELB) will blindly accept self signed SSL 
> certs.
>
>    You might try adding a cert to the tomee layer and change the LB to use 
> HTTPS to the app too.
>
>
> Technically the ELB is a “vulnerability” because the traffic could be seen 
> on that node. But I understand the heartburn with not terminating SSL at 
> the ELB too.
>
>
>
> --
>
> Carey Matthew 
>
>
>
> From: Alex Poulos <>
> Sent: Monday, June 1, 2020 9:32 AM
> To: Black, Carey M. <>
> Cc: Oliver Trieu <>; 
> Subject: Re: [grouper-users] Grouper 2.5 on Openshift
>
>
>
> FWIW, though this is probably not the best way to do it, I have added this 
> parameter to 
> /opt/grouper/grouperWebapp/WEB-INF/classes/Owasp.CsrfGuard.overlay.properties
>  to get around the http(s) mismatch (our ssl terminates at the load 
> balancer)
>
>
>
> org.owasp.csrfguard.JavascriptServlet.refererMatchDomain = false
>
>
>
>
>
>
>
> On Fri, May 29, 2020 at 10:05 PM Black, Carey M. <> wrote:
>
> Oliver,
>
> Sorry I did not comment on the CSRF Part of your post too.
>
> I suspect you have a "http" url instead of using HTTPS.  ( somewhere in the 
> network link/flow. )
>         It is fine that you are not using apache in the container. ( I 
> don't do that either. Apache is outside the container for me and handles 
> the HTTPs to AJP to tomee into the container. )
>         My basic understanding is the CSRF lib used by Grouper uses a 
> secure HTTPS cookie. And when you hit the first URL, it should set it, and 
> it gets "renewed" along the way. But if the traffic is not HTTPS, then the 
> cookie is not sent back to tomee.
>
> HTH.
>
> --
> Carey Matthew 
>
> -----Original Message-----
> From:  
> <> On Behalf Of Oliver Trieu
> Sent: Friday, May 29, 2020 1:41 PM
> To: 
> Subject: Re: [grouper-users] Grouper 2.5 on Openshift
>
> Hi Carey,
>
>
> Thank you very much for your fast reply!
>
> I gave 2.5.28 (and 2.5.29) a go.
>
> Using GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true will result in an error
> complaining that /home/tomcat/.bashrc is missing.
>
> I think that is a general problem with openshift since i cannot
> guarantee any user at all. Instead openshift will generate a random GUID
> each run.
>
> So permissions are handled via groups (thats why you see the strange
> permission handling in my dockerfile).
>
> So there is no way for me to guarantee the user tomcat (or any user).
>
>
> Anyway i just went ahead an started TomEE manually.
>
> This worked and the UI is no longer presenting the NullPointerException.
>
> However once i actually click something in the UI i run into CSRF errors:
>
> ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery
> (CSRF) attack thwarted (user:oliver,  method:POST,
> uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does
> not match session token)
>
>
> I should mention that we dont use the apache or shib implementation
> inside the container.
>
> We have a speperate container running apache and handling the shibboleth
> login for us.
>
> This setup has worked very well for us with grouper 2.4.
>
>
> If i look at the Client side i can see my Post requests only partly
> containing a CSRF token.
>
> Request URLs in the CLient:
>
> https://urldefense.com/v3/__https://my.grouper.url/grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO__;!!KGKeukY!hfFEE4XcvuRsPbiyhLhzvccbhbbiRL9mMn9bdSl6WvEzE79Ib6Noi56SkjhDueVjTrM$
>
> https://urldefense.com/v3/__https://my.grouper.url/grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32__;!!KGKeukY!hfFEE4XcvuRsPbiyhLhzvccbhbbiRL9mMn9bdSl6WvEzE79Ib6Noi56SkjhDcrmpkdY$
>
>
> TomEE access-log:
>
> "POST
> /grouper/grouperUi/app/UiV2Stem.viewStem?stemId=1aa6aa124e7846e294b98fcf559a9a32&csrfExtraParam=xyz
> HTTP/1.1" 302 -
>
> "POST
> /grouper/grouperExternal/public/UiV2Public.postIndex?function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=BMAH-0KYJ-ZNY2-50TB-M1S6-XDUG-I7ZC-2JJO
> HTTP/1.1" 200 4051
>
> So the viewStem request is missing the Token and triggers the Error.
>
> Any ideas what the problem could be?
>
>
>
> Kind Regards
>
> Oliver
>
>
>
>
> Am 29.05.2020 um 16:30 schrieb Black, Carey M.:
> > REF:
> > https://urldefense.com/v3/__https://spaces.at.internet2.edu/display/Grouper/Grouper*container*documentation*for*v2.5__;KysrKw!!KGKeukY!hfFEE4XcvuRsPbiyhLhzvccbhbbiRL9mMn9bdSl6WvEzE79Ib6Noi56SkjhDCQxFYXo$
> > "
> > -e GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
> > (v2.5.28+)
> >
> > Will run the tomee process as the only process in the container, not
> > supervisor. Note, this is advanced, and should be run as the tomcat user.
> > See this wiki
> > "
> >
> > Try on a later image. I think v2.5.28+ will do what you want.
> >



-- 
Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal