cuba-platform / idp-addon Goto Github PK

View Code? Open in Web Editor NEW

1.0 4.0 4.0 341 KB

CUBA IDP Addon

License: Apache License 2.0

Java 79.49% CSS 0.68% JavaScript 18.37% HTML 1.46%

cuba-platform cuba-component idp idp-addon sso

idp-addon's Introduction

CUBA IDP Add-on

Overview

Single-sign-on (SSO) for CUBA applications allows a user to log in to the multiple running applications by entering a single login name and password once in a browser session.

When using SSO, there are two types of applications:

Identity Provider (IDP) is an application that provides user authentication. It contains a login form for entering user credentials and checks the credentials against the list of registered users. Only one Identity Provider is allowed in an SSO environment.
Service Provider (SP) is a regular application that redirects to IDP for user authentication. SP should contain the same list of users as IDP (passwords do not matter though). SP provides authorization using CUBA security roles and access groups. There may be any number of Service Providers in an SSO environment.

An application can be an Identity Provider and a Service Provider at the same time, so you don’t have to setup a dedicated IDP.

CUBA SSO uses custom HTTP-based protocol and currently does not provide integration with systems using standard authentication protocols like SAML or OIDC.

In SSO environment, when a user enters a Service Provider URL, the SP redirects to the IDP page for entering login name and password. After successful authentication, IDP redirects back to the SP application and the user transparently logs in to SP.

Read addon Wiki for an additional information: link.

Installation

The add-on can be added to your project in one of the ways described below. Installation from the Marketplace is the simplest way. The last version of the add-on compatible with the used version of the platform will be installed. Also, you can install the add-on by coordinates choosing the required version of the add-on from the table.

In case you want to install the add-on by manual editing or by building from sources see the complete add-ons installation guide in CUBA Platform documentation.

From the Marketplace

Open your application in CUBA Studio. Check the latest version of CUBA Studio on the CUBA Platform site.
Go to CUBA -> Marketplace in the main menu.

Find the IDP add-on there.

Click Install and apply the changes. The add-on corresponding to the used platform version will be installed.

By Coordinates

Open your application in CUBA Studio. Check the latest version of CUBA Studio on the CUBA Platform site.
Go to CUBA -> Marketplace in the main menu.
Click the icon in the upper-right corner.

Paste the add-on coordinates in the corresponding field as follows:

com.haulmont.addon.idp:idp-global:<add-on version>

where <add-on version> is compatible with the used version of the CUBA platform.

Platform Version	Add-on Version
7.2.X	0.3.0
7.1.X	0.2.0
7.0.X	0.1.1

Click Install and apply the changes. The add-on will be installed to your project.

Configuration

Configure add-on with application properties (Wiki)

Demo

This section is a short version of example from Wiki.

We consider an example of setting up SSO for two applications: Fish and Chips. Fish will be an Identity Provider and Service Provider at the same time, Chips will be a Service Provider.

Add the idp-addon via Studio with the following coordinates (replace x with bug-fix number):

com.haulmont.addon.idp:idp-global:0.2.0
Configure aliases in the hosts file:

Address Alias

127.0.0.1 fish

127.0.0.1 chips

Address	Alias
127.0.0.1	fish
127.0.0.1	chips

Configure IDP for the Fish project in web-app.properties file of the web module:

cuba.webAppUrl = http://fish:8081/app/

cuba.idp.serviceProviderUrls = http://fish:8081/app/,http://chips:8082/app/
cuba.idp.serviceProviderLogoutUrls = http://fish:8081/app/dispatch/idpc/logout,http://chips:8082/app/dispatch/idpc/logout
cuba.idp.trustedServicePassword = mdgh12SSX_pic2

cuba.web.idp.enabled = true
cuba.web.idp.baseUrl = http://fish:8081/app/idp/
cuba.web.idp.trustedServicePassword = mdgh12SSX_pic2

Configure IDP for the "Chips" project in web-app.properties file of the web module:

cuba.webAppUrl = http://chips:8082/app/

cuba.web.idp.enabled = true
cuba.web.idp.baseUrl = http://fish:8081/app/idp/
cuba.web.idp.trustedServicePassword = mdgh12SSX_pic2

Start the Fish server by launching its tomcat/bin/startup.* script or via Gradle: gradlew start.
Go to http://fish:8081/app/ in your web browser. You will be redirected to the IDP login page. Log in with the admin / admin credentials. Create a new user, for example u1.
Start the Chips server by launching its tomcat/bin/startup.* script or via Gradle: gradlew start.
Go to http://chips:8082/app/ in the same web browser. If you are still logged in to the Fish application, you will be automatically logged in as admin to Chips. Create the same u1 user (password does not matter) in the Chips application.

Now you can log in as admin or u1 to both applications via the single login form, and if you are logged in one application, the login process for the second application will be automatic, bypassing the login form.

idp-addon's People

Contributors

Stargazers

Watchers

Forkers

pybender douit trx0eth7 hjp1993

idp-addon's Issues

Document IDP Integration for REST API

Relates to

Fix IDP DelegatingFilterProxy context attribute

Wrong context attribute is set for the proxy now:
FrameworkServlet.SERVLET_CONTEXT_PREFIX + "." + IDP_SERVLET_NAME

Due to this wrong attribute proxy cannot find WebApplicationContext

But should be:
FrameworkServlet.SERVLET_CONTEXT_PREFIX + IDP_SERVLET_NAME

NPE if a servlet with name "idp" is declared in project web.xml

17-Jan-2019 14:28:21.437 SEVERE [main] org.apache.catalina.core.StandardContext.loadOnStartup Servlet [idp] in web application [/app] threw load() exception
 java.lang.ClassNotFoundException: com.haulmont.idp.sys.CubaIdpServlet
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1309)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1138)
	at org.apache.catalina.core.DefaultInstanceManager.loadClass(DefaultInstanceManager.java:542)
	at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:523)
	at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:150)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1032)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:971)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4829)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5143)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:719)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:703)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:986)
	at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1858)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
	at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
	at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:772)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:426)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1585)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:308)
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:424)
	at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:367)
	at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:969)
	at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:839)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1429)
	at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1419)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
	at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
	at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:944)
	at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:261)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardService.startInternal(StandardService.java:422)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:770)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:682)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:350)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)

Web client throws unclear error when the logged in user missed on SP

Environment

Platform version: 6.8.7
Client type: Web

Description of the bug or enhancement

Minimal reproducible example

Adjust CUBA SSO as written in the documentation https://doc.cuba-platform.com/manual-6.8/sso.html
Start IDP
Start SP
On IDP and in LDAP: create some user. Do not create the user on SP.
In SP: login with the user credentials

Expected behavior
Some clear message.
Actual behavior

2018-05-07 17:25:51.238 INFO  [http-nio-8082-exec-2] com.haulmont.cuba.security.auth.AuthenticationServiceBean - Login failed: com.haulmont.cuba.security.global.LoginException: Unknown login name or bad password 'user3'
2018-05-07 17:25:51.256 ERROR [http-nio-8082-exec-2] com.haulmont.cuba.web.AppUI - Unable to init ui
com.haulmont.cuba.security.global.LoginException: Unknown login name or bad password 'user3'
	at com.haulmont.cuba.security.auth.providers.TrustedClientAuthenticationProvider.authenticate(TrustedClientAuthenticationProvider.java:69) ~[na:na]
	at com.haulmont.cuba.security.auth.AuthenticationManagerBean.authenticateInternal(AuthenticationManagerBean.java:253) ~[na:na]
	at com.haulmont.cuba.security.auth.AuthenticationManagerBean.login(AuthenticationManagerBean.java:118) ~[na:na]
	at com.haulmont.cuba.security.auth.AuthenticationServiceBean.login(AuthenticationServiceBean.java:86) ~[na:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_151]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_151]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
	at com.haulmont.cuba.core.sys.remoting.LocalServiceInvokerImpl.invoke(LocalServiceInvokerImpl.java:94) ~[na:na]
	at com.haulmont.cuba.web.sys.remoting.LocalServiceProxy$LocalServiceInvocationHandler.invoke(LocalServiceProxy.java:154) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.sun.proxy.$Proxy24.login(Unknown Source) ~[na:na]
	at com.haulmont.cuba.web.security.providers.ExternalUserLoginProvider.loginMiddleware(ExternalUserLoginProvider.java:91) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.security.providers.ExternalUserLoginProvider.login(ExternalUserLoginProvider.java:87) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.security.ConnectionImpl.loginInternal(ConnectionImpl.java:209) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.security.ConnectionImpl.login(ConnectionImpl.java:89) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.security.idp.IdpLoginLifecycleManager.onAppStarted(IdpLoginLifecycleManager.java:94) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_151]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_151]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_151]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_151]
	at org.springframework.context.event.ApplicationListenerMethodAdapter.doInvoke(ApplicationListenerMethodAdapter.java:256) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.event.ApplicationListenerMethodAdapter.processEvent(ApplicationListenerMethodAdapter.java:177) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.event.ApplicationListenerMethodAdapter.onApplicationEvent(ApplicationListenerMethodAdapter.java:140) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:393) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:347) ~[spring-context-4.3.14.RELEASE.jar:4.3.14.RELEASE]
	at com.haulmont.cuba.core.sys.EventsImpl.publish(EventsImpl.java:33) ~[cuba-global-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.sys.WebEvents.publish(WebEvents.java:36) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.DefaultApp.publishAppStartedEvent(DefaultApp.java:225) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.DefaultApp.loginOnStart(DefaultApp.java:212) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.AppUI.setupUI(AppUI.java:297) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.haulmont.cuba.web.AppUI.init(AppUI.java:221) ~[cuba-web-6.9-SNAPSHOT.jar:6.9-SNAPSHOT]
	at com.vaadin.ui.UI.doInit(UI.java:693) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
	at com.vaadin.server.communication.UIInitHandler.getBrowserDetailsUI(UIInitHandler.java:222) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
	at com.vaadin.server.communication.UIInitHandler.synchronizedHandleRequest(UIInitHandler.java:74) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]

Please describe in Wiki how to localize IDP identity provider

Environment

Platform version: 7.1.2
Addon version: 0.2.0

Description of the bug or enhancement

Minimal reproducible example

There are several translations of CUBA where the IDP is localized. Turkish for instance
See https://github.com/cuba-platform/translations/tree/master
In Identity Provider add some custom locale in the project properties
Add messages.properties from the needed translation
Start the server

Expected behavior
The IPD login page is localized
Actual behavior
The login page is not localized until locales.ini is not redefined in the project in web/idp/l10n (but not sure it is the most proper way)

Incorrectly working link

Environment

Platform version: 7.2.0
Addon version: 0.3.0

Description of the bug or enhancement

Minimal reproducible example

Import and run both projects
Go to http://fish:8081/app
Set User name = admin, login = admin
Click Sign in
Go to http://chips:8082/app/

Expected behavior
If you are still logged in to the Fish application, you will be automatically logged in as admin to Chips.
Actual behavior
If you are still logged in to the Fish application, you will not be automatically logged in as admin to Chips. You will stay in the Fish application

Unable to get REST API token if IDP enabled

Environment

Platform version: 7.1+
Addon version: 0.2+
Client type: Web, REST API

Description of the bug or enhancement

Minimal reproducible example

Create a project
Add REST API and IDP Add-ons
Configure IDP
Try to obtain REST API access token

Expected behavior

A response with an access token is returned

Actual behavior

Empty response is returned (in fact redirected)

Proposal

It seems that we can easily fix the problem with the following change in the BaseIdpSessionFilter class:

if (session.getAttribute(IDP_SESSION_ATTRIBUTE) == null) {
    if ("GET".equals(httpRequest.getMethod())
            && !StringUtils.startsWith(httpRequest.getRequestURI(), httpRequest.getContextPath() + "/PUSH")) {
        httpResponse.sendRedirect(getIdpRedirectUrl(httpRequest));
    } else {
        chain.doFilter(request, response);
    }
    return;
}

Test project

To be able to test the case you can use the idp-rest-demo project

Environment

Documentation version: 6.9
Part of the documentation: Manual

Description of the bug or enhancement

See: https://youtrack.haulmont.com/issue/PL-10712

REST-API integration does not work in 7.0

Environment

Platform version: 7.0.5
Addon version: 0.1.1
Client type: REST

Description of the bug or enhancement

Demo project: https://github.com/cuba-labs/idp-rest-demo
Checkout branch feature/platform-7.

Minimal reproducible example

Run application
Open http://localhost:8080/app/VAADIN/demo/idp-login-demo.html
Try to login

Actual behavior

Exception in log:

org.springframework.security.authentication.InsufficientAuthenticationException: There is no client authentication. Try adding an appropriate authentication filter.
	at com.haulmont.addon.idp.restapi.controllers.IdpAuthController.postAccessToken(IdpAuthController.java:121) ~[idp-web-0.1.1.jar:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_171]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_171]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_171]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_171]
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:189) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138) ~[spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102) ~[spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:892) ~[spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:797) ~[spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1038) ~[spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942) ~[spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005) [spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:908) [spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:661) [servlet-api.jar:na]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882) [spring-webmvc-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:na]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at com.haulmont.restapi.auth.CubaRestLastSecurityFilter.doFilter(CubaRestLastSecurityFilter.java:98) [cuba-rest-api-7.0.5.jar:7.0.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at com.haulmont.restapi.auth.CubaAnonymousAuthenticationFilter.doFilter(CubaAnonymousAuthenticationFilter.java:116) [cuba-rest-api-7.0.5.jar:7.0.5]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176) [spring-security-oauth2-2.3.5.RELEASE.jar:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at com.haulmont.restapi.sys.RestExceptionLoggingFilter.doFilter(RestExceptionLoggingFilter.java:42) [cuba-rest-api-7.0.5.jar:7.0.5]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:112) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:73) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.1.6.RELEASE.jar:5.1.6.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:103) [cuba-web-7.0.5.jar:7.0.5]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.23]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.23]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.23]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.23]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.23]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-coyote.jar:8.5.23]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.23]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-coyote.jar:8.5.23]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [tomcat-coyote.jar:8.5.23]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.23]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_171]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_171]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.23]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_171]

Upgrade add-on to CUBA 7.2 platform version.

Upgrade to CUBA 7.2-SNAPSHOT

Get rid of PasswordEncryption plainHash usage

The PasswordEncryption#getPlainHash() method is deprecated and should not be used.

It prevents correct login now:

17-Jan-2019 18:19:55.598 SEVERE [http-nio-8081-exec-17] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [idp] in context with path [/app] threw exception [Request processing failed; nested exception is java.lang.UnsupportedOperationException: Deprecated method] with root cause
 java.lang.UnsupportedOperationException: Deprecated method
	at com.haulmont.cuba.core.sys.encryption.BCryptEncryptionModule.getPlainHash(BCryptEncryptionModule.java:55)
	at com.haulmont.cuba.core.sys.PasswordEncryptionImpl.getPlainHash(PasswordEncryptionImpl.java:99)
	at com.haulmont.addon.idp.idp.controllers.IdpLoginManager.login(IdpLoginManager.java:81)
	at com.haulmont.addon.idp.idp.controllers.IdpController.authenticate(IdpController.java:268)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:215)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:142)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:800)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1038)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:998)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:901)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:875)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:103)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

Do not consider slash on the end of a serviceProviderUrl

Following the documentation https://doc.cuba-platform.com/manual-6.7/sso_example.html

Configure IDP as written , but specify ''cuba.webAppUrl'' without slash at the end.

cuba.webAppUrl = http://localhost:8080/app
......

cuba.idp.serviceProviderUrls = http://foo:8081/app/, http://bar:8082/app/, http://localhost:8080/app/

start the application
Open UI. IDP login page is opened

!image3.png!

Input correct credentials

AR: incorrect URL is opened. The first URL in the 'cuba.idp.serviceProviderUrls' list is opened.

!image4.png!

"http://localhost:8080/app" and "http://localhost:8080/app/" are considered as different but it seems they are the same.

!image.png!

Original issue: https://youtrack.haulmont.com/issue/PL-10108

cuba-platform / idp-addon Goto Github PK

idp-addon's Introduction

CUBA IDP Add-on

Overview

Installation

From the Marketplace

By Coordinates

Configuration

Demo

idp-addon's People

Contributors

Stargazers

Watchers

Forkers

idp-addon's Issues

Environment

Description of the bug or enhancement

Environment

Description of the bug or enhancement

Environment

Description of the bug or enhancement

Environment

Description of the bug or enhancement

Proposal

Test project

Environment

Description of the bug or enhancement

Environment

Description of the bug or enhancement

Recommend Projects

Recommend Topics

Recommend Org