From: Tim K. <t.k...@fz...> - 2018-07-19 11:59:25
Attachments:
smime.p7s
Hi Krzysztof,

I have configured two different SAMLUnicoreSoapIdP endpoints with two different oauth-rp with cxf-oauth-bearer authenticators. In the configuration of the authenticators I used the attribute 'unity.oauth2-rp.cacheTime'. Do these two different authenticators use the same cache?

A UNICORE/X server is configured against these two endpoints. It depends on the order of the connections to the endpoints whether my token is validated correctly or not. If hbpoidc is connected first, the given bearer token is unknown (which is ok, because it was granted from myunity, not from the external MITRE OAuth Authorization Server). But when connecting to the second endpoint after the first one, it says "Caching token for null ...". When changing the order and connecting to the unity Authorization Server first, everything works fine.

Best regards,
Tim Kreuzer

unity-server.log:

2018-07-19T09:36:44,348 [qtp256719132-38] DEBUG unity.server.oauth.ResultsCache: Caching token validation result for null: false expiry: Thu Jul 19 09:37:04 CEST 2018
2018-07-19T09:36:44,365 [qtp256719132-38] DEBUG unity.server.rest.AuthenticationInterceptor: Authentication set failed to authenticate the client, will try another: pl.edu.icm.unity.engine.api.authn.AuthenticationException: AuthenticationProcessorUtil.authnFailed
2018-07-19T09:36:44,365 [qtp256719132-38] INFO unity.server.rest.AuthenticationInterceptor: Authentication failed for client
2018-07-19T09:36:44,365 [qtp256719132-38] WARN org.apache.cxf.phase.PhaseInterceptorChain: Interceptor for {http://ws.samlidp.unicore.unity.icm.edu.pl/}SAMLETDAuthnImplService#{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Invalid user name, credential or external authentication failed.
        at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:114) ~[unity-server-rest-2.5.0.jar:?]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:262) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:218) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) [javax.servlet-api-3.1.0.jar:3.1.0]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:274) [cxf-rt-transports-http-3.1.10.jar:3.1.10]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865) [jetty-servlet-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535) [jetty-servlet-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) [jetty-servlet-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335) [jetty-rewrite-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:674) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.Server.handle(Server.java:531) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) [jetty-server-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281) [jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102) [jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:291) [jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.io.ssl.SslConnection$3.succeeded(SslConnection.java:151) [jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102) [jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) [jetty-io-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:760) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:678) [jetty-util-9.4.10.v20180503.jar:9.4.10.v20180503]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by: pl.edu.icm.unity.engine.api.authn.AuthenticationException: Invalid user name, credential or external authentication failed.
        at pl.edu.icm.unity.rest.authn.AuthenticationInterceptor.handleMessage(AuthenticationInterceptor.java:105) ~[unity-server-rest-2.5.0.jar:?]
        ... 45 more

Configuration:

unityServer.conf:
...
unityServer.core.authenticators.hbpoidc.authenticatorName=hbpoidc
unityServer.core.authenticators.hbpoidc.authenticatorType=oauth-rp with cxf-oauth-bearer
unityServer.core.authenticators.hbpoidc.verificatorConfigurationFile=${CONF}/authenticators/hbp-remoteOAuth.properties
unityServer.core.authenticators.jupyteroauthRPcxf.authenticatorName=jupyteroauthRP-cxf
unityServer.core.authenticators.jupyteroauthRPcxf.authenticatorType=oauth-rp with cxf-oauth-bearer
unityServer.core.authenticators.jupyteroauthRPcxf.retrievalConfigurationFile=conf/authenticators/empty.json
unityServer.core.authenticators.jupyteroauthRPcxf.verificatorConfigurationFile=conf/authenticators/jupyter-internalOAuthRP.properties
...

hbp-remoteOAuth.properties:
unity.oauth2-rp.verificationProtocol=mitre
....
unity.oauth2-rp.translationProfile=hbp-tr-input-oauth
unity.oauth2-rp.cacheTime=20
....

jupyter-internalOAuthRP.properties:
unity.oauth2-rp.verificationProtocol=unity
unity.oauth2-rp.profileEndpoint=https://myunity.../oauth2/userinfo
unity.oauth2-rp.verificationEndpoint=https://myunity.../oauth2/tokeninfo
unity.oauth2-rp.translationProfile=jupyter-tr-input-oauth
....

samlIdP.module:
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointConfigurationFile=${CONF}/modules/saml/hbp-saml-webidp.properties
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.contextPath=/hbp-unicore-soapidp-oidc
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointRealm=defaultRealm
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointName=HBP UNICORE SOAP SAML OIDCservice
unityServer.core.endpoints.hbpsamlUnicoreSoapIdPoidc.endpointAuthenticators=hbpoidc
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointType=SAMLUnicoreSoapIdP
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointConfigurationFile=${CONF}/modules/saml/jupyter-saml-webidp.properties
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.contextPath=/jupyter-unicore-soapidp-oidc
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointRealm=defaultRealm
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointName=Jupyter@JSC UNICORE SOAP SAML service
unityServer.core.endpoints.jupytersamlUnicoreSoapIdP.endpointAuthenticators=jupyteroauthRP-cxf

And in the UNICORE/X configuration:
container.security.rest.authentication.UNITY-OIDC.class=eu.unicore.services.rest.security.UnityOAuthAuthenticator
container.security.rest.authentication.UNITY-OIDC.address=https://unity-jsc.fz-juelich.de/hbp-unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService
container.security.rest.authentication.UNITY-OIDC.validate=true
container.security.rest.authentication.JHUB.class=eu.unicore.services.rest.security.UnityOAuthAuthenticator
container.security.rest.authentication.JHUB.address=https://unity-jsc.fz-juelich.de/jupyter-unicore-soapidp-oidc/saml2unicoreidp-soap/AuthenticationService
container.security.rest.authentication.JHUB.validate=true
container.security.rest.authentication.order=UNITY-OIDC JHUB

(If the order is JHUB UNITY-OIDC, everything is fine.)

--
M.Sc.
Tim Kreuzer
Federated Systems and Data
Jülich Supercomputing Centre, http://www.fz-juelich.de/jsc
Phone: +49 2461 61-1583
From: Krzysztof B. <kb...@un...> - 2018-07-23 17:32:21
Hi Tim,

On 19.07.2018 at 13:58, Tim Kreuzer wrote:
>
> Hi Krzysztof,
>
> I have configured two different SAMLUnicoreSoapIdP endpoints with
> two different oauth-rp with cxf-oauth-bearer authenticators. In the
> configuration of the authenticators I used the attribute
> 'unity.oauth2-rp.cacheTime'. Do these two different authenticators
> use the same cache?
>

Yes, I've checked this and cache instances are shared between all authenticators. That's a bug, actually, as configuration is per authenticator and therefore we should have a separate cache per each authenticator too. Should be easy to fix; it should be included in 2.6.1.

Thanks for spotting this and the precise description of the problem,
Krzysztof
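Editor's note: the model below is an added illustration of the sharing Krzysztof confirms, not code from Unity IdM (which is Java) or from either poster. ResultsCache borrows only the logger name visible in Tim's log; OAuthRPAuthenticator, simulate_request, cross_acceptance, the two token-info stand-ins and the token "tok-abc" are all hypothetical, and the timestamps are constructed. It reproduces the order dependence Tim saw (a negative verdict from the MITRE-backed authenticator answered for the Unity-backed one) and shows that a per-authenticator cache removes it. The "null" cache key in the log is not modelled.

```python
"""Model of one token-validation cache shared by two oauth-rp authenticators
versus one cache per authenticator.  Added illustration, not Unity's code;
all names and sample values are hypothetical / constructed."""
from typing import Callable, Dict, Optional, Tuple


class ResultsCache:
    """Caches a token's verdict for cache_time seconds.  Keyed by the token
    only, so a shared instance cannot tell which verifier produced a verdict."""

    def __init__(self, cache_time: float) -> None:
        self.cache_time = cache_time
        self._entries: Dict[str, Tuple[bool, float]] = {}

    def get(self, token: str, now: float) -> Optional[bool]:
        hit = self._entries.get(token)
        if hit is None:
            return None
        verdict, expiry = hit
        if now >= expiry:            # stale entry: drop it, force a fresh check
            del self._entries[token]
            return None
        return verdict

    def put(self, token: str, verdict: bool, now: float) -> None:
        self._entries[token] = (verdict, now + self.cache_time)


class OAuthRPAuthenticator:
    """Asks its remote token-info endpoint (a callable stand-in here) unless
    the cache it was given already holds a verdict for the token."""

    def __init__(self, name: str, tokeninfo: Callable[[str], bool],
                 cache: ResultsCache) -> None:
        self.name = name
        self._tokeninfo = tokeninfo
        self.cache = cache
        self.remote_calls = 0        # how often the remote endpoint was really asked

    def authenticate(self, token: str, now: float) -> bool:
        cached = self.cache.get(token, now)
        if cached is not None:
            return cached
        self.remote_calls += 1
        verdict = self._tokeninfo(token)
        self.cache.put(token, verdict, now)
        return verdict


# Constructed sample data: myunity issued tok-abc; the external MITRE AS never saw it.
MYUNITY_ISSUED = {"tok-abc"}


def mitre_tokeninfo(token: str) -> bool:
    return False                     # stand-in for the external MITRE authorization server


def unity_tokeninfo(token: str) -> bool:
    return token in MYUNITY_ISSUED   # stand-in for https://myunity.../oauth2/tokeninfo


def build_authenticators(shared: bool, cache_time: float = 20.0) -> Dict[str, OAuthRPAuthenticator]:
    """The two authenticators from the thread, either sharing one ResultsCache
    (the behaviour Krzysztof confirms for 2.5.0) or owning one each (the fix)."""
    one = ResultsCache(cache_time)
    make = (lambda: one) if shared else (lambda: ResultsCache(cache_time))
    return {
        "hbpoidc": OAuthRPAuthenticator("hbpoidc", mitre_tokeninfo, make()),
        "jupyteroauthRP-cxf": OAuthRPAuthenticator("jupyteroauthRP-cxf", unity_tokeninfo, make()),
    }


def simulate_request(order: Tuple[str, ...], shared: bool,
                     token: str = "tok-abc", now: float = 1000.0) -> Dict[str, bool]:
    """One UNICORE/X request trying the authenticators in `order` and stopping
    at the first acceptance (container.security.rest.authentication.order).
    Returns the verdict of every authenticator that was consulted."""
    authns = build_authenticators(shared)
    verdicts: Dict[str, bool] = {}
    for name in order:
        ok = authns[name].authenticate(token, now)
        verdicts[name] = ok
        if ok:
            break
    return verdicts


def cross_acceptance(now: float = 1000.0) -> Tuple[bool, int]:
    """Mirror image of Tim's symptom, implied by the same sharing: once the
    Unity-backed authenticator cached True, the MITRE-backed one answers True
    without asking MITRE.  Returns (hbpoidc verdict, hbpoidc remote calls)."""
    authns = build_authenticators(shared=True)
    authns["jupyteroauthRP-cxf"].authenticate("tok-abc", now)
    hbp = authns["hbpoidc"]
    return hbp.authenticate("tok-abc", now + 1), hbp.remote_calls


if __name__ == "__main__":
    print("shared, order UNITY-OIDC JHUB :", simulate_request(("hbpoidc", "jupyteroauthRP-cxf"), True))
    print("shared, order JHUB UNITY-OIDC :", simulate_request(("jupyteroauthRP-cxf", "hbpoidc"), True))
    print("per-authn, order UNITY-OIDC JHUB:", simulate_request(("hbpoidc", "jupyteroauthRP-cxf"), False))
    print("shared cache, cross-acceptance  :", cross_acceptance())
```

With the shared cache and the order UNITY-OIDC JHUB, hbpoidc caches False for the token and jupyteroauthRP-cxf returns that verdict without ever calling https://myunity.../oauth2/tokeninfo, which is the spurious "Authentication failed for client" in the log; reversing the order hides the problem only because the first authenticator already accepts. The cross_acceptance case is not something the thread reports, but it follows from a cache keyed solely by token value: a positive verdict obtained from one issuer's verifier would be served to an authenticator configured for a different issuer. Either a cache instance per authenticator, as Krzysztof proposes for 2.6.1, or a key of (authenticator, token) closes both directions.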