Hi,
I’m having problems with Shibboleth on GeoNetwork 2.10.4 (war).
I need to set up SSO, but when I call shib.user.login the browser sends me the error “This page is not redirecting properly”.
I’ve followed this guide on github https://github.com/geosolutions-it/core-geonetwork/wiki/Shibboleth-setup-on-2.10.x and all is configured properly.
What can I do? I have the source code from github and I think it is a Spring-security-web related problem, but I don’t know how to resolve it.
Thanks,
Gioele Minardi
This is the error in catalina.out with GeoNetwork in DEBUG mode for logging:
Hi Gioele,
never seen this error before; anyway you may try reordering the filter list at
https://github.com/geonetwork/core-geonetwork/blob/2.10.x/web/src/main/webapp/WEB-INF/config-security-core.xml#L60
as described in this page:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/ns-config.html#filter-stack
Cheers,
Emanuele
On Monday 16 February 2015 at 18:10:41, Gioele Minardi wrote:
This is the error in catalina.out with GeoNetwork in DEBUG mode for
logging:
[...]
2015-02-16 18:05:41,901 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:327)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:197)
at jeeves.config.springutil.GeonetworkFilterSecurityInterceptor.invoke(GeonetworkFilterSecurityInterceptor.java:41)
[...]
2015-02-16 18:05:41,901 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:327)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:197)
at jeeves.config.springutil.GeonetworkFilterSecurityInterceptor.invoke(GeonetworkFilterSecurityInterceptor.java:41)
[...]
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - DefaultSavedRequest added to Session: DefaultSavedRequest[https://<website>/geonetwork/srv/ita/shib.user.login]
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.savedrequest.HttpSessionRequestCache] - DefaultSavedRequest added to Session: DefaultSavedRequest[https://<website>/geonetwork/srv/ita/shib.user.login]
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Calling Authentication entry point.
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - Calling Authentication entry point.
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] - Redirecting to 'https://<website>/geonetwork/srv/ita/shib.user.login'
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] - Redirecting to 'https://<website>/geonetwork/srv/ita/shib.user.login'
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
2015-02-16 18:05:41,902 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - SecurityContextHolder now cleared, as request processing completed
//END OF CATALINA.OUT
--
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
Ing. Emanuele Tajariol
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 380 2116282
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
Thanks Emanuele, but it doesn’t work. I think that the error “This page is not redirecting properly” is somehow related to an infinite redirection loop, because in the Tomcat log I have found that when I call the shib.user.login service, it throws an exception and afterwards calls the entry point again, which is shib.user.login again. It calls itself about 21 times and then the browser stops the request and displays the error. This error is raised only when I call the shib.user.login service after uncommenting the line, in config-security.xml, with the import of config-security-shibboleth.xml (I have rearranged the filter list here, also).
[…]
[org.springframework.security.web.access.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:327)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:197)
[…]
Hi,
On Tue, Feb 17, 2015 at 3:36 PM, Gioele Minardi
<gioele.minardi@anonymised.com> wrote:
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException:
An Authentication object was not found in the SecurityContext
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:327)
Could it be that the shibboleth authentication failed? So it tries
with the rest of the authentication chain. Do you have any other app
configured where you can test the login?
Regards,
María.
Yes, I have two more apps and all of them authenticate against Shibboleth. This problem is driving me crazy.
Thanks,
Gioele
Hi Gioele,
please note that the Shibboleth authentication in GeoNetwork does need
the mod_shib module in Apache for performing the needed redirection toward the
IdP. This is also stated in the page you referred to:
https://github.com/geosolutions-it/core-geonetwork/wiki/Shibboleth-setup-on-2.10.x
Please make sure that mod_shib puts in the needed headers when forwarding the
user request to the shib.user.login service.
Cheers,
Emanuele
Apache has mod_shib and other apps in Tomcat work like a charm with Shibboleth.
Apache uses ajp connector to communicate with tomcats and for passing the IDP attributes (on the same tomcat another app is working without problems).
Can I modify the shib.user.login service and add a log function to it? How can I do this?
Thank you,
Gioele
Hi Gioele,
> Can I modify the shib.user.login service and add a log function to it?
> How can I do this?
The service does nothing, as you can see here
https://github.com/geonetwork/core-geonetwork/blob/2.10.x/web/src/main/java/org/fao/geonet/services/login/ShibLogin.java
The authentication flow is driven by Spring, so you should take a look at
https://github.com/geonetwork/core-geonetwork/blob/2.10.x/web/src/main/java/org/fao/geonet/kernel/security/shibboleth/ShibbolethPreAuthFilter.java
I guess you only need to add this line
log4j.logger.geonetwork.auth = DEBUG
to your log4j.cfg file.
Cheers,
Emanuele
I have started Tomcat in remote debug mode and I discovered that GeoNetwork doesn't receive the session attributes from the Service Provider.
It is strange because another app in the same Tomcat receives all the attributes.
I will continue to investigate and will warn you when I find something.
Cheers,
Gioele
Hi Gioele,
Also make sure you have properly mapped the Shibboleth auth attributes:
https://github.com/geonetwork/core-geonetwork/blob/2.10.x/web/src/main/webapp/WEB-INF/config-security-shibboleth-overrides.properties
Cheers,
Emanuele
Yes, I have. In debug mode I found that the request object is empty; at least, it does not contain any attributes, as if they are not received by Tomcat (even if it receives them for other apps).
The method that fails (it returns null) is MinimalUser.create() in the ShibbolethPreAuthFilter class (line 92), because it takes the request as first parameter, and the request doesn't have the required attributes sent from the service provider.
Gioele
*RESOLVED*
In the Apache config I had not added the directive "ShibUserHeaders On" (in the document on github it was not expected).
Now it works.
Thank you all for the help,
Gioele
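The redirect loop discussed in this thread can be confirmed from the Spring Security DEBUG log alone: the URL that HttpSessionRequestCache saves as the refused request is the same URL the entry point then redirects to. The script below is an added example, not part of the original thread or of GeoNetwork; its sample log is constructed from the excerpt quoted above, and `some.protected.service` is a hypothetical service name used as a non-looping control.

```python
import re
from collections import Counter

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
SAVED = re.compile(r"DefaultSavedRequest added to Session:\s*DefaultSavedRequest\[([^\]]+)\]")
REDIRECT = re.compile(r"Redirecting to '([^']+)'")

LOGIN = "https://<website>/geonetwork/srv/ita/shib.user.login"
# Hypothetical service name, used only as a non-looping control case.
OTHER = "https://<website>/geonetwork/srv/ita/some.protected.service"


def make_round(ts, requested, target, copies=2):
    """Constructed sample: one refused request as Spring Security logs it.
    Every record is emitted `copies` times, as in the thread's catalina.out."""
    p = "org.springframework.security"
    recs = [
        f"{ts} DEBUG [{p}.web.access.ExceptionTranslationFilter] - Authentication "
        "exception occurred; redirecting to authentication entry point\n"
        f"{p}.authentication.AuthenticationCredentialsNotFoundException: "
        "An Authentication object was not found in the SecurityContext",
        f"{ts} DEBUG [{p}.web.savedrequest.HttpSessionRequestCache] - "
        f"DefaultSavedRequest added to Session: DefaultSavedRequest[{requested}]",
        f"{ts} DEBUG [{p}.web.DefaultRedirectStrategy] - Redirecting to '{target}'",
    ]
    return "\n".join(r for r in recs for _ in range(copies))


# Two loop iterations on the login URL, then one ordinary refused request.
SAMPLE_LOG = "\n".join([
    make_round("2015-02-16 18:05:41,901", LOGIN, LOGIN),
    make_round("2015-02-16 18:05:41,950", LOGIN, LOGIN),
    make_round("2015-02-16 18:06:02,120", OTHER, LOGIN),
])


def records(log_text):
    """Group physical lines into log records; stack-trace lines belong to the
    timestamped line that precedes them."""
    current = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) and current:
            yield "\n".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield "\n".join(current)


def dedupe_adjacent(recs):
    """Drop a record identical to the previous one (same timestamp and text)."""
    previous = None
    for rec in recs:
        if rec != previous:
            yield rec
        previous = rec


def entry_point_self_redirects(log_text):
    """Return {url: count} of redirects whose target is the very request that
    was just refused and saved, i.e. the entry point is itself being denied."""
    hits = Counter()
    saved_url = None
    for rec in dedupe_adjacent(records(log_text)):
        saved = SAVED.search(rec)
        if saved:
            saved_url = saved.group(1)
            continue
        redirect = REDIRECT.search(rec)
        if redirect:
            if saved_url is not None and redirect.group(1) == saved_url:
                hits[saved_url] += 1
            saved_url = None
    return dict(hits)


if __name__ == "__main__":
    for url, count in entry_point_self_redirects(SAMPLE_LOG).items():
        print(f"entry point redirects to itself {count}x: {url}")
```

A non-empty result means the login URL is reached without an Authentication object, so the next thing to check is whether the pre-authentication filter is receiving the Shibboleth attributes at all.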
_______________________________________________
GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork