Auth: make redirect_uri use https if connected over https

[inodb]

Right now redirect_uri always uses http. This causes issues when using e.g. microsoft authentication. One needs to then specifically set --proxy-base-url to https e.g. https://github.com/knowledgesystems/knowledgesystems-k8s-deployment/blob/master/cbioportal/cbioportal_spring_boot.yaml#L120-L124

The logic should be:

• redirect to http when coming from http
• redirect to https when coming from https

If this is not possible then the default should prolly be https. Do note that we still have several instances using http, so we should have some way to override it (e.g. pdx/cbioportal.org/pdx)

[jjgao]

should we always use https? What's the benefit of supporting both http and https?

[inodb]

I think the logic should be:

• redirect to http when coming from http
• redirect to https when coming from https

We're still using http for schultz-tomcat apps

[inodb]

@pvannierop and @oplantalech ran into the same issue with saml

[pvannierop]

Yes, we run our container this way now (configured via .env file specifying -Dauthenticate=saml):

/bin/sh -c "java ${JAVA_OPTS} -jar /webapp-runner.jar --proxy-base-url ${PROXY_BASE_URL} /cbioportal-webapp"

[inodb]

For reference. We use the same solution on our production machine on AWS: https://github.com/knowledgesystems/knowledgesystems-k8s-deployment/blob/master/cbioportal/cbioportal_spring_boot.yaml#L125-L126

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[inodb]

wont fix soon :) but still an issue

[inodb]

ran into this issue again, b/c of forgetting to update --proxy-base-url for https://github.com/knowledgesystems/knowledgesystems-k8s-deployment/issues/70. Maybe good to at least make the default https?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[mdorr]

Hi everybody,

We just ran into this issue as well, and it would be great if the --proxy-base-url parameter would be featured more prominent in the documentation. This could be a good place to put it, with the paragraph talking about running cBioPortal behind a reverse proxy: https://docs.cbioportal.org/2.2-authorization-and-authentication/authenticating-users-via-saml#modifying-configuration

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[inodb]

Thanks for the pointer @mdorr - added a small note to that section of the docs for now

[j-hudecek]

If you're running cBioPortal in an old-school Tomcat process behind a reverse proxy you need to make sure X-Forwarded-Proto HTTP header is set by your reverse proxy and add the RemoveIpValve to your configuration (cbioportal-specific or server.xml) https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html with at least

 <Valve className="org.apache.catalina.valves.RemoteIpValve" 
      protocolHeader="x-forwarded-proto" />

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[NoeRzPz]

If you're running cBioPortal in an old-school Tomcat process behind a reverse proxy you need to make sure X-Forwarded-Proto HTTP header is set by your reverse proxy and add the RemoveIpValve to your configuration (cbioportal-specific or server.xml) https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html with at least

 <Valve className="org.apache.catalina.valves.RemoteIpValve" 
      protocolHeader="x-forwarded-proto" />

Hi! I'm running cbioportal in a docker container: IMAGE cbioportal/cbioportal:5.4.10, PORTS 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, NAMES cbioportal-container Where inside this container should I add the RemoveIpValve?