search

grith / sibboleth

Non-web shibboleth client
5 stars 3 forks source link

Sibboleth breaks with IdP 2.3.0+ #2

Closed makkus closed 13 years ago

makkus commented 13 years ago

Pasted from an Email from @vladimir-mencl-eresearch :

Just found the SLCS client library breaks with IdP 2.3.0+

And I've so far tracked it down to the point where the IdP returns back the auto-submit form with the signed assertion to be posted to the SP.

In earlier versions, the address where the form should be submitted was specified as:

but in IdP 2.3.0+, it is I.e., all colons and slashes in the target URL are encoded as xml entity references - : and / The SLCS client library does not decode the characters, and in turn interprets the location as relative to the document base, and ends up submitting the form back to the IdP instead of to the SP - this is what I saw in the IdP Apache logs: > 132.181.64.117 - - [11/Aug/2011:11:29:12 +1200] "GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 200 14370 > 132.181.64.117 - - [11/Aug/2011:11:29:12 +1200] "POST /idp/profile/SAML2/Redirect/https://slcstest.arcs.org.au/Shibboleth.sso/SAML2/POST HTTP/1.1" 200 3493 The first line is the request that returns the form. The second is the form being submitted back to the IdP at a bogus URL (and returning back an error page). Grix then fails with a blank error message window titled "Login error". Do you think one of you would be able to fix this? It's becoming rather urgent, as the recent security advisories published for Shibboleth will be pushing more IdPs to upgrade to 2.3.2+, where this issue kicks in. I'd be happy to help with testing, so that we can get updated Grix & Grisu pushed out soon. And, the issue is affecting Gricli as well. Please let me know whether you think this can be fixed soon.
vladimir-mencl-eresearch commented 13 years ago

Hi, github markdown has deleted the snippets of how the form target URL was encoded - pasting again, escaped properly:

In earlier versions, the address where the form should be submitted was specified as:

<form action="https://slcstest.arcs.org.au/Shibboleth.sso/SAML2/POST" method="post">

but in IdP 2.3.0+, it is

<form action="https&#x3a;&#x2f;&#x2f;slcstest.arcs.org.au&#x2f;Shibboleth.sso&#x2f;SAML2&#x2f;POST" method="post">

vladimir-mencl-eresearch commented 13 years ago

PS: I think the fix could be quite easy - just wrapping the URL into an XML entity decode call.

The hard part would be finding where to insert the wrapping and what exactly should the URL be wrapped into :-)

russell commented 13 years ago

could you please send me a full copy of the html, i'll add an intergration test to handle it. I have a fair idea where to add the decode call but it would be better if i can expand the tests while i do it.

vladimir-mencl-eresearch commented 13 years ago

Hi,

This is the HTML ... trying to figure out if I can attach a file, but so far pasting here:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

    <body onload="document.forms[0].submit()">
        <noscript>
            <p>
                <strong>Note:</strong> Since your browser does not support JavaScript,
                you must press the Continue button once to proceed.
            </p>
        </noscript>

        <form action="https&#x3a;&#x2f;&#x2f;slcstest.arcs.org.au&#x2f;Shibboleth.sso&#x2f;SAML2&#x2f;POST" method="post">
            <div>
                <input type="hidden" name="RelayState" value="cookie&#x3a;58a2faee"/>                

                <input type="hidden" name="SAMLResponse" value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9zbGNzdGVzdC5hcmNzLm9yZy5hdS9TaGliYm9sZXRoLnNzby9TQU1MMi9QT1NUIiBJRD0iXzA4M2EwMmI2OTc0ODY3NDBhODM0MjZiZDRjNzU0NmRkIiBJblJlc3BvbnNlVG89Il8xZGI5MWUzOGIxMmFiNmEyNWE3YTU4MWMwMzIxYTliMCIgSXNzdWVJbnN0YW50PSIyMDExLTA4LTE0VDIyOjE4OjIxLjIxMFoiIFZlcnNpb249IjIuMCI+PHNhbWwyOklzc3VlciB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiPmh0dHBzOi8vdmlydHVhbGhvbWUudGVzdC50dWFraXJpLmFjLm56L2lkcC9zaGliYm9sZXRoPC9zYW1sMjpJc3N1ZXI+PHNhbWwycDpTdGF0dXM+PHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM+PHNhbWwyOkVuY3J5cHRlZEFzc2VydGlvbiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHhlbmM6RW5jcnlwdGVkRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiIElkPSJfOWM5YTc4ZjdiNzZiODE2ZjdkZDg0YTYxNDM3ZGQ3MDAiIFR5cGU9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI0VsZW1lbnQiPjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNhZXMxMjgtY2JjIiB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiLz48ZHM6S2V5SW5mbyB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PHhlbmM6RW5jcnlwdGVkS2V5IElkPSJfY2E0ZjA1NTYxYmQ2ZmVhYzE5MTE5MGZiZjIwMGYyNTMiIHhtbG5zOnhlbmM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PHhlbmM6RW5jcnlwdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jI3JzYS1vYWVwLW1nZjFwIiB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiLz48L3hlbmM6RW5jcnlwdGlvbk1ldGhvZD48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE+PGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlETERDQ0FoU2dBd0lCQWdJSkFQck5UMUcwMnFFcE1BMEdDU3FHU0liM0RRRUJCUVVBTUI4eEhUQWJCZ05WQkFNVEZITnNZM04wClpYTjBMbUZ5WTNNdWIzSm5MbUYxTUI0WERUQTVNRGd3TWpJek5UZ3pPVm9YRFRFeU1EZ3dNVEl6TlRnek9Wb3dIekVkTUJzR0ExVUUKQXhNVWMyeGpjM1JsYzNRdVlYSmpjeTV2Y21jdVlYVXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDNwp4bmY2aXgvR1pRaUY0OFdXVHVKNmRYN2liVzZ3bTZqN254dEhlRTFuamZpc1J3SkxJdzF6NEQzUzhmZDVuZ1FsQXdDb0t4dW9vZ2g4CjVFRjFWdEw3U0hPK1YxcTg0SkhZM051bUlWU3JyeFFyUFg4Um5vL0dqL0EwTnRvMHh2TlhFS2JsSjBRTC96ci9mdzlhWXAxYnBqWkkKYlY2cThUWUFWbEl1M1hYNEFJTks5bEltUnNTM2NmTDAvejlJWE1lYmorVmpVY3VmZGFZYkRSZUpRQVFtNnVSV04zeUdmQTliNG1ySQpaeUFHeVNPL091dW5sdGZNMnBua0x6SEYyRy9senZCcjAyUDNDVmpyaGREQlJ6L09idHJDNUdUTUh4SkwzUFUvSVoxMlk4TERRZG9CCjgvOVFSUHVNRGRncFl3eFN3K0U5VE0wREk3WEJRMDF5dHlPM0FnTUJBQUdqYXpCcE1CMEdBMVVkRGdRV0JCUXVJYXNyUyszRmlWSFYKbk1YN3NsMWdjSE1nSURCSUJnTlZIUkVFUVRBL2doUnpiR056ZEdWemRDNWhjbU56TG05eVp5NWhkWVluYUhSMGNITTZMeTl6YkdOegpkR1Z6ZEM1aGNtTnpMbTl5Wnk1aGRTOXphR2xpWW05c1pYUm9NQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUJwOXF6OHRJT1JCRkpqCm15bXVwM3JOZE0vWkx4dHUzRlppb0ljc2hCbjlTMmJOaWxWRXFNYml4TXB0TWYvOEpHeU1udHdIUVA4VFBBQllyZlhBOVpxK2N3dWgKTUhXRUZXTUxWV2F2VTRMVVRveENuQTBxTTRTcW1TaUYwVERGbWM1SDh4UW03MGlaRzYwcjRNWnkrc3hNSThuMkpzekFueGx3TlVLagpLUmtVUzZ0MVM1VTdmNXc2dUFpVjNsbDE4bGdTTUFTV3piN1BkVDcyQSt4d0tFamUzcGxNYXpncG13T1o4cS9xcEhJaHpKT083N01iCnNwekc3cUg4ZzNFdEZDVU0wenZSdEUzVHZyeDdYNWJ5M050SmRpYTA4TGUvSDIybzZuMkhYbUliZ0g4RFJMT1ZVSDdaUzRNbExpY24KTzU0ZWcxVkJsc2ovTmlLVVJyQ2lRWStZPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PHhlbmM6Q2lwaGVyRGF0YSB4bWxuczp4ZW5jPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyMiPjx4ZW5jOkNpcGhlclZhbHVlPkRPK2RrakErb3k3eGxNZWFyV1lZd0VkQzZ6b0phSWJzOVViWmJ5akI2ZVhyK09wdmY1bjJZeUpaSVFQSzFBYjRIZXdyaDdERVljNUhEeU9aS0phVDJPOWdreUtzU1YyVjg5WjlrcGRraUhxOFZPQ0VoVndaOERoT3dkTFpnMWhSN3hNdXdWR21YMm9ycW13NU55ZXVhWENPclpnZUxrbHJqS24vVmJTcDdwM0lvN0ZjNXMrMjlCcXJIa00xYmJ3aGVGME1wMmJpUGRnUnZKRWlxTTIrMXVwekkzM0RTa1RIdk10V2k2emdBQ3dYRWFsT1RmQ2o3NHNXKzh6WnE2am40QWZkRXpmbjN2ZllHbndET1FOcEJpbnY0dkhOUVlnaWxmcm9tem5XVGhBOW9lYXRNV3BMenlCaTB4L0ovVGZISG1YSUJLWm0zQ1VrWVgraFU1Sm9kQT09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kczpLZXlJbmZvPjx4ZW5jOkNpcGhlckRhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48eGVuYzpDaXBoZXJWYWx1ZT5yVDFmTTdyWDVmMFpXbEVxQVcwRU5IMUNPcnFHQVZDMXErem9qTEdTR3NNalJvclBWYmEwZ1V5ZHpyZlRpSjkySFVhU3c2YnhmekUzeTY2Yk4yREU3VHFSRzM0Q2ZvL0ZSblRkZDA1ZHVvY24wdmR3SU9HOUtVR3A4QlpxUE9sQ05yVXQ2UG1GaWJPak0yM0tzdnYvZzZFUWN2SllDUHNobktzY0hQOHh3K1BBK3FNeStSSmZ4REpucGxEMkIwYTE0OW9GYnhWTWhBcnJHZmVJYzBsM1ppUlNKOGdZcDZnS1ZHODl5M2w2NzN1bHRjZlFBeDFHaXpVa1F6UlZJVzFxUlZhTDFtM3BRWUFyN3JUMlVpT3VrckIzTHlYZWZIKys5Z1pSQXZ3clVMY21vTDlvMHJEckF4Y1R4eEp5UThsWHMwaVdFZFkvM1BXYUYzVXZ5NWpLaTNqS0hRZS9lQlcxVC9RaGYzajdSZDJrckxmbk9QbTRCVjl6Z0w0OUxHQmtTSFQxcGdvOFpKRXlMRmFLQmkxR2lnbGV3Nk12YWl1ZXB4RG9kTU1qMW1Uc1dnQ1Vza1Zybkh3TVVjVWJOUmplTTBVNHEwYllTK2xqdm15K0FDSy9NSnZhRzFkY1BLMERLaFg2OE5LNDBBZ3A2RVM0TFpIVEJ2WjBlYmhOcXRHcmNhL2VEZ0RrbGxuaUUwU05wcldQVXI3emh1YmhseEd0czl5Rmo4TnFBWnRGTE1GaVVYU05mc2NBNnI4Rm9yVllSMDlucy9hYXlQSWw4R0hRZ3pzd2hlUkNINmRCcHUrTFpGcU9LVTBTeU9ENGVyR3BwQXJaeFY3aHlrdUltY3kzeFpqSzRsbm9XakNaU2dxQk51aldqc29TazJnVEVmcGJkTnU5RXMxMFBWb0NBZXBod2pWY2x4bDZ1MFpKd3htNnZjNThkVEhxVW1pcXI4MUM4MGhLNW14WE1PR0pkdlppMjFSWVVFNWZrMGFXbWpJU1pBeHZPV1E2aVNSVjdoa296cUJ4ZjB1SjJXc1RObWpvZFo1ZmJFWXYzZVRzTmVDeEROeDdJbWdxUlRrZG9UeVpyNndmS3pUSmZvYTkwU3VFN0ZCUGxxOFFkVjVRVGVJN3YvNDFwejdOQkRzOGQ3SHJ0dkFNeWtqTGpOYzFJRER1bHdEUCswRkJvbnFMZEZCSFNmR3orY3lET1JnTGNya2ZvQzVTbFVybE0yaURpV0dCQnlwS2NXNndRY1hMRHA0bjJodmZEZlU3YkQ4Q3pDRWhNQytzV0YvNnVkMGcxY2pqc1lmWEo5dXR4N0djVjJWcFdqQ2VlUGdIS2RzV0ZtbEI3UnpWdERNZ3RwODhIcGpRS2RqNHI3WXNEWWNIS0xmZjFWZi9Dbkptejc3MTdqK0FhTHpkMWNyK2ZkTWlwM2QrMFpHeitFNkp2azM5KytScUllRTIyRi9odkZSbDhjZ20vMnlhcCtBVnQ0K3hPd25yRko2ZzBvaDRhdmNMd2RWVklGMEpaREM1UzA5bk5LOCt4NllRUTBBeGtKSWxPUW9HdmhiMVRFRlE2STRzNWhUMlUzTERjOXl0ZHNhRHYxSjVIazhSZG5UV21yVjE1YVJjSFcybTFpdno0cUhzVU00YkNENEk1U3lNOTZJYUNwQU5zYjlxRmpodnhzeXY1blkwVUlqUEYvdmJJZ3Zyd3Uyc283ZWJPMDdVa3RzVXMwZWNSSzg4cVZaSXFreVVod0ZsbStORlB1YThRdld5YnJ0ODYxSTNtMmZCVEkzSjNFNzhUVTU5ZmhXTUFvMGI0Q2k0Q1UybUU0ZWltWkdISWhRTStkTFVxT1ZoNGZ0TEs1SWRBN1dubG9iZG4yK3ZVY3FiK2NLYVJucndoQVJySlN0eDJEYVc1UEUveVJLVG5SVENWRHFxRWVmU3Bsb0tTY1RoWHpNamRZZjlvL2NLRWdHVnRNMkw1UktyU0dTTzdla3NXSjNUQWhzdUgreG1lV0RzVFZ6RnMxS0lGQkgyVmlPcGVET3Z6aThHc0lmcHU1RjUyOG0wYThOMzFaVDNLUllodm05U25ncDAxTldBMTJSLzdPV0tvTGZ1dlRLeGJDYUl6ZEdZNENTNlR6U21tNGhsS3FKVi9QK0tsVXpobVJpMDd2dEJQMkZtcmJnNW9qaXdjc0ZzTEc1blJzSTdsVkp5MU45VW9PandTakhyUTRFMGoydEN1Rjc4TDdJTzZLY0tnTTBSRnA4VzdrUjMrOHVNbEFzcUJpV2F4Zy93ZDVkcjRYSkNhQjFBOGk2MFVWSVVYVkpHS0JnSFhpQVRGclpvWklITlpPV0RNUUl5Y3VQblo5TzNZZFlyK1dYMWFTYXBkTE81R0x1Q3AvQWRBdlZjUURoZ2h0OXNQY2FJT2c3UUpnYWtURzhqZ3l5UGRjY2cxSnVtVDNJMlNHeUJsNXVCLzlSaWd3dlJ0S1hscEpLYlBpWnpUSEo3Q2tsTXpKdmlqSVV3cnJ4dkVlaUtFODZXR0g2WGVwbnNkTFd0blRON0g3MjVuYml5cG55alhpUE1tR3A0VGRVbzR5ZCs1SkJIQzVwSjEzb1gyY1dNUnFKMHc1aExQSzJjeDBJR3pDOWl2OEVZYmZ3eVJqejJkMDE2TEJEWk5xdHRyUFg3aEp3S2ZRU2dTM3ZMbk9kcnJ1OStiME5adVNQR0NnOExRcERtcVF3SDM2T1I0VFJBUkoxbTFmckRRNmdrQ2dkMzQ5NW90RndocC9HZHV0b0xiaHVkQ3krQ09ucjNkL0gvSVA3R01LVUFVK0FpTEUybStKRUpBRkN2MURHTHpsMUVQRERJZ1VEZ2JpOG9nK1l4R1hwOS8wNmsrWExOY1lsRzNvUGk3QjZuNXdkY1NZL0s5TXNncHh0QTkxY1RQVUtGd25vNk1hcVdyU1Y0RVVNT3J0ZmZjakVPZXU4OGs0eFlaWURLVGZ1YjdnZmNoKy83N2NXVXpsUG00enhiZmxXSUtiSVNFMjNBWVB6S0JvTjlNa21wZDJQWVR6bHhpWGF4dlBpaG1MZElJMG1kdGxPMWxUUCtaY2lmUDBnRWpLSGNUN1JhRmdtM3hpQXdlZFZNb2QvZ1ZiZ1VwUkVJaVprZTdTc2E3Q0lMdUxmSDk2ZFpqbW5LbThscUJFdlBodkpOb0xxcXAwc2V2WWRUOVV4aTh5dnR1eTVhekkxZjNXWXA0TFhoUUtqQnhGM2c5emRIcWxvbjZYekJCa25DUHB4VmdtVUE3QkNVcTBoTHQ1amhGczhXcTRSZmorQnBDZUlaRlVQU2IrcjVTQXBqeXhRUU1HNkU1dEE1aU5DUm16dGR1NUZxMlYrMTVCL2F6Q3J2UmQ0OGpZdWlZZzRzc3duWXlnaFJOcHIxWjU2YmlneS9KaU5weWpTOTBwTGFxdC9qSnFUVWdaSlhoZE1STzhSeHlMTW1zV0VCYzV4QnNhOWgvaExzRFZMQmNTMkk1YjFpczBSbkUzd25la05iZG4yei9rcWU2RldoaHNtV0dwb2lIbzhZQmFGNVBxR2ExemZ3bE9pM09JemNYYnlTczdjSHpYbjkrRjRNc1JQT0NKMkM4K2NjdkZjeUx1SGxEMHk2aG9Bd0xzbWlUN3FBZGlUZjJrQmpVUXBueHVJeG9VSktUQUwwT0NqZ21mSEVwa3B5b2hjUkNITDFXVVdsb2d0WmxpUGFxVFY5NzI2UU4wUDFZUTh0YWN3bmxjNGFpYUNvNFNFK2JOdWhubjhPSEJORU15dmtEbVBYT3h4QUZkNWpPZm51Y2VXUDVOdTJYeWpJRVVEWmRkWXFwMDhFZkV2MUxMZ2FmYXFab0ZHWjVXa3g5N21qN2x1VUw3SFRhajNOd1JWY0UrN3pIczVrSHVUZ0RGckJjYkJhK3RtRUpvU3ZMVSsvMm12bmZyR1V4a2cxcW5URTl3SnVjckZEV3EvdmY4MWQvdzBRaEo1NjF6YS9pbzVrQ2VWSTV0d01FeFZUMURraHJxNWRWRkRtYTJYenM1amFEUVV4WWVMeVFRN2NzWHlKZEVYR2ZpSkRVNXB6dFo1ZElYK1ZNWXAwQUQ4VDgzTFo2L0U2YTlPUENORmlXaW1kWEU3WnhSWVJrcVZyZHFzcjVkZ0d4eStyNFFRS0FyY3dpcmwza3daN2VXeG5QT1BPU2t4b2FwTWZEZWIycktlaHJXL3IxYkNGZFowd2UvYmF3b0lMYURQM0ZOMDFyTE9tVnNWMUY2eExyN1BBMEgrVHpFYnpoU0hMQ3pHTENJSnpzaXVSRWRBcjZTcVRNNCtKV0IzSUNPdU1jc0lNcVpsOXMvWCtURkpFQ1V1RFhJcjN6cVFadURodmxTOGZ3VmRKOGNtQ3JxZkE0VjFHUUpCT1cxMmw4ZEhhU0pCMVVZUTdkaUtrMTcwK3RlYmZLQXc5akNsT3B6RStEZHh4Q1NwTkNoUDhCQUhwZjl4cStWQlJieDRwUlZuelZ6a2M3YVFOYWZiUE9TME1QbnRpSzBPbWpoVGY5UzhTemU5N2xnR2wyRDNwK2xqSUNFV0NkcjB6K0F3eTJMS2x5bTEzUjd4eVlyaDBpcHRaZ3hoR3BvQlFDUmFsSE9URzhKaUtocGRVUFE0YmJWQXo0bS92Rjl1ZndiMVFQZ2dXTUpzWklKVVdLODhmVDdha0ppT0hVZ0RkR21ROEJub3BlYUVTMUJBcnlGK2FtK2Q3cnFObzBRVUUxMm1CSnZQU2V1UGhmQkx4RXd2WkJVV2NzWHFVZXhkZzd6dG5pd0RHdzk4WUFzRWhxSm9HVmUwMHEyOUpIdzVpQVVlVzJxdlIwWG02ZHk0RzZJTzNyaDVjTDlsTXVXcGhJVUtoRkhoQldPSzhkRWhCdUMyM05zNkJoeGlpMHE1bm5pOEN2aHVucXdIRC9jbHdiOHVISVZsVzlFYUZ6VHRqM1d0SFQ5K2FDNkI1OENjUTZCaW5wZWxKT01jQ243UURHOTl3ekZWdmdQdVI1S0Zwc2ErZ000T2VFN2syR3pHakVacFBqQ3BaaWtGcVpXaG5mRmpwRFJ1TThwSHEyajNhQm01Tlc0Yk1NbDcwUnp4b1FRYnZVVlpGTXpRYWRxZklXc25DRVlFMjNSaXRWTTMxTUx6RWZEa3Zkc05aWiswOW9uVUcwQXpqQUhZdW4zd1pwSkhHVHdRenRJSkZLTFlZVzcxZlFEU3pJZmdXT3k1dEpPYis2blNabkNXWFVKVlhlSm5KOERITmtHSzVoVkNxaXJqclpWN2RxdXdVbXlET1BSRGdEQ2FyK0J3VXdMRDFSVjUzUHlZZUJQYUdNbnRYeCt4MUFsMWUxR3BaWTdpNWhVeDFsZG41Q3lmcWVZUy9SclJyREt0SDBGdk5jVUtKWnpTTDBCaFFrRVNEOS94b0s1NnpCRUxvNlIvZ05NeHNIckdSK2Z1WVRjbjYxZHNxTUo3MzJLS05WSmJsZlZrQ0tkZS9uQTFpVmVjZnMrdDhzZzhtc0NNZ2V5S0hBY3l6WmFVSTdHZElpK2dEbCszdkd0S3duNXpsb2IzaFNiM3ZWeGtDSDZweDdGWHVBSDhGNlZvR3NtTnAzTkUxK3RlTktVRDJBdDN2dkxRcWZLbVN4OHRmdXZIRVdmalpSelZVSHN0UklVcjlsSG4vVjFCbjB6MVRLQ0xTdG85WFVSdFA1NDR2Q1VGZHhQTjNYaG4zU25OZm1uVXMvVG1JRitOcllreGVlaVVhcTJvVG5IK1JpY3RXRHZ0TTkyQlRrcjZaSng1dXhWcFZibWc4OWp4a1VEQlNMTTE1TVRCOGpaRmpCWjBTZEE3VFdmWERycExaMitVTDQwbEM2NitrdWZjc0V4d0FuZzFnRm9yV2NrN2RyMUs1RUVCdjFXQTkvWFY1elMyMkpkekdZN3NZa0Q0eGpyUTRNclZZaTVtQUJXNG9Jdy9uRUpNd1BiVi9saGYvZ1E4VnZ3SlZKU29mV3JzdDlCTXdBVVVlWEJWenBybnZHOFZuVGlhSExaeU1FNmk0WnJwa3NmRXo5WHQzRndPZk1LaDlmeTlHWEhyVjVDdXdqL00rMHNYNHBCZ0E5SFI1Qm5rWlpRWTk4Q0VMd05PNmhtaGM3R1l0aGM3cnU1bGZwaTRRQ0ZxbmFFVFZJSDhjVk5xWXQvWGVOVTZoSjR2WFVFTXhHNzRuT01nTllZOVFEVFFjZGF1VGxwNm1YaHlVK1IxSFpXZGxheDVveW4rVmgxbE4wS2kwdFl1WjUzWnFJaDcyMkpFWlV6RTU3SnNuOGxzeDJkdCtsWEFyVyt1Z1hLcTRyVU5BdmNQWUFTZjYyZFV5WitsZWdiTEhVVndhMnp6bVFUVmsxMmlBNHZGdllnck1VMThuUlZSVjhuQ1p6WHJNb21QdzBCNEVZMXFXZ3FKMVYzOWw0YmlDSkNiSG9rTUdGam1tOGxobU03cU5kRjd4bkcxZzRhYlVXeEhyQml4d1dSclFveWpIQnNGK3pUV0xUSTBLMWhlL0ZNTm5jLytlR0pPVjB2YVozcjl1cXpncnFZRjZFblg4MjljeTZ1eElNaWpmdzFIMkxOWkpQcUwrVytPTWdCTUJOb0lFVFRBbzNXWUVWL1lKM1ZLUy9BVEJETlN3azdVZU03YXdoa1dTczBLNkJGTE8rRGMwWmJjQmxkaHF4UmtGeldYdTMzWlJwQWN6NTV1cHRuTDl1TTc2cmhXL1JodVBNQU8welYwQ1I5UFBRT3BXYTZKdHBORitFY01rTUE4cnVJclFWUXhzVmU1R0Q0WXE2NHhETmZrdzlHVHlVMGpGU1BhL1ZObnBHNnBmZ1ZvSnBPWmI4anQ5ZGE5U0FLZVBvV2V1aEpiTDJFZFNsRFJsd2JmWUxtcndUbkFtci9PeW8xVmtOT1JSSTduc2I5VFp4QThVOEo5TC9CRk9OMFJMWDRRWW9oU1VNMUJHMUd5cFJDQ3JmeGJvWmY0aHB2Q3dOS3dUZGFaemo4aW03WGpDN1RmTGM1cVhGZGZhY0FZZ1hHTmkzVkhpdGpJODh0SU9pUzQwRE9xNXJVV2FlazhEQVJHY3NPbnZVZFRQdnNIZGY0NGRoMnpheGpZaTRvdlVpcFYwakpaSCtLeTV3eG9PWU8zOEU4aGJUcUc4VGVRdlB2cmwya0V2am9FNkNJSnp6TC9KYnl6bW9ISGxsc212QXB3WmVyb0tyQ3J3ZCtiWXNzRkhXVXBYS0xLYktDa0l3a1UyMkZaMUx0ejRCc2QyaHhZRFNJclFEY2VZaXhGQ3dMZWdxVituQWtSR293Y0VLZEpUditORW5pNDRhYy9NcVhkS3lPVFFxa0lLemhVNUdXRTYvUjREWTlHb1pqNkhCUkhyOHhXVWllbVBGc28raVFVYmxGZG10TWlxYVlFZ2ppTlI4MDFGWjZ6bWJ2M1M1RDQyNlMxODFVNVRseDN3a0UySU1oRmpVcFozTjlDM2p3VnZKUWRKUUVuTi9ScHJObFVQNnhLNzhyWCsxakpsMjEwT3NSbWZKdkZsSG9aT3M0WEdqYzR3NXZpU2RUaVVkR0pJejlhNi9zMXVtZE8ySUVVODBuRTVKK2kxTXlBN3RvOUoxVFd4MlRtY2U2ZVlmcTN5eG40cG5WRTRua3QybzFqNjR6N20yRHNuNmkyUzY5M2lGY1NlcFI1UnBvbldFWHkveGJQVjhjcTZVdnpwSlhEWDdVYXQ0SnpNQWIveDBIOHdHQThqTElOaHFrWjFka1JQK3l3cHJmOW8vWnlUQkVXWERTQnQrMjR1SDRuRkxtZmRZaEh2RWozVmtGTUhQWStyUnlQOFV1Qno5L3lXczZTV3M2TVZIdnBqRzBYYm1hZVpaa1MwbWs0VE5ScFNBbStMTlEwTVF4OEw3YmxuZ3UzaklxNkRPVVJkUDkxOXZKT3VsSzV3b1pBMEtXQml0Tnh0WUNwajVFMzBFVlN1WFRWcWd3SzBBaUpFYk9vMHQ1OXhHREt5Q0tpRVFIY1lXVjc3WUdmY2FsNGdFbTBUbHpyNE5Gci9KdUJ2L2VIaXptOEhHSHRSc2dTL2lBbWFzUFBJOHBqQTZHTVlCMzUyRkk1c0xocjU3Y3hscmtLUHVER0syUWQ1QTNXMUVBRGdmd2wySVpoTVhFMDUycUs2SDlnU0xKN1pLcTlIWU5mN0pxSWJBODZaUFdmamVtdlVYN09LZkh4Zk43aVU4bmFpSHZSMm5hMlhtbEFMQlUwVHNVTlNRZW8wRUV5cmlQYklGb3BLYUlrOCtFZjFwWCsxbzBSTFNSTFNUVURqSG44dWxjWWttR2V6SkNFeUFqSHVxN2dSRzVmaEpGb1NTR0ZxYzltak96TktBTDA0K2ZhemM1bFh4dGVlcFRNVGhCVkhDM21kVi9EVGs1OVJmZGxJT2E5ZWFmMmwySzF2My8wK0s4OFpQWUx1T3IwcHdXV3h4ZlkrQXV3NXREYmZKRHkvcUhNdDN2WnRHTkJxaFZ3Y1hhRjVKSGlmRUtWdWt1dEdROHZOeE1CZHY5cWMyeU10aVJWK3Z6ak16Uko4Q0psRm1yMjNMVDd5bzRxOERVTVJuRE5WOHppK1NpL1U1bHFKN2ZBMUkwRDRUbTRSSDZGTHdCWjJvWjl2QVZaWCttTSsvYlIwZysrQ3I5SFZjMXRhY2g1amwvQ2VsUHNrSEhzckdjb3dIbStlZHFNZ1FFUnExbmZ6R0ZEYVY1VGxXbWNNbzFRUDMvYVhTMjlJRGRyT2Q1NU9NT2dWUjRiRzIxak1tRk5tOEpmZm1zYnVpZ2JaSlFNSnBETzdvL3Vhc3FSTlI3Y2dxRE1udTB6WVAvMDdzZ205VUVCeTNHNEZnWU1TZGt6SHF5eHplZzhuSmplV3R6RjJuTW9YZnhHNXBwTWlVL3dzTWc1d1F2SEZBcU54cEZZK1Q0V1N2ZWx4dE9JY3F3YWowaE9JRTJTZzg3dElDZmllQWgyUER4eGtKYjNQbCtvdXQrQklpZE85NWIxd1NWWjNSeTdaUU4zaS9aaG5OT3lYWWEyRlpKeE9lN3pWVVhrNXZJajIwUT09PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWREYXRhPjwvc2FtbDI6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg=="/>                
            </div>
            <noscript>
                <div>
                    <input type="submit" value="Continue"/>
                </div>
            </noscript>

        </form>

    </body>
</html>
vladimir-mencl-eresearch commented 13 years ago

Hi Russell,

The HTML survived the pasting quite well (and I can't see an "Attach file to this issue" function), so I hope this will be enough for you.

Thanks for looking into this!

Cheers, Vlad

makkus commented 13 years ago

Hey Vlad.

Can you test this http://code.ceres.auckland.ac.nz/snapshot-downloads/grisu-template-dev.jar

please? Not sure which IdP to test it against...

vladimir-mencl-eresearch commented 13 years ago

Hi Markus, Russel,

Sorry, still doesn't work, still doing the same thing.

The Grisu Template Client gives me:

Login Error

Error while trying to login.

Details:
Could not do slcs login: null

On the console, I can see this stack trace:

118722 [Thread-48] WARN  grisu.frontend.control.login.LoginManager  - java.lang.NullPointerException: in is null
139768 [Thread-48] ERROR grisu.frontend.control.login.LoginManager  - Traceback (most recent call last):
  File "__pyclasspath__/sibboleth/shibboleth.py", line 171, in openurl
  File "__pyclasspath__/sibboleth/shibboleth.py", line 192, in _Shibboleth__follow_chain
  File "__pyclasspath__/sibboleth/forms.py", line 83, in prompt
  File "__pyclasspath__/sibboleth/shibboleth.py", line 209, in run
  File "__pyclasspath__/sibboleth/shibboleth.py", line 192, in _Shibboleth__follow_chain
  File "__pyclasspath__/sibboleth/forms.py", line 181, in prompt
  File "__pyclasspath__/sibboleth/shibboleth.py", line 209, in run
  File "__pyclasspath__/sibboleth/shibboleth.py", line 198, in _Shibboleth__follow_chain
  File "__pyclasspath__/sibboleth/shibboleth.py", line 200, in _Shibboleth__follow_chain
Exception: Unknown error: Shibboleth auth chain lead to nowhere

And in the Apache logs on the IdP, I can see:

132.181.65.178 - - [17/Aug/2011:09:39:46 +1000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLNboMwEIRfBfkeHCAkxQpINDk0UtqiQHvopTLGCZaMTbymP29fCGmbHpqj%0A5Z2ZnU%2B7BNrIlqSdrdWOHzsO1vlopAJy%2BohRZxTRFAQQRRsOxDKSp%2Fdb4rtT%0A0hptNdMSOSkAN1ZotdIKuoabnJs3wfjTbhuj2toWCMYgGXguNQxcbQ4u7XBe%0Ai7LUktvaBdB4MPZx9pgXyFn3mwhFB89fB1G1Ljt2Lq%2B6Qd4%2Fcb%2FDXkh%2B1u54%0AJQxnFuf5I3I26xi9lnsalsxnkU8XNAy8MpqF4T6gQRgswiia92MAHd8osFTZ%0AGPlTz5tMbybevPADEkRkFr4gJztXvRWqEupwnUs5DgG5K4psMvZ55gZOXfoB%0AlCwHuuQUbC54X7el35BR8j9S%2BEG6xBchY2JLHnrXzTrTUrBPJ5VSv68Mp5bH%0AyEM4GSV%2FzyH5Ag%3D%3D%0A&RelayState=cookie%3Ae92f33e3 HTTP/1.1" 302 -
132.181.65.178 - - [17/Aug/2011:09:39:46 +1000] "GET /idp/AuthnEngine HTTP/1.1" 302 -
132.181.65.178 - - [17/Aug/2011:09:39:47 +1000] "GET /idp/Authn/UserPassword HTTP/1.1" 200 2916
132.181.65.178 - - [17/Aug/2011:09:39:47 +1000] "POST /idp/Authn/UserPassword HTTP/1.1" 302 -
132.181.65.178 - - [17/Aug/2011:09:39:48 +1000] "GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 200 11699
132.181.65.178 - - [17/Aug/2011:09:40:05 +1000] "POST /idp/profile/SAML2/Redirect/https&#x3a;&#x2f;&#x2f;slcs1.arcs.org.au&#x2f;Shibboleth.sso&#x2f;SAML2&#x2f;POST HTTP/1.1" 200 813

The last line shows that the SLCS client lbirary is still interpreting the target URL as a relative link - because it did not decode the colons and slashes.

As for where to test it: you need a valid login at an IdP running at least 2.3.0. I'm testing this at CQU (which is an IdP I did setup and I have a valid login there). VPAC is running the same version. Not sure who else is running 2.3.x...

Thanks both for looking into it!

Cheers, Vlad

vladimir-mencl-eresearch commented 13 years ago

Hi Markus, Russell,

Have you been able to look into this again? Is there any new version I could test?

Thanks a lot in advance.

Cheers, Vlad

makkus commented 13 years ago

Hi Vlad,

sorry, forgot about this, got sidetracked...

Not sure what's happening, I might have messed up when packaging...

Will keep you posted.

vladimir-mencl-eresearch commented 13 years ago

Thanks Markus!

makkus commented 13 years ago

Ok, try link above again. This one has definitely the latest code from Russell in it. If that's not working, we need to think about how to set up a test environment or so...

vladimir-mencl-eresearch commented 13 years ago

Hi Markus, WORKING ALL GOOD, thanks.

Can you please do a build of:

makkus commented 13 years ago

Ok. Will do. Might take a day or 2.

Gricli: that will be included in the next release, did you try the current release candidate on login node? Does that work already? It should...

vladimir-mencl-eresearch commented 13 years ago

Hi Markus,

Thanks.

Sorry about Gricli - had not tried out the RC yet and and not thought about trying it first. Just checked now: working all fine with gricli-rc (I'm getting an issue there which I'll report against gricli, but SLCS login itself works all fine).

Thanks again!

Cheers, Vlad

PS: When rebuilding Grix: can you please do both an Australian and NZ version? Sam confirmed Grix was breaking on VPAC IdP and would be nice to give them the fix as well....

makkus commented 13 years ago

All right: Grix

http://code.ceres.auckland.ac.nz/stable-downloads/

Please test. Note, those binaries are not signed. Grisu-v02 to follow...

makkus commented 13 years ago

Ok, Grisu v02 is in same folder now to be tested, also not signed. Sooner rather than later we have to let that one die though, I'm getting deeper and deeper into dependency hell... Also it's always taking me quite a bit of time to build this.

vladimir-mencl-eresearch commented 13 years ago

Hi Markus.

Thanks, just testing now.

Regarding "retiring" Grisu02: do we already have a new version to replace this with? I.e., is the Grisu Template Client stable enough so that I should be directing users to use that one instead?

Thanks a lot for your help with this!

Cheers, Vlad

vladimir-mencl-eresearch commented 13 years ago

PS: The error I got with Grisu02 was this stack trace: Login error (blank message)

Traceback (most recent call last):
  File "__pyclasspath__/sibboleth/shibboleth.py", line 171, in openurl
  File "__pyclasspath__/sibboleth/shibboleth.py", line 192, in _Shibboleth__follow_chain
  File "__pyclasspath__/sibboleth/forms.py", line 83, in prompt
  File "__pyclasspath__/sibboleth/shibboleth.py", line 209, in run
  File "__pyclasspath__/sibboleth/shibboleth.py", line 192, in _Shibboleth__follow_chain
  File "__pyclasspath__/sibboleth/forms.py", line 181, in prompt
  File "__pyclasspath__/sibboleth/shibboleth.py", line 209, in run
  File "__pyclasspath__/sibboleth/shibboleth.py", line 198, in _Shibboleth__follow_chain
  File "__pyclasspath__/sibboleth/shibboleth.py", line 200, in _Shibboleth__follow_chain
Exception: Unknown error: Shibboleth auth chain lead to nowhere

And this in the IdP log: still the same:

132.181.65.178 - - [29/Aug/2011:09:48:31 +1000] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZJfT4MwFMW%2FCun7KGVTsRkkuD24ZDoy0AdfTCllNCkt6y3%2B%2BfayMXU%2BuMem%0A95xzzy93DqxVHU171%2Bit2PcCnPfRKg30%2BBGj3mpqGEigmrUCqOM0Tx%2FWNPQD%0A2lnjDDcKeSmAsE4avTAa%2BlbYXNg3ycXTdh2jxrkOKMagOBCfWQ6%2BsTuf9Thv%0AZFkaJVzjAxh8MA5xtskL5C2HTaRmB89fB1l1Pt%2F3vqj6g3x44mGHWipx0m5F%0AJa3gDuf5BnmrZYxeozAipApvK1IG9dU0qHl5MwujikfkelbfsmEMoBcrDY5p%0AF6MwIGQSRJMwKsIpnUV0Sl6Ql52q3kldSb27zKUch4DeF0U2Gfs8CwvHLsMA%0ASuYHuvQYbM94X7Zl35BR8j9S%2BEE6x2chY2JHHwfX1TIzSvJPL1XKvC%2BsYE7E%0AiCCcjJK%2F55B8AQ%3D%3D%0A&RelayState=cookie%3Aa5c510ad HTTP/1.1" 302 -
132.181.65.178 - - [29/Aug/2011:09:48:32 +1000] "GET /idp/AuthnEngine HTTP/1.1" 302 -
132.181.65.178 - - [29/Aug/2011:09:48:32 +1000] "GET /idp/Authn/UserPassword HTTP/1.1" 200 2916
132.181.65.178 - - [29/Aug/2011:09:48:33 +1000] "POST /idp/Authn/UserPassword HTTP/1.1" 302 -
132.181.65.178 - - [29/Aug/2011:09:48:34 +1000] "GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 200 15171
132.181.65.178 - - [29/Aug/2011:09:48:35 +1000] "POST /idp/profile/SAML2/Redirect/https&#x3a;&#x2f;&#x2f;slcs1.arcs.org.au&#x2f;Shibboleth.sso&#x2f;SAML2&#x2f;POST HTTP/1.1" 200 813
vladimir-mencl-eresearch commented 13 years ago

PS2: I just found that both versions of Grix were packaged without a vomses.zip file. Which makes Grix say "No groups configured" on a system that does not have a .glite directory populated yet.

Was that intentional ... or just an omission? If re-packaging with a vomses file, would it be worth also including a file for voms.bestgrid.org/nz ?

vladimir-mencl-eresearch commented 13 years ago

PS3: I've tried adding a vomses.zip file myself but I'm getting quite lost: Grix seems to be quite random at which files it adds to ~/.glite/vomses (the active VOs, all files from vomses.zip are copied into ~/.glite/vomses_available). It either leaves the vomses dir empty (and later saying No Groups Configured), or when I add "nz" to the list, it puts just "nz" into the vomses dir. Can you please shed any light into this?

Also, I noticed the button for managing the active VOs has disappeared, which makes an ordinary user stuck with "I can't see any VOs".

Hmmm..., this (both the behavior with the vomses dir and the missing button) is not new to this version - has been in the currently deployed as well.

makkus commented 13 years ago

Not sure what is going on with the vomses.zip file, too long ago and the dependencies have changed quite a bit in the meantime, so there might be something incompatible between Grix and JGrith (the auth library that is used). I'll have a look later on.

For now, I re-build and deployed Grisu-legacy, can you please have another look? Not sure what happened there...

vladimir-mencl-eresearch commented 13 years ago

Hi Markus, great, thanks, Grisu 02 is now working all fine.

vladimir-mencl-eresearch commented 13 years ago

Hi Markus, I've now also found a workaround for the vomses.zip issue.

Empirical observation: from whatever I put into vomses.zip, only a file named "nz" would get copied into the vomses directory, other files went only into vomses_available. Regardless of the contents of the file.

Solution: merge all voms files into a single file called "nz". There can be multiple entries in a voms file and the file name does not matter. So this works, though it looks ugly.

I've built a BeSTGRID jar, signed it and put into into test - http://ngportal.canterbury.ac.nz/grid/grix-jdk5-bestgrid-test.jnlp

I'll ask couple more people to test and then deploy. I'll ask Sam to deploy Grisu02. Thanks for the help!

makkus commented 13 years ago

Ah right, I think I remember now. It behaves like that because "nz" is our default VO now. If one wants "ARCS", one has to manually copy it from vomses_available to vomes. At the moment that's hardcoded and there's no way to configure that via a file or so. Not sure if that is necessary though. We need to get rid of /ARCS sooner rather than later anyway, so I guess it's ok to make it a bit harder to use it?

vladimir-mencl-eresearch commented 13 years ago

Hi Markus,

Aha - thanks, that explains it. So a hard-coded name for a single file that gets copied there.

Just wondering: this hard-coding also applies to the Australian version? Also needing a file called "nz" ?

I've already deployed the BeSTGRID version with a single "nz" file that has all the relevant VOs in it. As many of our users are still USING VOs based at the /ARCS server, and need Grix to know about the VOs not just to request membership but also to create a VOMS proxy certificate, I'd leave that in.

I think you can close this issue now - thanks for your help!

Cheers, Vlad

makkus commented 13 years ago

Hardcoded "nz" is also for Oz version. Will change that the next time I touch the code...