structurizr / onpremises

Structurizr on-premises installation
https://docs.structurizr.com/onpremises
MIT License

Content Security Policy / SAML Keycloak #86

Closed cyberjeff-u8t closed 6 months ago

cyberjeff-u8t commented 8 months ago

Description

SAML authentication with Keycloak was working with build 3114, but after upgrading to the latest version I can see the following error in the browser console after clicking the 'sign-in' button:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

Steps to reproduce

  1. configure saml/keycloak
  2. open structurizr onpremise home page
  3. click sign-in button

Screenshot

No response

Code sample

No response

Configuration

No response

Severity

Minor

Priority

I have no budget and there's no rush, please fix this for free

More information

No response
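The console error quoted above is the browser enforcing a nonce-based Content-Security-Policy: a nonce in `script-src` covers `<script nonce="...">` elements but never covers `onclick="..."`-style attributes, and once a nonce or hash is listed, `'unsafe-inline'` is ignored by current browsers. The following is an added example, not code from the Structurizr project: it evaluates a CSP header against those rules, scans markup for inline handler attributes, and shows the CSP-compatible way to wire a sign-in button. `ISSUE_POLICY` is constructed from the header quoted in the issue; the markup samples are constructed.

```javascript
// Added example (not part of the Structurizr project): decide whether a
// Content-Security-Policy header permits inline event-handler attributes
// (onclick="...", onsubmit="..."), which is what the console error in this
// issue is about, and scan server-rendered HTML for such attributes.
// ISSUE_POLICY is constructed from the header quoted in the issue.

const ISSUE_POLICY =
  "script-src 'self' 'nonce-MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm'";

const HASH_PREFIXES = ["'sha256-", "'sha384-", "'sha512-"];

// Parse "dir1 a b; dir2 c" into { dir1: ['a', 'b'], dir2: ['c'] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Inline event handlers are governed by script-src, falling back to default-src.
// Rules applied (CSP Level 3 behaviour in current browsers):
//   * neither directive present            -> no restriction, allowed
//   * 'unsafe-inline' and no nonce/hash     -> allowed
//   * 'unsafe-inline' beside a nonce/hash   -> 'unsafe-inline' is ignored, blocked
//   * a nonce never applies to attributes   -> blocked
//   * a (matching) hash applies to attributes only with 'unsafe-hashes'
function inlineHandlersAllowed(header) {
  const d = parseCsp(header);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };
  const s = sources.map(v => v.toLowerCase());
  const hasNonce = s.some(v => v.startsWith("'nonce-"));
  const hasHash = s.some(v => HASH_PREFIXES.some(p => v.startsWith(p)));
  const unsafeInline = s.includes("'unsafe-inline'");
  const unsafeHashes = s.includes("'unsafe-hashes'");
  if (unsafeInline && !hasNonce && !hasHash) {
    return { allowed: true, reason: "'unsafe-inline' with no nonce or hash" };
  }
  if (hasHash && unsafeHashes) {
    return { allowed: true, reason: "handler hash honoured because 'unsafe-hashes' is present" };
  }
  if (unsafeInline) {
    return { allowed: false, reason: "'unsafe-inline' is ignored when a nonce or hash is listed" };
  }
  return { allowed: false, reason: 'nonces (and hashes without unsafe-hashes) do not cover event-handler attributes' };
}

// Find on*="..." attributes in markup: the things a nonce-based policy blocks.
// Returns the attribute names, lowercased, in document order.
function findInlineHandlers(html) {
  const found = [];
  for (const m of html.matchAll(/[\s"']on([a-z]+)\s*=/gi)) {
    found.push('on' + m[1].toLowerCase());
  }
  return found;
}

// CSP-compatible replacement for an inline handler: the listener lives in a
// nonce-bearing <script>, so the nonce in the policy covers it. The element
// ids are hypothetical.
function signInButton(nonce) {
  return [
    '<button id="sign-in">Sign in</button>',
    `<script nonce="${nonce}">`,
    "document.getElementById('sign-in').addEventListener('click', () => {",
    "  document.getElementById('sign-in-form').submit();",
    '});',
    '</script>',
  ].join('\n');
}

// Constructed samples: the blocked form and the fixed form.
const BLOCKED_MARKUP = '<button onclick="document.forms[0].submit()">Sign in</button>';
const FIXED_MARKUP = signInButton('MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm');
```

Running `inlineHandlersAllowed(ISSUE_POLICY)` returns `allowed: false`, and `findInlineHandlers(BLOCKED_MARKUP)` reports the `onclick` attribute that the policy refuses. The third rule is the one that trips people up: appending `'unsafe-inline'` to a nonce-based policy does not restore the button, because the nonce makes browsers ignore it. The remediation that keeps the policy intact is the one the error message itself suggests, moving the handler into a nonce-bearing script as `signInButton` does.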

borismus-hawk commented 7 months ago

Hello @simonbrowndotje ,

Any update on this bug? I have the same issue with the Keycloak integration.

Thanks in advance

simonbrowndotje commented 7 months ago

We don't have any paying customers who use Keycloak, so it's not very high on the todo list I'm afraid ... the code is open source, so I was hoping somebody in the community would resolve this.

Just FYI though, the on-premises installation is being upgraded to Spring 6/Tomcat 10 (branch), which completely changes the SAML integration ... so it might not be worth anybody resolving this now.

Edit: Keycloak seems to work on the jakarta-ee branch (this won't be released until early 2024).

borismus-hawk commented 7 months ago

@simonbrowndotje, many thanks Simon! I think I can wait for it. Anyway, thanks for the great project!

simonbrowndotje commented 7 months ago

If you'd like to try it, a preview of the new Spring 6/Tomcat 10 build is available via Docker at the structurizr/onpremises:preview image. The SAML configuration is different; see https://docs.structurizr.com/onpremises/authentication/aml#preview-build-spring-6tomcat-10 for some basic instructions.

borismus-hawk commented 7 months ago

@simonbrowndotje

Thanks a lot Simon! Appreciate this!

Unfortunately, now it gives me another error when it redirects to /saml2/authenticate/default: [screenshot]

Logs:

[DEBUG] 2023-12-22 13:40:05.156 [http-nio-8080-exec-5] DispatcherServlet - GET "/dashboard", parameters={}
[DEBUG] 2023-12-22 13:40:05.156 [http-nio-8080-exec-5] RequestMappingHandlerMapping - Mapped to com.structurizr.onpremises.web.home.HomePageController#showAuthenticatedDashboard(String, int, int, ModelMap)
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public java.lang.String com.structurizr.onpremises.web.home.HomePageController.showAuthenticatedDashboard(java.lang.String,int,int,org.springframework.ui.ModelMap); target is of class [com.structurizr.onpremises.web.home.HomePageController] with attributes [[authorize: 'isAuthenticated()', filter: 'null', filterTarget: 'null']]
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] DispatcherServlet - Failed to complete request: org.springframework.security.access.AccessDeniedException: Access is denied
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] HttpSessionRequestCache - Saved request https://structurizr.mydomain.com/dashboard?continue to session
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DelegatingAuthenticationEntryPoint - Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@29ce1124, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]]]
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DelegatingAuthenticationEntryPoint - Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@49e4037a
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DefaultRedirectStrategy - Redirecting to https://structurizr.mydomain.com/saml2/authenticate/default
[DEBUG] 2023-12-22 13:40:05.189 [http-nio-8080-exec-7] FilterChainProxy - Securing GET /saml2/authenticate/default
[DEBUG] 2023-12-22 13:40:05.191 [http-nio-8080-exec-7] DispatcherServlet - "ERROR" dispatch for GET "/500", parameters={}
[DEBUG] 2023-12-22 13:40:05.191 [http-nio-8080-exec-7] RequestMappingHandlerMapping - Mapped to com.structurizr.onpremises.web.error.Http500Controller#showErrorPage(ModelMap)
[DEBUG] 2023-12-22 13:40:05.192 [http-nio-8080-exec-7] JstlView - View name '500', model {structurizrConfiguration=com.structurizr.onpremises.util.Configuration@6054d5ed, scriptNonce=NjA0NzJmNjEtYTUzNy00MTk1LTg3ZDQtOWU5OTQyYjhjMzFm, timeZone=Etc/UTC, showHeader=true, showFooter=true, version=com.structurizr.onpremises.util.Version@1bdbda8d, authenticated=false, user=null, searchEnabled=true, pageTitle=Structurizr - 500, org.springframework.validation.BindingResult.structurizrConfiguration=org.springframework.validation.BeanPropertyBindingResult: 0 errors, org.springframework.validation.BindingResult.version=org.springframework.validation.BeanPropertyBindingResult: 0 errors}
[DEBUG] 2023-12-22 13:40:05.193 [http-nio-8080-exec-7] JstlView - Forwarding to [/WEB-INF/views/500.jsp]
[DEBUG] 2023-12-22 13:40:05.197 [http-nio-8080-exec-7] DispatcherServlet - Exiting from "ERROR" dispatch, status 500

structurizr.properties:

structurizr.feature.ui.dslEditor=true
structurizr.url=https://structurizr.mydomain.com
structurizr.admin=structurizr
structurizr.data=aws-s3
structurizr.authentication=saml
structurizr.saml.metadata=https://keycloak.mydomain.com/auth/realms/services/protocol/saml/descriptor
structurizr.saml.entityId=structurizr
structurizr.saml.signing.certificate=mydomain.com.cer
structirizr.saml.signing.privateKey=mydomain.com.key
aws-s3.accessKeyId=***********
aws-s3.secretAccessKey=*****************
aws-s3.bucketName=structurizr
aws-s3.endpoint=https://blobstorage.mydomain.com:9000
aws-s3.pathStyleAccess=true

Everything is configured according to the instructions, although maybe I've missed something...
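A check worth running on a posted structurizr.properties before debugging the SAML handshake itself is a key-name lint: Java-style properties files give no error for a misspelled key, the value is simply never read. The following is an added example and not part of the Structurizr project. The property names are the ones that appear in the configuration above; the assumption that the application ignores keys it does not recognise, and the rule that a signing certificate and private key must be configured together, are assumptions of this example rather than facts the thread states. `PAGE_PROPERTIES` is the posted file with the secrets masked as they were posted.

```javascript
// Added example (not part of the Structurizr project): a sanity check for a
// structurizr.properties file before wiring it to a SAML identity provider.
// Property names come from the configuration posted in this thread. Assumed,
// not confirmed by the thread: unknown keys are silently ignored by the
// application, and signing needs both a certificate and a private key.

const KNOWN_PREFIXES = ['structurizr.', 'aws-s3.'];

// The configuration posted in the thread, secrets masked as posted (constructed).
const PAGE_PROPERTIES = `
structurizr.feature.ui.dslEditor=true
structurizr.url=https://structurizr.mydomain.com
structurizr.admin=structurizr
structurizr.data=aws-s3
structurizr.authentication=saml
structurizr.saml.metadata=https://keycloak.mydomain.com/auth/realms/services/protocol/saml/descriptor
structurizr.saml.entityId=structurizr
structurizr.saml.signing.certificate=mydomain.com.cer
structirizr.saml.signing.privateKey=mydomain.com.key
aws-s3.accessKeyId=***********
aws-s3.secretAccessKey=*****************
aws-s3.bucketName=structurizr
aws-s3.endpoint=https://blobstorage.mydomain.com:9000
aws-s3.pathStyleAccess=true
`;

// Parse "key=value" lines; blank lines and '#'/'!' comment lines are skipped.
function parseProperties(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith('!')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) { entries.push({ key: line, value: '' }); continue; }
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Returns a list of { key, problem } findings; an empty list means clean.
function checkProperties(text) {
  const findings = [];
  const seen = new Map();
  for (const { key, value } of parseProperties(text)) {
    if (seen.has(key)) findings.push({ key, problem: 'duplicate key; the last value wins' });
    seen.set(key, value);
    if (!KNOWN_PREFIXES.some(p => key.startsWith(p))) {
      findings.push({ key, problem: 'unrecognised prefix; probably misspelled and would be ignored' });
    }
  }
  if (seen.get('structurizr.authentication') === 'saml') {
    if (!seen.has('structurizr.saml.metadata')) {
      findings.push({ key: 'structurizr.saml.metadata', problem: 'required when structurizr.authentication=saml' });
    }
    const hasCert = seen.has('structurizr.saml.signing.certificate');
    const hasKey = seen.has('structurizr.saml.signing.privateKey');
    if (hasCert !== hasKey) {
      findings.push({
        key: hasCert ? 'structurizr.saml.signing.privateKey' : 'structurizr.saml.signing.certificate',
        problem: 'signing needs both a certificate and a private key; only one is set',
      });
    }
  }
  // SAML responses carry bearer assertions back to structurizr.url; keep it on TLS.
  const url = seen.get('structurizr.url') || '';
  if (url && !url.startsWith('https://')) {
    findings.push({ key: 'structurizr.url', problem: 'SAML assertions should be returned over https' });
  }
  return findings;
}
```

Run against the posted file, `checkProperties(PAGE_PROPERTIES)` reports two findings: the `structirizr.saml.signing.privateKey` line has an unrecognised prefix, and as a consequence the signing certificate is configured without its private key. Whether that is what produced the 500 on /saml2/authenticate/default the thread does not say; it is simply the first thing to rule out before capturing the SAML exchange.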

maycson-ciandt commented 6 months ago

I have the same problem using Okta.

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.

simonbrowndotje commented 6 months ago

> I have the same problem using Okta.

The current Spring 5/Tomcat 9 build will be superseded in a week or so - I'd recommend trying the new version (structurizr/onpremises:preview) with Okta ... there's an example SAML configuration at https://docs.structurizr.com/onpremises/authentication/saml#preview-build-spring-6tomcat-10 (this is taken from the Spring Security samples):

# Okta (testuser2@spring.security.saml/12345678)
structurizr.authentication=saml
structurizr.saml.registrationId=one
structurizr.saml.metadata=https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata
structurizr.saml.attribute.username=email

simonbrowndotje commented 6 months ago

> Everything is configured according to the instruction. Although, maybe I've missed something...

You will just need to debug the SAML handshakes, etc., I'm afraid; see https://docs.structurizr.com/onpremises/authentication/saml#troubleshooting for some pointers.

simonbrowndotje commented 6 months ago

The Jakarta EE/Spring 6 version of the on-premises installation has now been released, which provides a new SAML integration mechanism ... closing as stale.