Closed cyberjeff-u8t closed 6 months ago
Hello @simonbrowndotje,
Any update on this bug? I have the same issue with Keycloak integration.
Thanks in advance
We don't have any paying customers who use Keycloak, so it's not very high on the todo list I'm afraid ... the code is open source, so I was hoping somebody in the community would resolve this.
Just FYI though, the on-premises installation is being upgraded to Spring 6/Tomcat 10 (branch), which completely changes the SAML integration ... so it might not be worth anybody resolving this now.
Edit: Keycloak seems to work on the jakarta-ee branch (this won't be released until early 2024).
@simonbrowndotje, many thanks Simon! I think I can wait for it. Anyway, thanks for the great project!
If you'd like to try it, a preview of the new Spring 6/Tomcat 10 build is available via Docker at the structurizr/onpremises:preview image. The SAML configuration is different; see https://docs.structurizr.com/onpremises/authentication/saml#preview-build-spring-6tomcat-10 for some basic instructions.
@simonbrowndotje
Thanks a lot Simon! Appreciate this!
Unfortunately, now it gives me another error when it redirects to /saml2/authenticate/default:
Logs:
[DEBUG] 2023-12-22 13:40:05.156 [http-nio-8080-exec-5] DispatcherServlet - GET "/dashboard", parameters={}
[DEBUG] 2023-12-22 13:40:05.156 [http-nio-8080-exec-5] RequestMappingHandlerMapping - Mapped to com.structurizr.onpremises.web.home.HomePageController#showAuthenticatedDashboard(String, int, int, ModelMap)
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] MethodSecurityInterceptor - Failed to authorize ReflectiveMethodInvocation: public java.lang.String com.structurizr.onpremises.web.home.HomePageController.showAuthenticatedDashboard(java.lang.String,int,int,org.springframework.ui.ModelMap); target is of class [com.structurizr.onpremises.web.home.HomePageController] with attributes [[authorize: 'isAuthenticated()', filter: 'null', filterTarget: 'null']]
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] DispatcherServlet - Failed to complete request: org.springframework.security.access.AccessDeniedException: Access is denied
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] HttpSessionRequestCache - Saved request https://structurizr.mydomain.com/dashboard?continue to session
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DelegatingAuthenticationEntryPoint - Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@29ce1124, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]]]
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DelegatingAuthenticationEntryPoint - Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@49e4037a
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DefaultRedirectStrategy - Redirecting to https://structurizr.mydomain.com/saml2/authenticate/default
[DEBUG] 2023-12-22 13:40:05.189 [http-nio-8080-exec-7] FilterChainProxy - Securing GET /saml2/authenticate/default
[DEBUG] 2023-12-22 13:40:05.191 [http-nio-8080-exec-7] DispatcherServlet - "ERROR" dispatch for GET "/500", parameters={}
[DEBUG] 2023-12-22 13:40:05.191 [http-nio-8080-exec-7] RequestMappingHandlerMapping - Mapped to com.structurizr.onpremises.web.error.Http500Controller#showErrorPage(ModelMap)
[DEBUG] 2023-12-22 13:40:05.192 [http-nio-8080-exec-7] JstlView - View name '500', model {structurizrConfiguration=com.structurizr.onpremises.util.Configuration@6054d5ed, scriptNonce=NjA0NzJmNjEtYTUzNy00MTk1LTg3ZDQtOWU5OTQyYjhjMzFm, timeZone=Etc/UTC, showHeader=true, showFooter=true, version=com.structurizr.onpremises.util.Version@1bdbda8d, authenticated=false, user=null, searchEnabled=true, pageTitle=Structurizr - 500, org.springframework.validation.BindingResult.structurizrConfiguration=org.springframework.validation.BeanPropertyBindingResult: 0 errors, org.springframework.validation.BindingResult.version=org.springframework.validation.BeanPropertyBindingResult: 0 errors}
[DEBUG] 2023-12-22 13:40:05.193 [http-nio-8080-exec-7] JstlView - Forwarding to [/WEB-INF/views/500.jsp]
[DEBUG] 2023-12-22 13:40:05.197 [http-nio-8080-exec-7] DispatcherServlet - Exiting from "ERROR" dispatch, status 500
structurizr.properties:
structurizr.feature.ui.dslEditor=true
structurizr.url=https://structurizr.mydomain.com
structurizr.admin=structurizr
structurizr.data=aws-s3
structurizr.authentication=saml
structurizr.saml.metadata=https://keycloak.mydomain.com/auth/realms/services/protocol/saml/descriptor
structurizr.saml.entityId=structurizr
structurizr.saml.signing.certificate=mydomain.com.cer
structurizr.saml.signing.privateKey=mydomain.com.key
aws-s3.accessKeyId=***********
aws-s3.secretAccessKey=*****************
aws-s3.bucketName=structurizr
aws-s3.endpoint=https://blobstorage.mydomain.com:9000
aws-s3.pathStyleAccess=true
Everything is configured according to the instructions. Although, maybe I've missed something...
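To make a failure like the one above quicker to pin down, here is an added example (it is not part of this thread and not Structurizr project code) that does two things: it groups the Spring Security DEBUG lines by worker thread so the flow "anonymous -> access denied -> redirect to /saml2/authenticate/... -> 500" is visible at a glance, and it checks a structurizr.properties file for keys whose prefix is not one of the known ones, which is how a misspelled key silently disables a setting. The log excerpt and properties text are constructed from the lines quoted above; the list of known key prefixes and the "SAML initiation ended in 500" heuristic are assumptions, not project rules.

```python
"""Trace Spring Security request flow in DEBUG logs and sanity-check
structurizr.properties keys. Added example; log format is assumed to be
the Log4j-style layout quoted in the thread."""
import difflib
import re
from collections import defaultdict

# Constructed log excerpt (abbreviated from the lines quoted in the thread).
LOG = """\
[DEBUG] 2023-12-22 13:40:05.156 [http-nio-8080-exec-5] DispatcherServlet - GET "/dashboard", parameters={}
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] AnonymousAuthenticationFilter - Set SecurityContextHolder to anonymous SecurityContext
[DEBUG] 2023-12-22 13:40:05.157 [http-nio-8080-exec-5] DispatcherServlet - Failed to complete request: org.springframework.security.access.AccessDeniedException: Access is denied
[DEBUG] 2023-12-22 13:40:05.158 [http-nio-8080-exec-5] DefaultRedirectStrategy - Redirecting to https://structurizr.mydomain.com/saml2/authenticate/default
[DEBUG] 2023-12-22 13:40:05.189 [http-nio-8080-exec-7] FilterChainProxy - Securing GET /saml2/authenticate/default
[DEBUG] 2023-12-22 13:40:05.191 [http-nio-8080-exec-7] DispatcherServlet - "ERROR" dispatch for GET "/500", parameters={}
[DEBUG] 2023-12-22 13:40:05.197 [http-nio-8080-exec-7] DispatcherServlet - Exiting from "ERROR" dispatch, status 500
"""

LINE_RE = re.compile(
    r'^\[(?P<level>\w+)\] (?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$')
REQ_RE = re.compile(r'^(?:GET|POST) "([^"]+)"')
ERR_RE = re.compile(r'^"ERROR" dispatch for (?:GET|POST) "([^"]+)"')
STATUS_RE = re.compile(r'status (\d+)$')


def parse_log(text):
    """Split each log line into level, timestamp, thread, logger and message."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def trace_threads(text):
    """Return {thread: [step labels]} describing what each worker thread did."""
    steps = defaultdict(list)
    for ev in parse_log(text):
        logger, msg, t = ev["logger"], ev["msg"], ev["thread"]
        if logger == "DispatcherServlet":
            if (m := ERR_RE.match(msg)):
                steps[t].append("error-dispatch:" + m.group(1))
            elif (m := REQ_RE.match(msg)):
                steps[t].append("request:" + m.group(1))
            elif "AccessDeniedException" in msg:
                steps[t].append("access-denied")
            elif (m := STATUS_RE.search(msg)):
                steps[t].append("status:" + m.group(1))
        elif logger == "AnonymousAuthenticationFilter":
            steps[t].append("anonymous")
        elif logger == "DefaultRedirectStrategy" and msg.startswith("Redirecting to "):
            steps[t].append("redirect:" + msg[len("Redirecting to "):])
        elif logger == "FilterChainProxy" and msg.startswith("Securing "):
            steps[t].append("request:" + msg.split()[-1])
    return dict(steps)


def failed_saml_initiations(text):
    """Heuristic: threads where a /saml2/authenticate/... request ended in HTTP 500."""
    hits = []
    for thread, s in trace_threads(text).items():
        path = next((x[len("request:"):] for x in s
                     if x.startswith("request:/saml2/authenticate/")), None)
        if path and "status:500" in s:
            hits.append((thread, path))
    return hits


# Assumed set of valid key prefixes; constructed for this example.
KNOWN_PREFIXES = ["structurizr", "aws-s3"]

# Constructed properties text with a deliberately misspelled prefix.
PROPERTIES = """\
structurizr.authentication=saml
structurizr.saml.signing.certificate=mydomain.com.cer
structirizr.saml.signing.privateKey=mydomain.com.key
aws-s3.bucketName=structurizr
"""


def check_property_keys(text):
    """Return (key, closest known prefix or None) for keys with an unknown prefix."""
    bad = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        prefix = key.split(".", 1)[0]
        if prefix not in KNOWN_PREFIXES:
            close = difflib.get_close_matches(prefix, KNOWN_PREFIXES, n=1)
            bad.append((key, close[0] if close else None))
    return bad


if __name__ == "__main__":
    for thread, s in trace_threads(LOG).items():
        print(thread, "->", " | ".join(s))
    print("failed SAML initiations:", failed_saml_initiations(LOG))
    print("suspicious keys:", check_property_keys(PROPERTIES))
```

A misspelled key is the first thing to rule out before debugging the SAML exchange itself: the application does not reject unknown keys, so the setting simply never takes effect.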
I have the same problem using Okta.
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
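The browser error quoted above is the CSP engine refusing an inline event handler (for example an onclick attribute on the sign-in button) under a script-src policy that carries a nonce: 'unsafe-inline' is ignored once a nonce or hash is present, and hashes do not cover event handler attributes unless 'unsafe-hashes' is also set. This added example (not from the thread, not Structurizr code) parses such a policy, reports whether inline handlers could run under it, scans markup for the attributes that would be refused, and shows the markup pattern that satisfies a nonce policy. The HTML snippets and the nonce value are constructed.

```python
"""CSP check for inline event handlers. Added example; constructed inputs."""
import re
from html.parser import HTMLParser

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")
ON_ATTR_RE = re.compile(r"^on[a-z]+$")


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_handler_status(header):
    """'allowed'  : 'unsafe-inline' is effective (no nonce/hash neutralises it)
    'hash-only': 'unsafe-hashes' plus hashes; only handlers whose hash matches run
    'blocked'  : anything else (the situation in the error above)."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    has_nonce = any(s.startswith("'nonce-") for s in sources)
    has_hash = any(s.startswith(HASH_PREFIXES) for s in sources)
    if "'unsafe-inline'" in sources and not (has_nonce or has_hash):
        return "allowed"
    if "'unsafe-hashes'" in sources and has_hash:
        return "hash-only"
    return "blocked"


class InlineHandlerFinder(HTMLParser):
    """Collect on* attributes and javascript: URLs, which a nonce policy refuses."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if ON_ATTR_RE.match(name):
                self.findings.append((tag, name, value))
            elif name in ("href", "src", "action") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name, value))


def find_inline_handlers(html):
    parser = InlineHandlerFinder()
    parser.feed(html)
    return parser.findings


# Constructed markup: the pattern that triggers the error...
BEFORE = '<form id="saml"><button onclick="signIn()">Sign in</button></form>'

# ...and the equivalent that a nonce policy accepts: the handler lives in a
# script tag carrying the per-response nonce (value constructed here).
NONCE = "MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm"
AFTER = (
    '<form id="saml"><button id="signIn">Sign in</button></form>'
    f'<script nonce="{NONCE}">'
    'document.getElementById("signIn").addEventListener("click", signIn);'
    '</script>'
)

POLICY = f"script-src 'self' 'nonce-{NONCE}'"

if __name__ == "__main__":
    print("policy allows inline handlers:", inline_handler_status(POLICY))
    print("before:", find_inline_handlers(BEFORE))
    print("after :", find_inline_handlers(AFTER))
```

The scanner is a static check, so run it over rendered pages (or the JSP templates) rather than relying on the browser console, which only reports the first handler it refuses on the page the user happened to open.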
The current Spring 5/Tomcat 9 build will be superseded in a week or so - I'd recommend trying the new version (structurizr/onpremises:preview) with Okta ... there's an example SAML configuration at https://docs.structurizr.com/onpremises/authentication/saml#preview-build-spring-6tomcat-10 (this is taken from the Spring Security samples):
# Okta (testuser2@spring.security.saml/12345678)
structurizr.authentication=saml
structurizr.saml.registrationId=one
structurizr.saml.metadata=https://dev-05937739.okta.com/app/exk46xofd8NZvFCpS5d7/sso/saml/metadata
structurizr.saml.attribute.username=email
You will just need to debug the SAML handshakes, etc. I'm afraid; see https://docs.structurizr.com/onpremises/authentication/saml#troubleshooting for some pointers.
The Jakarta EE/Spring 6 version of the on-premises installation has now been released, which provides a new SAML integration mechanism ... closing as stale.
Description
SAML authentication with Keycloak was working with build 3114, but after upgrading to the latest version I can see the following error in the browser console after clicking on the 'sign-in' button:
Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-MDNkMzRiNzctNTQyMS00MjJjLTlkN2YtMmI1NDk4YjM1ZTlm'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
Steps to reproduce
Screenshot
No response
Code sample
No response
Configuration
No response
Severity
Minor
Priority
I have no budget and there's no rush, please fix this for free
More information
No response