Permanent links don't work with CAS Authentication ?

Hi,

We trying to use permanent link like this one “http://localhost/nuxeo/nxdoc/default/5e84c7a3-e40c-4152-9497-b0cfdb916a6a/view_documents” to access document on a “nuxeo-cap-5.6-tomcat” server, with HF15 and DM add-on.

We first test this possibility with a default authentification: it works as expected (direct access).

But, we need use CAS authentication and in this case, the permanent link doesn't work anymore … It's for us an important issue because we need direct acces on task (workflow context) send via email to our users.

Is it a known problem ?

We've done tests on two differents “Centos (5.9 and 6.4)” servers:

  • In both case:

    • a first direct access doesn't work. The return URL from CAS is wrong: the path to the document is missing.
  • On one server (Centos 6.4, nuxeo-5.6-HF10), after a first connection and deconnection (without removing JSESSION cookie) to the plateform, the direct access on a document works even with a CAS access for authentication (the return URL is correct). No error message are seen (with a default log4j configuration).

  • On the other one (Centos 5.9, nuxeo-5.6-HF15), an access after a first connection and deconnection (without removing JSESSION cookie) doesn't work and an error message is sent in the log:

    2013-04-25 14:26:49,819 ERROR [org.nuxeo.ecm.core.api.CoreSession] Permission 'Read' is not granted to 'invite' on document /default-domain/workspaces/niv2/dd (5e84c7a3-e40c-4152-9497-b0cfdb916a6a - Folder)
    2013-04-25 14:26:49,821 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/nuxeo]] L'écouteur d'évènement de session (session event listener) a généré une exception java.lang.IllegalStateException: Please end the HttpSession via org.jboss.seam.web.Session.instance().invalidate()
    at org.jboss.seam.contexts.Lifecycle.endSession(Lifecycle.java:221)
    ....
    

    Thanks for your help

1 votes

0 answers

1653 views

ANSWER

We just try nuxeo5.6-HF15 on a Ubuntu 11.10 machine and we got the same result than with the Centos 5.9, nuxeo-5.6-HF15 version: . permanent link doesn't work; after CAS authentification, we reach the same page as with a connection to the plateform "http://localhost/nuxeo".
04/30/2013

Hi,

Sorry that I don't have any hint to help you solve this, but I've tested against a 5.6-HF15 with CAS authentication and permanent links do work correctly on this version.

05/15/2013

Hi,

Thank for the replay. It was on a CentOS server?

05/15/2013

No, it's http://www.jasig.org/cas (i don't know which version)
05/15/2013

I thought about the nuxeo server. When we arrived on the "CAS authentification page", we have already lost part of the return URL, so after connection, we are on the home page and not on the document page. After this first connection, the permanent link work until deconnexion.

Did you try with the delete of nuxeo cookies before go to a document directly with its permanent link (and then reconnect)?

Thanks

05/15/2013

I think it's more a nuxeo problem as the URL used to go to the CAS server for authentication, is a truncated URL. It's sound like the already resolved NXP-5593 problem (CAS Authentication should redirect to the requested URL) as far as I understand the description. But we are on a 5.6 nuxeo server and not on an unpatched 5.3 or 5.4.1…
05/17/2013

I've tested this and it works correctly, the URL does not get truncated and after logging in on CAS I'm redirected to the correct page.
Can you trace the HTTP requests and responses to see at which point the URL gets truncated? (with something like firebug or httpfox).
05/22/2013

First, thank you for your help.

We trace as you suggest with "HttpFox" and the lost of URL's end appends near the beginning:

    - the first redirect seems correct,
    - the second looks wrong ?

Here, the start of the output (with MYHOST for our hostname and AUTH_HOST for our CAS server):

GET 302 Redirect to: /nuxeo/logout?requestedUrl=nxdoc%2Fdefault%2Fe72298ab-a7bb-4502-ad07-10e8de2d698f%2Fview_documents&forceAnonymousLogin=true&securityError=true http://MYHOST:8080/nuxeo/nxdoc/default/e72298ab-a7bb-4502-ad07-10e8de2d698f/view_documents

GET 302 Redirect to: https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces /nuxeo/logout?requestedUrl=nxdoc%2Fdefault%2Fe72298ab-a7bb-4502-ad07-10e8de2d698f%2Fview_documents&forceAnonymousLogin=true&securityError=true

GET 200 text/html https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces

In this configuration, we chain three authentification plugins: <pre>

&lt;authenticationChain&gt;
    &lt;plugins&gt;
        &lt;plugin&gt;BASIC_AUTH&lt;/plugin&gt;
        &lt;plugin&gt;CAS2_AUTH&lt;/plugin&gt;
        &lt;plugin&gt;ANONYMOUS_AUTH_FOR_CAS2&lt;/plugin&gt;
    &lt;/plugins&gt;
&lt;/authenticationChain&gt;

</pre>

With a new test without the "ANONYMOUS_AUTH_FOR_CAS2" plugin, we got the following result:

    . Permanent links work,
    - the acces to the nuxeo plateform via the URL &quot;http://MYHOST:8080/nuxeo/&quot; is redirected to the CAS server
      (no more &quot;guest page&quot;)

Here, the beginning of trace got with "HttpFox":

GET 302 Redirect to: http://MYHOST:8080/nuxeo/nxstartup.faces;jsessionid=678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo http://MYHOST:8080/nuxeo/

GET 302 Redirect to: https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces%3Bjsessionid%3D678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo http://MYHOST:8080/nuxeo/nxstartup.faces;jsessionid=678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo

GET 200 text/html https://AUTH_HOST/cas/login?service=http%3A%2F%2FMYHOST%3A8080%2Fnuxeo%2Fnxstartup.faces%3Bjsessionid%3D678D6DF028FB5F8B8D5CAFD0975D6520.nuxeo

05/23/2013

Yes, the second redirect is wrong, the service isn't encoded correctly, I'll try to give you a fix next week.
I've created NXP-11602 to track this issue.
05/24/2013

This should be fixed (works in my tests!) and available in the next hotfix (5.6-HF18).
05/27/2013

Hi,

We've tried the 5.6-HF18 nuxeo server with the "nuxeo-platform-login-cas2-5.6.0-HF18.jar". We retried the ANONYMOUS_AUTH_FOR_CAS2 plugin, and permanent links still not work for us. (We didn't see any difference in the httpfox log with our previous test).

Can you send us an sample of your own xml configuration? Or have you another idea ?

Besides, we've made tests without ANONYMOUS_AUTH_FOR_CAS2: permanent links seem to work (direct access to a workspace for instance) without any previous connection but we got another problem. We'll describe it a new question.

Thanks for your help.

06/03/2013

For the curious, link to our second pb with CAS authentication and permanent links : http://answers.nuxeo.com/questions/5797/permanent-links-and-cas-authentication
06/03/2013

My configuration is pretty much what's in the documentation except for the server names. It's possible my changes leveraged other fixes that were not backported (my tests were on the 5.7 dev branch), in which case your issues should be solved with the 5.7.1 version (not yet released).
06/04/2013

Hello, is this fixed and if yes can you please tell me what is the hotfix to begin with ? Cause here it seems we're still getting into this kind of trouble with 5.6-HF-23 Thank you
11/29/2013

Hi,

It wasn't fixed for 5.6-HF18 so it's probably the case for HF23. I didn't try with 5.7 or 5.8. But as it not the only problem with CAS authentication (see http://answers.nuxeo.com/questions/5797/permanent-links-and-cas-authentication), we change the authentication mode to use shibboleth.

We have try yesterday CAS authentication on 5.8 without ANONYMOUS_AUTH, but permanent links still no work, so we drop it again to use shibboleth.

11/29/2013

Using CAS authentication with anonymous auth enabled, we've got the same problem( the return URL from CAS is appURL not the permanentlink ). This bug is still present in 5.8.
01/14/2014