[MGNLSSO-56] Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict"

Created: 20/May/21 | Updated: 29/Aug/23 | Resolved: 29/Aug/23

| Field | Value |
|---|---|
| Status | Closed |
| Project | Single Sign On |
| Component/s | sso-connector |
| Affects Version/s | None |
| Fix Version/s | None |
| Type | Bug |
| Priority | Neutral |
| Reporter | Edwin Guilbert |
| Assignee | Unassigned |
| Resolution | Not an issue |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Environment | Latest Magnolia Cloud Simulator with Magnolia 6.2.8 bundle, sso 2.7.0 and GoogleOpenId configured |
| Epic Link | SSO maintenance |
| Description |

Latest magnolia-tomcat bundles come with this parameter included in the context.xml:

```xml
<CookieProcessor sameSiteCookies="Strict" />
```

This parameter was also included in Magnolia Cloud by default: https://git.magnolia-cms.com/projects/OD/repos/mgnl-images/commits/fab9d7975f613f77bda1638ea73ea0c2214e966f#cloud-base/roles/magnolia-server/templates/context.xml

This will provoke the session to be lost between steps 1 and 2 of OpenID's authorization code flow implementation. If the session is lost, step 2 can't be achieved, so the code sent by Google to Magnolia (as a background call) is never handled and the token can't be retrieved from Google's token endpoint, which would be step 3.

```java
public LoginResult handle(HttpServletRequest request, HttpServletResponse response) {
    OICServiceRequest oicServiceRequest = (OICServiceRequest) request.getSession().getAttribute("ssoAuthenticationServiceRequest");
    if (oicServiceRequest != null) {
        ...
    }
    return LoginResult.NOT_HANDLED;
}
```

Since NOT_HANDLED is returned, Magnolia continues to the next login handler, which is FormLogin, instead of continuing with the OpenID flow (retrieving the token, etc.). Here is the log taken from the cloud simulator with the session debugger enabled:
2021-05-20 13:18:40,425 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@49c25143
ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@7c24be21
csrf = CfrFh6UyLV9mtURZGZuDDnGAk2A
-- Session is new : false
----------2021-05-20 13:18:40,425 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-20 13:18:40,426 INFO ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:40,426 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /
2021-05-20 13:18:47,516 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@4dea3181
-- Session is new : true
----------2021-05-20 13:18:47,517 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-20 13:18:47,517 INFO ty.auth.callback.SSOAuthenticationRedirectCallback: Connecting with SSO authentication service googleOpenIDConnectTemplate
2021-05-20 13:18:47,518 DEBUG ty.auth.callback.SSOAuthenticationRedirectCallback: Requested URL: /.auth?state=98g1hh2l5balifitprl5vfn93u&code=4%2F0AY0e-g4aWzOqjIcDmGtD_sQ0ViaUoSyRvDF-rKkeRWCfsKSRigZLUyJ1UqGTNBrgQu9PLQ&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent
The Dockerfile, context.xml and jaas.config files used are attached.
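The session loss between steps 1 and 2 described above, as an added simulation that is not Magnolia, Tomcat or Google code: a browser cookie jar that applies the SameSite rule, and a relying party that keeps the pending OIDC request in the session under the attribute named in the issue. Browser, RelyingParty, run_flow and the callback URL are constructed for this example; the NOT_HANDLED fallthrough mirrors the handler quoted above.

```python
import secrets
from collections import namedtuple
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

RP_URL = "http://localhost:8080"                               # Magnolia, as in the issue's log
IDP_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"  # Google's authorization endpoint
Cookie = namedtuple("Cookie", "name value same_site")          # same_site: "Strict", "Lax" or "None"


def site_of(url: str) -> str:
    """Approximate the 'site' (registrable domain) a browser uses for the SameSite check."""
    parts = (urlsplit(url).hostname or "").split(".")
    return ".".join(parts[-2:])


class Browser:
    """Cookie jar applying the SameSite rule: Strict is never sent cross-site,
    Lax only on top-level GET navigations, None always."""

    def __init__(self) -> None:
        self.jar: Dict[str, Cookie] = {}

    def cookies_for(self, url: str, initiator_site: Optional[str],
                    top_level: bool, method: str = "GET") -> Dict[str, str]:
        same_site = initiator_site is None or initiator_site == site_of(url)
        sent: Dict[str, str] = {}
        for c in self.jar.values():
            if same_site or c.same_site == "None":
                sent[c.name] = c.value
            elif c.same_site == "Lax" and top_level and method == "GET":
                sent[c.name] = c.value
            # Strict (and Lax on a POST or sub-resource request) is dropped cross-site.
        return sent


class RelyingParty:
    """Magnolia-like server (constructed): sessions keyed by JSESSIONID; the pending
    OIDC request (state + requested URL) lives in the session, as the connector does."""

    def __init__(self, same_site: str) -> None:
        self.same_site = same_site          # the CookieProcessor sameSiteCookies value
        self.sessions: Dict[str, dict] = {}

    def _session(self, cookies: Dict[str, str], browser: Browser) -> Tuple[dict, bool]:
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return self.sessions[sid], False
        sid = secrets.token_hex(8)          # no usable cookie: a new, empty session
        self.sessions[sid] = {}
        browser.jar["JSESSIONID"] = Cookie("JSESSIONID", sid, self.same_site)
        return self.sessions[sid], True

    def start_login(self, browser: Browser) -> str:
        """Step 1: remember state in the session and redirect the browser to the IdP."""
        session, _ = self._session(browser.cookies_for(RP_URL, None, True), browser)
        state = secrets.token_urlsafe(16)
        session["ssoAuthenticationServiceRequest"] = {"state": state, "requestedUrl": "/"}
        return f"{IDP_AUTH_URL}?state={state}&redirect_uri={RP_URL}/.auth"

    def handle_callback(self, browser: Browser, callback_url: str) -> Tuple[str, bool]:
        """Step 2: the IdP sends the browser back, a cross-site top-level GET."""
        cookies = browser.cookies_for(callback_url, site_of(IDP_AUTH_URL), True)
        session, is_new = self._session(cookies, browser)
        pending = session.get("ssoAuthenticationServiceRequest")
        if pending is None:
            return "NOT_HANDLED", is_new    # falls through to FormLogin, as in the issue
        state = parse_qs(urlsplit(callback_url).query).get("state", [None])[0]
        if state != pending["state"]:
            return "STATUS_FAILED", is_new  # state mismatch: reject the callback
        return "HANDLED", is_new            # step 3 (token exchange) would follow


def run_flow(same_site: str, tamper_state: bool = False) -> Tuple[str, bool]:
    """Run steps 1-2 under one sameSiteCookies setting; returns
    (handler result, whether the callback landed in a fresh session)."""
    browser, rp = Browser(), RelyingParty(same_site)
    state = parse_qs(urlsplit(rp.start_login(browser)).query)["state"][0]
    if tamper_state:
        state = "constructed-wrong-state"
    # Constructed callback URL: what Google redirects the browser to after consent.
    return rp.handle_callback(browser, f"{RP_URL}/.auth?state={state}&code=constructed-code")
```

With Strict the callback from accounts.google.com arrives without JSESSIONID, lands in a fresh session ("Session is new : true" in the log above) and falls through to FormLogin; with Lax the top-level GET carries the cookie, so the stored request is found and the state check can run.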
| Comments |
| Comment by Edwin Guilbert [ 20/May/21 ] |
|
I just tested the same project (non dx-core-cloud based) with a magnolia tomcat bundle and can confirm that the issue is present for a dx-core project using sso 2.7.x
| Comment by Edwin Guilbert [ 21/May/21 ] |
|
Discussion about sameSiteCookies: https://magnolia-cms.slack.com/archives/CDF2T239Q/p1621497875010500 and https://magnolia-cms.slack.com/archives/CKDSMM5CJ/p1621526307008100
|
| Comment by Edwin Guilbert [ 21/May/21 ] |
|
Tomcat's context.xml will probably be reverted to "lax" instead of "strict": https://magnolia-cms.slack.com/archives/CKDSMM5CJ/p1621576718001400 |
| Comment by Edwin Guilbert [ 21/May/21 ] |
|
Tried with context.xml sameSiteCookies="lax" and it partially worked, i.e. the authentication worked but the redirect is still broken, so one has to manually enter the requested URL in the browser again. It appears the redirect URI is still lost further down the business logic (after the authentication is done). Probably around here in SSOAuthenticationLoginFilter:

```java
// SSO authentication request: add originally requested URL
if (StringUtils.isNotBlank(requestedUrl)) {
    request.getSession().setAttribute("ssoAuthenticationRedirectUrl", requestedUrl);
}
// if the store token option is enabled, put the request object into the session to retrieve token information later
if (oicSettings != null && oicSettings.isStoreToken()) {
    request.getSession().setAttribute("ssoRequestObj", oicServiceRequest);
}
MgnlContext.login(subject);
AuditLoggingUtil.log(loginResult, request);
// Send response via redirect to follow PRG (Post/Redirect/Get) pattern to prevent logging in via Back button after logout. http://en.wikipedia.org/wiki/Post/Redirect/Get
// Applied only in case authentication is done with POST request.
if (loginResult.getStatus() == LoginResult.STATUS_SUCCEEDED_REDIRECT_REQUIRED) {
    String location = request.getParameter(FormLogin.PARAMETER_RETURN_TO);
    // Fallback to current request uri if no FormLogin.PARAMETER_RETURN_TO was specified
    if (location == null) {
        location = request.getRequestURL().toString();
    }
    location = RequestDispatchUtil.REDIRECT_PREFIX + location;
    RequestDispatchUtil.dispatch(location, request, response);
    return;
}
```

Then in the SSOPreserveOriginalURIServlet it won't find the ssoAuthenticationRedirectUrl parameter in the session:

```java
String redirectUrl = (String) request.getSession().getAttribute("ssoAuthenticationRedirectUrl");
boolean isRedirectProvided = StringUtils.isNotBlank(redirectUrl);
boolean isLogoutRequest = StringUtils.isNotBlank(request.getParameter(LogoutFilter.PARAMETER_LOGOUT));
if (isRedirectProvided && !isLogoutRequest) {
    log.debug("Redirecting to original request URL {}", redirectUrl);
    if (StringUtils.endsWith(redirectUrl, ADMINCENTRAL_REDIRECT)) {
        log.debug("AdminCentral redirect, adding fragment so that Magnolia does not mess it up.");
        redirectUrl += SHELL_FRAGMENT;
        log.debug("Redirecting to Magnolia AdminCentral URL {}", redirectUrl);
    }
    response.sendRedirect(redirectUrl);
}
```
Here is the log:
2021-05-21 10:39:14,098 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
javax.security.auth.Subject = Subject:
Principal: info.magnolia.cms.security.ExternalUser@8921633
Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
Principal: GroupListImpl[name=groups,list={owners,publishers}]
Principal: PrincipalCollectionImpl[name=PrincipalCollection]-- Session is new : false
----------2021-05-21 10:39:14,098 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
2021-05-21 10:39:14,894 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@411aa3e7
ssoAuthenticationServiceRequest = info.magnolia.connector.sso.oic.service.OICServiceRequest@2ad41d33
csrf = JB9nHjdEpojLAqHLZwvRQM2Od3E
-- Session is new : false
----------2021-05-21 10:39:14,894 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Authorization code received: 4/0AY0e-g6ble6iBROyNsVLVX_nXuox6R-J0i3da9U3vJZP1XsWssZ2mF0mLJtVlD2q7qdTfg
2021-05-21 10:39:15,084 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Received an access token: ya29.a0AfH6SMAz4fgOD79wCf_mKdMB28Hhcce3mM3nYEl7mF8Ld3jQ7vnX2m7RFWN4E_K7kSbSJiPK3q7jKPqubZuwVoSGXsfWL1rBf5Kpvay9yiz24di__6S_BLvn7HmqByn3xd_R_oPC0K7As6jwl_fWnDT9PefJ
2021-05-21 10:39:15,084 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Raw response: {
"access_token": "ya29.a0AfH6SMAz4fgOD79wCf_mKdMB28Hhcce3mM3nYEl7mF8Ld3jQ7vnX2m7RFWN4E_K7kSbSJiPK3q7jKPqubZuwVoSGXsfWL1rBf5Kpvay9yiz24di__6S_BLvn7HmqByn3xd_R_oPC0K7As6jwl_fWnDT9PefJ",
"expires_in": 3599,
"refresh_token": "1//03e-J4RoitwghCgYIARAAGAMSNwF-L9IrySuQDsJhjoKS5zxPM0fNpINmVRIx2NWUJO5dDJAbc-x8guHoGIlreWWLEOj7jzY_lXw",
"scope": "openid https://www.googleapis.com/auth/userinfo.email",
"token_type": "Bearer",
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImQzZmZiYjhhZGUwMWJiNGZhMmYyNWNmYjEwOGNjZWI4ODM0MDZkYWMiLCJ0eXAiOiJKV1QifQ.[...].JmIX0dS3Wo4VfIRMnkcisBv65ym-dKS94X6yMpU5c7oIt7csSLnxv_FYKCqs9VuUpA8eKl0Uow72ghuSvPhAK7viTgmkDNU7_R7XBi2sRxqW2UbRgE4ObYn1NC_QEw8uCPkNzz7zXyLguSrruX9w81VFcI7CwY_iKvDk3FRcchUA1gBEnUMZbs_gGgdM7NfOSd1-R1HYGA5A-aXeK57BlgS8uDYnYeOmdIQaeqPzW0IVne2dqssKj_GR6hAkPfExOztx-HBVUkpw74psMLOE0c-gWV33Wmj91PCSy8LsgVc9ly43KX1lzUqoznopa1ausObrDzMYsLNs03AczzUK9g"
}
2021-05-21 10:39:15,084 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Token expires in: 3599
2021-05-21 10:39:15,085 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Using OpenID Connect for SSO authentication.
2021-05-21 10:39:15,100 DEBUG info.magnolia.connector.sso.util.JSONUtils : Fetched JSON Web Keys for OpenID validation:
2021-05-21 10:39:15,100 DEBUG info.magnolia.connector.sso.util.JSONUtils : { "keys": [ { "n": "z8eiKUkFeJeFWXxqDCCR7R3FATnahlIWPY-drXFv0DOY_GCwmQCZArvNhHjtbJkbpPO9isHykrEkov1B0T8RhsMWalfmOuUCMTGvcc_gJgTtlfTkgY10FOayh0QRQiyW7DfW4SeJijOMrw7JpIyuQ5tHGZEC1L2Y0_-TFSwvWjOhbb8zbNWmI4RnyFtLreHonUM9QUPsjFWJpyLFmCFlu0WqcWDnmnjZTjlAlkm-iWeqfvNs1q3EsDDc9YtNnoy_h8ipi5g-ThG9LIw5KCzMY_C-2BrS9Sa-DsegOht2Y8rew4nEgcqkSokQZpXtDSkSKCkbcaT_rXY7vK13uXg14w", "alg": "RS256", "e": "AQAB", "kid": "d3ffbb8ade01bb4fa2f25cfb108cceb883406dac", "kty": "RSA", "use": "sig" }, { "kid": "cd49b2ab16e1e9a496c8239dac0dadd09d443012", "n": "koT6VAUmOwqXQoyMQkk0F1JJd81H7ksx7FHfKtqXvdrDt9LLr1IDJ-CFpbbn4SuJeYQcUo-lHA1_vbbtgCBSyd_H86WGGARlPrsqFF-hbBBauhUQuXMxFxJKAiQS0WIbFvDkwRaNiGIMYQvzwDKbms5tCqZ04T5Qez9v64i3RlU8-upJxG9duzeXQjrnC5uJeeG-9fwE06RRZ1Y8Uul63Lpxicw5Alyd5HQIzF5vSSwjqdVrBUJAToxuTIqIHR24omrz1f7Jf97wy2U7KUoSnytauyaZtph7RmsUPVMFr9fGMxNVU8tKEVeOYJv-piOc0gfPvIahbv2en0DhOax6OQ", "alg": "RS256", "e": "AQAB", "kty": "RSA", "use": "sig" } ]}
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils : The JWS signature was verified.
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils : JWS payload: {"iss":"https://accounts.google.com","azp":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","aud":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","sub":"102315101362010642494","hd":"magnolia-cms.com","email":"edwin.guilbert@magnolia-cms.com","email_verified":true,"at_hash":"RlTXxL4abzz-PgUNzE4FVg","iat":1621593555,"exp":1621597155}
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils : JWT claims: JWT Claims Set:{iss=https://accounts.google.com, azp=462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com, aud=462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com, sub=102315101362010642494, hd=magnolia-cms.com, email=edwin.guilbert@magnolia-cms.com, email_verified=true, at_hash=RlTXxL4abzz-PgUNzE4FVg, iat=1621593555, exp=1621597155}
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils : OpenID issuer OK.
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils : OpenID audience OK.
2021-05-21 10:39:15,104 DEBUG info.magnolia.connector.sso.util.JSONUtils : OpenID issued-at OK
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.util.JSONUtils : OpenID expiration OK
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Validation of the OpenID token was successful.
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Assigned the OpenID token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImQzZmZiYjhhZGUwMWJiNGZhMmYyNWNmYjEwOGNjZWI4ODM0MDZkYWMiLCJ0eXAiOiJKV1QifQ.[...].JmIX0dS3Wo4VfIRMnkcisBv65ym-dKS94X6yMpU5c7oIt7csSLnxv_FYKCqs9VuUpA8eKl0Uow72ghuSvPhAK7viTgmkDNU7_R7XBi2sRxqW2UbRgE4ObYn1NC_QEw8uCPkNzz7zXyLguSrruX9w81VFcI7CwY_iKvDk3FRcchUA1gBEnUMZbs_gGgdM7NfOSd1-R1HYGA5A-aXeK57BlgS8uDYnYeOmdIQaeqPzW0IVne2dqssKj_GR6hAkPfExOztx-HBVUkpw74psMLOE0c-gWV33Wmj91PCSy8LsgVc9ly43KX1lzUqoznopa1ausObrDzMYsLNs03AczzUK9g
2021-05-21 10:39:15,105 DEBUG info.magnolia.connector.sso.login.SSOLoginHandler : Trying to retrieve user information by using the URL: https://www.googleapis.com/oauth2/v1/userinfo
2021-05-21 10:39:15,161 DEBUG info.magnolia.connector.sso.util.JSONUtils : Original response body: {
"id": "102315101362010642494",
"email": "edwin.guilbert@magnolia-cms.com",
"verified_email": true,
"picture": "https://lh3.googleusercontent.com/a-/AOh14GiJUShAp7E9KgrgvINjDynUHs3YJc-jEW57dzuP=s96-c",
"hd": "magnolia-cms.com"
}
2021-05-21 10:39:15,163 DEBUG info.magnolia.connector.sso.util.UserAccountUtils : The payload from the OIDC token can be used to fill user properties.
2021-05-21 10:39:15,163 DEBUG info.magnolia.connector.sso.util.JSONUtils : Original response body: {"iss":"https://accounts.google.com","azp":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","aud":"462837491321-52d0bbpuj1f9i9vgok2sefflsi3f8vju.apps.googleusercontent.com","sub":"102315101362010642494","hd":"magnolia-cms.com","email":"edwin.guilbert@magnolia-cms.com","email_verified":true,"at_hash":"RlTXxL4abzz-PgUNzE4FVg","iat":1621593555,"exp":1621597155}
2021-05-21 10:39:15,163 DEBUG info.magnolia.connector.sso.util.UserAccountUtils : Created user properties: {name=edwin.guilbert, id=googleOpenIDConnectTemplate:oauth:102315101362010642494, email=edwin.guilbert@magnolia-cms.com}
2021-05-21 10:39:15,251 DEBUG info.magnolia.connector.sso.util.UserAccountUtils : Creating user with details {name=edwin.guilbert, id=googleOpenIDConnectTemplate:oauth:102315101362010642494, email=edwin.guilbert@magnolia-cms.com}
2021-05-21 10:39:15,251 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,253 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 2ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,254 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'superuser'".
2021-05-21 10:39:15,255 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /superuser
2021-05-21 10:39:15,260 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,261 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,261 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,263 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 2ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: External user object:
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: -- properties: {name=edwin.guilbert, id=googleOpenIDConnectTemplate:oauth:102315101362010642494, email=edwin.guilbert@magnolia-cms.com}
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: -- groups: [publishers]
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: -- roles: [workflow-base, publisher, superuser]
2021-05-21 10:39:15,263 DEBUG info.magnolia.cms.security.SSOConnectorUserManager: Please consider effective permissions when assigning groups and roles.
2021-05-21 10:39:15,265 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'workflow-base'".
2021-05-21 10:39:15,266 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /workflow-base
2021-05-21 10:39:15,267 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'publisher'".
2021-05-21 10:39:15,268 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /publisher
2021-05-21 10:39:15,269 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:role] where name() = 'superuser'".
2021-05-21 10:39:15,270 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 1ms (isInstallationPhase: false): path = /superuser
2021-05-21 10:39:15,274 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Executing query "select * from [mgnl:group] where name() = 'publishers'".
2021-05-21 10:39:15,274 DEBUG nolia.cms.security.RepositoryBackedSecurityManager: Retrieving node took 0ms (isInstallationPhase: false): path = /publishers
2021-05-21 10:39:15,277 WARN info.magnolia.cms.filters.ContentTypeFilter : Content type for http://localhost:8080/.auth?state=tntof7lrii29s39u5cms7138gf&code=4%2F0AY0e-g6ble6iBROyNsVLVX_nXuox6R-J0i3da9U3vJZP1XsWssZ2mF0mLJtVlD2q7qdTfg&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=magnolia-cms.com&prompt=consent is not set.
2021-05-21 10:39:47,198 WARN info.magnolia.debug : -- Session found
-- Session attributes :
Admincentral.lock = java.util.concurrent.locks.ReentrantLock@48f28a40[Unlocked]
Key[type=info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage, annotation=[none]] = info.magnolia.personalization.trait.storage.StorageAwareTraitCollector$SessionScopedTraitStorage@11bf3b79
com.vaadin.server.VaadinSession.Admincentral = com.vaadin.server.VaadinSession@22beb61d
csrf = UEmqRXrh1x7b966Jy7t8SrvBk80
javax.security.auth.Subject = Subject:
Principal: info.magnolia.cms.security.ExternalUser@8921633
Principal: info.magnolia.cms.security.Realm$RealmImpl@179a1
Principal: RoleListImpl[name=roles,list={superuser,workflow-base,publisher}]
Principal: GroupListImpl[name=groups,list={owners,publishers}]
Principal: PrincipalCollectionImpl[name=PrincipalCollection]-- Session is new : false
----------2021-05-21 10:39:47,198 DEBUG info.magnolia.cms.security.auth.login.FormLogin : handle login for null
The trace "Redirecting to original request URL" from SSOPreserveOriginalURIServlet is never reached.
|
| Comment by Evzen Fochr [ 29/Aug/23 ] |
|
Documented https://docs.magnolia-cms.com/magnolia-sso/3.1.6/troubleshooting.html#_unable_to_log_in_with_an_ssoopenid_setup |