
Login issue with CAS/SAML SSO

asked 2021-05-06 23:06:30 +0800

hmannam

updated 2021-05-06 23:10:22 +0800

Hi,

I have an application that uses ZK 7 and Spring Security. We have integrated with CAS SSO and are having login issues when there is a slow internet connection. The user loops back to the login screen and never gets to the home page of the application even though authentication is successful. The issue is that once the user is authenticated with CAS, the user is redirected to the '/zkau' URL, where it is supposed to redirect to 'careWeb.zul' first, which is the landing page for the application. This happens only when there is a slow internet connection. When there is a fast internet connection, the 'careWeb.zul' redirection happens first and then '/zkau' gets called as expected. I feel there is some race condition in how ZK looks for and picks the redirection URL order.

I have been struggling with this issue for a couple of months. I know what's causing the issue but have no clue how to fix it. I really appreciate your responses. Thanks!


9 Answers


answered 2021-05-07 14:56:49 +0800

cor3000 (ZK Team)

updated 2021-05-07 15:00:18 +0800 by jeanher (ZK Team)

Difficult to say what's going on there without actually seeing when and how it happens, what it does at the network and server side, etc.

In your browser's developer tools (network tab) you can trace which request(s) are sent/received and in which order (there's no need to guess): it will be written in plain text how long a request took, and when/what was sent and received. The developer tools also allow you to simulate a slow connection (latency/bandwidth) to reproduce a certain scenario more reliably.

In my experience this type of question/problem is unlikely to be solved in a forum, since it's almost impossible to provide all the reproducing details.

If urgent please contact [email protected] asking for dedicated support (e.g. a zoom session so we can look directly into your environment).


answered 2021-05-08 04:40:06 +0800

hmannam

updated 2021-05-11 19:47:39 +0800

(screenshot: /upfiles/16207334821023756.png)

Thanks for your comments. I have already simulated the issue in Chrome developer tools by setting 'Fast 3G' and 'No throttling'. Please compare the attached screenshots of the working and non-working cases. FYI, in case it helps at all, we have set the '/zkau' URL pattern to be allowed as 'ANONYMOUS USER' in applicationContext.xml (<security:intercept-url pattern="\A/zkau\Z" access="IS_AUTHENTICATED_ANONYMOUSLY"/>).

So in the failed case, by the time the call goes to '/tEMR' the Spring Security context is updated with 'ANONYMOUS USER' (as it is intercepted by the /zkau call, which flips the security context to ANONYMOUS USER), hence looping back to the login screen.

Hope this detail helps a bit further.

One question...is the dedicated support free of cost or charged?

Thanks!


Comments

Regarding dedicated support: we will take a quick look (or do a quick call) and provide some initial help for free. If it is complicated and requires more time we will let you know, and you can decide if you wish to continue (get paid support).

jeanher (2021-05-11 09:29:18 +0800)
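One way to verify the claim above, that a /zkau request handled as 'ANONYMOUS USER' leaves the security context anonymous for the following /tEMR request, is to log the authentication before and after every request passes through the ZK update servlet, together with the ZK command and desktop id the request carries. The filter below is an added example written for this thread; it is not code from the original poster, from ZK or from Spring Security. It assumes the javax.servlet API and Spring Security 3.x classes, and the class name ZkAuthDiagnosticFilter is a placeholder. Two checks worth making alongside it: the pattern "\A/zkau\Z" is a regular expression, so the rule only matches if the <http> element uses request-matcher="regex" (path-type="regex" on Spring Security 3.0); with the default ant matcher the pattern is compared literally and never applies to /zkau. And in a stock setup Spring Security's AnonymousAuthenticationFilter only fills an empty context, and HttpSessionSecurityContextRepository does not write an anonymous token over a stored principal, so if the log shows the principal disappearing between two requests on the same session id, look at whatever replaces the context during ZK's processing (a custom repository keyed by desktop id, for instance) rather than at the anonymous rule itself.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added diagnostic filter (hypothetical name, not part of the application
 * discussed in the thread). Declare it in web.xml AFTER springSecurityFilterChain
 * and map it to /*, e.g.
 *
 *   <filter><filter-name>zkAuthDiag</filter-name>
 *     <filter-class>ZkAuthDiagnosticFilter</filter-class></filter>
 *   <filter-mapping><filter-name>zkAuthDiag</filter-name>
 *     <url-pattern>/*</url-pattern></filter-mapping>
 *
 * so it observes the SecurityContext that Spring Security populated for the
 * request, both before ZK processes the AU command and after it returns.
 */
public class ZkAuthDiagnosticFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        log("before", request);
        try {
            chain.doFilter(req, res);
        } finally {
            // Logged even if ZK throws: a difference between the two lines means
            // the context was altered while ZK, not Spring Security, had the request.
            log("after ", request);
        }
    }

    /** ZK AU requests carry their commands as the form fields cmd_0, cmd_1, ... */
    static List<String> auCommands(HttpServletRequest request) {
        List<String> cmds = new ArrayList<String>();
        for (int i = 0; ; i++) {
            String cmd = request.getParameter("cmd_" + i);
            if (cmd == null) break;
            cmds.add(cmd);
        }
        return cmds;
    }

    /** Short, unambiguous summary of the current Authentication. */
    static String describe(Authentication auth) {
        if (auth == null) return "null";
        if (auth instanceof AnonymousAuthenticationToken) return "ANONYMOUS";
        return auth.getName() + (auth.isAuthenticated() ? " authenticated" : " NOT authenticated");
    }

    private static void log(String phase, HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session from a probe
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.printf("[zk-auth] %s %s %s cmds=%s dtid=%s session=%s auth=%s%n",
                phase, request.getMethod(), request.getRequestURI(),
                auCommands(request), request.getParameter("dtid"),
                session == null ? "none" : session.getId(), describe(auth));
    }
}
```

Read the output as pairs: the "before" and "after" lines of the /zkau request that carries onClientInfo (or rmDesktop), followed by the line for the next /tEMR request. If the /zkau "after" line already shows ANONYMOUS or null on a session id that was authenticated in its "before" line, the context was dropped inside ZK's handling of that command; if both /zkau lines show the user and only /tEMR is anonymous, compare the session ids, because a new id means the session itself was replaced between the two requests.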

answered 2021-05-08 04:52:33 +0800

hmannam

updated 2021-05-08 04:57:01 +0800

Hmm... looks like I cannot upload screenshots.

It says "sorry, file uploading requires karma >100". What does this mean?


Comments

Increased your Karma, you should be able to post images now

jeanher (2021-05-11 09:23:58 +0800)

answered 2021-05-11 19:50:47 +0800

hmannam

Thanks for adding the ability to add screenshots. I have added the screenshots. Thanks!


answered 2021-05-14 18:42:19 +0800

MDuchemin (ZK Team)

There are a few things that I currently cannot place.

Regarding the page loading order, what I would expect to see would be:

1 -> login.html page with the username and password form controls

2 -> post the form to the j_spring_security_check URL, perform authentication at session level, etc.

3 -> the j_spring_security_check response contains a 302 redirect to the landing page

4 -> the landing zul page loads scripts, etc.

From the network panel, it looks like you are already in a loaded ZK page, then post a zkau request (which goes through with result 200, since the /zkau URL is allowed for anonymous users).

From there, it looks like the request to tEMR is either successful (returns 200), or is redirected to yet another target.

I think this should be easier to handle in a support ticket, in order to check the event order and results in a remote session.


Comments

Sure, thanks for the comments. Please let me know the procedure to create a support ticket. Thanks!

hmannam (2021-05-17 20:08:29 +0800)

Hi we've sent you an email about getting dedicated support.

jeanher (2021-05-18 14:57:21 +0800)

answered 2021-06-14 21:46:08 +0800

hmannam

Hi Mat,

I was busy with other projects and am finally able to take a look into this issue. Recalling the summary from our meeting, I remember you mentioned changing something in the code just to make sure that it is actually causing the issue. I know it's been a while and you might have forgotten the issue. If you remember anything and can give some hints, that would be really great. Here I am attaching a screenshot of the code snippet where we left off. Can you confirm whether this is the code you mentioned changing and testing? Also, we looked into the 'onClientInfo' and 'onResetTimer' events and I believe 'onClientInfo' is the one that may be causing the issue. I really appreciate your help. Thanks! (screenshot attached)


answered 2021-06-15 15:38:50 +0800

MDuchemin (ZK Team)

Hey there hmannam,

From memory, what we found out last time was:

  • The user Principal (the authentication status) is lost at some point after the end of the filters for the ClientInfo request.
  • At the clientInfo event entry point, the principal is still available, so something must happen after the clientInfo /zkau request reaches the business layer. The principal is still available after Spring Security filtering, while the request is being processed by the ZK framework.
  • Putting a breakpoint in the clientInfo service method may help you to locate the event listener.
  • You could also put breakpoints at key code locations that you know will be executed during this event processing, and check the status of the user credential during each of these steps. If you find that the credentials have disappeared between two steps, you will be able to reduce the scope of the investigation.
  • Based on the effect, it is possible that something caused the session to be invalidated (I suggested using a session cleanup listener), but this was unlikely since the JSESSIONID did not change between requests.
  • I also mentioned that you could check whether you are already logging all debug messages from Spring Security, in case there is a way to display a log when the session is invalidated. This might be done with a Spring Security config such as logging.level.org.springframework.security=DEBUG, or whatever is relevant to your setup.
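The "session cleanup listener" and "check the status of the user credential at each step" suggestions above can be covered with one servlet listener: it reports session invalidation, and every add, replace or remove of the session attribute under which Spring Security's default HttpSessionSecurityContextRepository stores the SecurityContext, each time with the stack of the thread doing it, so the code that drops the principal identifies itself. This is an added example for the thread, not code from the poster, ZK or Spring Security; it assumes the javax.servlet API and Spring Security 3.x, and the class name SecurityContextWatcher is a placeholder. If the application stores the context under its own key (the code later in this thread looks it up by session and desktop id), change KEY to that attribute name.

```java
import javax.servlet.http.HttpSessionAttributeListener;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/**
 * Added diagnostic listener (hypothetical name). Declare it in web.xml:
 *   <listener><listener-class>SecurityContextWatcher</listener-class></listener>
 * Logs session creation/destruction and any change to the attribute holding the
 * SecurityContext, with a trimmed stack trace of the thread making the change.
 */
public class SecurityContextWatcher implements HttpSessionListener, HttpSessionAttributeListener {

    // "SPRING_SECURITY_CONTEXT" in stock Spring Security. A custom
    // SecurityContextRepository (e.g. one keyed by ZK dtid) may use another
    // attribute name; set KEY to whatever that repository writes.
    private static final String KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    public void sessionCreated(HttpSessionEvent se) {
        System.out.println("[session] created " + se.getSession().getId());
    }

    /** Fired for explicit invalidate() and for timeouts alike. On a timeout the
     *  stack belongs to the container's expiry thread, which is itself the answer:
     *  nothing in the application called invalidate(). */
    public void sessionDestroyed(HttpSessionEvent se) {
        report("destroyed " + se.getSession().getId());
    }

    public void attributeAdded(HttpSessionBindingEvent e) {
        if (KEY.equals(e.getName())) {
            report("context stored in " + e.getSession().getId() + ": " + e.getValue());
        }
    }

    public void attributeReplaced(HttpSessionBindingEvent e) {
        // For a replace event getValue() is the OLD value; the new one is in the session.
        if (KEY.equals(e.getName())) {
            report("context replaced in " + e.getSession().getId()
                    + " (was " + e.getValue() + ", now " + e.getSession().getAttribute(KEY) + ")");
        }
    }

    public void attributeRemoved(HttpSessionBindingEvent e) {
        if (KEY.equals(e.getName())) {
            report("context removed from " + e.getSession().getId() + " (was " + e.getValue() + ")");
        }
    }

    /** Print the message plus the first frames of the current stack outside this class. */
    private static void report(String message) {
        StringBuilder sb = new StringBuilder("[session] ").append(message);
        int shown = 0;
        for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
            String cls = f.getClassName();
            if (cls.equals(SecurityContextWatcher.class.getName()) || cls.startsWith("java.lang.Thread")) {
                continue;
            }
            sb.append("\n    at ").append(f);
            if (++shown == 12) break; // enough to see the application frame that triggered it
        }
        System.out.println(sb);
    }
}
```

The logging property quoted in the answer is the Spring Boot form; for the XML-configured application in this thread the same effect comes from the logging framework it actually uses, e.g. log4j.logger.org.springframework.security=DEBUG in log4j.properties or <logger name="org.springframework.security" level="DEBUG"/> in logback.xml. With both in place, a "context removed" or "destroyed" line whose stack runs through ZK's AU processing during the onClientInfo request, with the same JSESSIONID before and after, narrows the problem to that event's listener rather than to a session change.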

answered 2021-06-15 21:13:39 +0800

hmannam

updated 2021-06-16 06:21:08 +0800 by cor3000 (ZK Team)

Hi Mat, I really appreciate your response. In addition to your comments, yesterday when I was debugging I found that 'rmDesktop' gets called somewhere, which looks like it makes the SecurityContext create a brand new session. I may be wrong, but this may be an after-the-fact kind of event that happens after the user has been redirected back to the login screen. I need to figure out what is causing the 'rmDesktop' event firing. That might help, or at least lead to something. This is the code snippet that pulls the security context:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// Looks up the SecurityContext for a ZK AU request. If the ZK client is tearing
// down the desktop (cmd_0=rmDesktop) or there is no session, an empty context is
// returned instead of the stored one. The two-argument overload keyed by session
// and ZK desktop id (dtid) is defined elsewhere in the application and not shown here.
public static SecurityContext getSecurityContext(HttpServletRequest request) {
    HttpSession session = request.getSession(false); // do not create a session as a side effect
    System.out.println("haritha id: " + request.getParameter("cmd_0")
            + " and session is " + session);
    boolean ignore = "rmDesktop".equals(request.getParameter("cmd_0"));
    return ignore || session == null
            ? SecurityContextHolder.createEmptyContext()
            : getSecurityContext(session, request.getParameter("dtid"));
}

answered 2021-06-17 10:41:13 +0800

MDuchemin (ZK Team)

Hi there,

the rmDesktop call is sent by the browser during "onBeforeUnload" (when the page is closed, or when navigation to a different page happens). It's a cleanup mechanism that removes the ZK desktop when the associated browser page is closing.

Based on your description, this rmDesktop is most likely sent by the first page when receiving the navigation event triggering the redirect to the login screen.
