Posted to dev@zeppelin.apache.org by khalidhuseynov <gi...@git.apache.org> on 2017/06/01 06:28:11 UTC

[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

Github user khalidhuseynov commented on the issue:

    https://github.com/apache/zeppelin/pull/2373
  
    I've just tried to log in using the config info from the online demo for oidc-client at https://demo.c2id.com/oidc-client, using the modified config below:
    ```
    oidcConfig = org.pac4j.oidc.config.OidcConfiguration
    oidcConfig.discoveryURI = https://demo.c2id.com/oidc-client/cb
    oidcConfig.clientId = 000123
    oidcConfig.secret = 7wKJNYFaKKg4FxUdi8_R75GGYsiWezvAbcdN1uSumE4
    oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
    oidcClient = org.pac4j.oidc.client.OidcClient
    oidcClient.configuration = $oidcConfig
    clients = org.pac4j.core.client.Clients
    clients.callbackUrl = http://localhost:8080/api/callback
    clients.clients = $oidcClient
    requireRoleAdmin = org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
    #requireRoleAdmin.elements = <your role>
    config = org.pac4j.core.config.Config
    config.clients = $clients
    #config.authorizers = admin:$requireRoleAdmin
    pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
    pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
    securityManager.subjectFactory = $pac4jSubjectFactory
    oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
    oidcSecurityFilter.config = $config
    oidcSecurityFilter.clients = oidcClient
    callbackFilter = io.buji.pac4j.filter.CallbackFilter
    callbackFilter.defaultUrl = http://localhost:8080
    callbackFilter.config = $config
    securityManager.realms = $pac4jRealm
    
    ...
    
    /api/callback = callbackFilter
    #/** = anon
    /** = authc
    ```
    but I'm getting an exception:
    ```
    ERROR [2017-06-01 14:49:39,711] ({qtp764577347-20} LoginRestApi.java[postLogin]:111) - Exception in login: 
    org.apache.shiro.authc.pam.UnsupportedTokenException: Realm [io.buji.pac4j.realm.Pac4jRealm@734cf9ff] does not support authentication token [org.apache.shiro.authc.UsernamePasswordToken - alice, rememberMe=false].  Please ensure that the appropriate Realm implementation is configured correctly or that the realm accepts AuthenticationTokens of this type.
    	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:178)
    	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
    	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
    	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
    	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
    	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    	at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:80)
    ```
    Please let me know if you can see any apparent misconfiguration.

