I would think you could put them into gateway.sh options in a similar
manner to:

JAVA_FLAGS=-Dhttp.proxyHost=10.0.0.100 -Dhttp.proxyPort=8800
java ${JAVA_FLAGS} ...

I don't recall seeing those errors before - you see a similar JIRA?


On Sat, Mar 3, 2018 at 10:54 PM, Ryan H <[email protected]>
wrote:

> Yep, that was the issue; I was behind a proxy (bang my head). This got me
> past the current issue and into a new set of issues. Firstly, is there a
> way to set a proxy with Knox for scenarios such as this? Second, now I see
> the following error (which it looks like there may have been a JIRA opened
> for this a while back):
>
> 2018-03-03 22:45:46,171 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> 2018-03-03 22:45:46,171 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery
> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
> ...
>
> -Ryan
>
> On Sat, Mar 3, 2018 at 10:45 PM, larry mccay <[email protected]>
> wrote:
>
>> Maybe you have a proxy configured in your browser to allow you to get
>> there.
>>
>> On Sat, Mar 3, 2018 at 10:35 PM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>
>>> Hi Larry,
>>>
>>> I can reach the host via browser, but not via ping... Ping results in
>>> "Unknown Host", I'm seeing a correlation here...
>>>
>>> -Ryan
>>>
>>> On Sat, Mar 3, 2018 at 10:32 PM, larry mccay <[email protected]> wrote:
>>>
>>>> Hi Ryan -
>>>>
>>>> Welcome to Knox-ville!
>>>>
>>>> Going to start with a very obvious question - can you ping that host
>>>> from the machine where the gateway is running?
>>>>
>>>> thanks,
>>>>
>>>> --larry
>>>>
>>>> On Sat, Mar 3, 2018 at 10:07 PM, Ryan H <ryan.howell.development@gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> Disclaimer: I am very new to Knox!
>>>>>
>>>>> I am working on setting up KnoxSSO with an OpenID provider (Cloud
>>>>> Foundry UAA) for AuthN to an application (Apache NiFi). I am running into
>>>>> an issue where it seems that the oidc.discoveryUri is resulting in the
>>>>> following error:
>>>>>
>>>>> 2018-03-03 21:59:37,104 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>> 2018-03-03 21:59:37,104 ERROR knox.gateway (GatewayFilter.java:doFilter(177)) - Gateway processing failed: javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>> javax.servlet.ServletException: org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: {guid-id}.sub-uaa.another.zone.aws-us01.something.io
>>>>> at org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
>>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>> at org.apache.knox.gateway.webappsec.filter.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:58)
>>>>> at org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:377)
>>>>> at org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:277)
>>>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:171)
>>>>> at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:94)
>>>>> at org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:141)
>>>>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
>>>>>
>>>>> *Here is my topology from knoxsso.xml config:*
>>>>>
>>>>> <topology>
>>>>>     <gateway>
>>>>>         <provider>
>>>>>             <role>webappsec</role>
>>>>>             <name>WebAppSec</name>
>>>>>             <enabled>true</enabled>
>>>>>             <param><name>xframe.options.enabled</name><value>true</value></param>
>>>>>         </provider>
>>>>>         <provider>
>>>>>             <role>federation</role>
>>>>>             <name>pac4j</name>
>>>>>             <enabled>true</enabled>
>>>>>             <param>
>>>>>                 <name>pac4j.callbackUrl</name>
>>>>>                 <value>https://localhost:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>             </param>
>>>>>             <param>
>>>>>                 <name>clientName</name>
>>>>>                 <value>OidcClient</value>
>>>>>             </param>
>>>>>             <param>
>>>>>                 <name>oidc.id</name>
>>>>>                 <value>some_client_id</value>
>>>>>             </param>
>>>>>             <param>
>>>>>                 <name>oidc.secret</name>
>>>>>                 <value>some_client_secret</value>
>>>>>             </param>
>>>>>             <param>
>>>>>                 <name>oidc.discoveryUri</name>
>>>>>                 <value>https://{guid-id}.sub-uaa.another.zone.aws-us01.something.io/.well-known/openid-configuration</value>
>>>>>             </param>
>>>>>             <param>
>>>>>                 <name>oidc.preferredJwsAlgorithm</name>
>>>>>                 <value>RS256</value>
>>>>>             </param>
>>>>>         </provider>
>>>>>     </gateway>
>>>>>     <application>
>>>>>         <name>knoxauth</name>
>>>>>     </application>
>>>>>     <service>
>>>>>         <role>KNOXSSO</role>
>>>>>         <param>
>>>>>             <name>knoxsso.cookie.secure.only</name>
>>>>>             <value>false</value>
>>>>>         </param>
>>>>>         <param>
>>>>>             <name>knoxsso.token.ttl</name>
>>>>>             <value>3600000</value>
>>>>>         </param>
>>>>>         <param>
>>>>>             <name>knoxsso.redirect.whitelist.regex</name>
>>>>>             <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>>>>>         </param>
>>>>>     </service>
>>>>> </topology>
>>>>>
>>>>>
>>>>> *Here is my topology from sandbox.xml:*
>>>>>
>>>>> <topology>
>>>>>     <gateway>
>>>>>         <provider>
>>>>>             <role>federation</role>
>>>>>             <name>SSOCookieProvider</name>
>>>>>             <enabled>true</enabled>
>>>>>             <param>
>>>>>                 <name>sso.authentication.provider.url</name>
>>>>>                 <value>https://127.0.0.1:8443/gateway/knoxsso/api/v1/websso</value>
>>>>>             </param>
>>>>>         </provider>
>>>>>         <provider>
>>>>>             <role>identity-assertion</role>
>>>>>             <name>Default</name>
>>>>>             <enabled>true</enabled>
>>>>>         </provider>
>>>>>     </gateway>
>>>>>     <service>
>>>>>         <role>NIFI</role>
>>>>>         <url>http://localhost:8080</url>
>>>>>     </service>
>>>>> </topology>
>>>>>
>>>>> I was able to use the gateway to get to the NiFi app with basic auth
>>>>> as a connectivity test, and now I want to drop in the OpenID provider for
>>>>> the auth I am really after. Any help is greatly appreciated!
>>>>>
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Ryan H.
>>>>>
>>>>
>>>>
>>>
>>
>
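As an added illustration of the check behind the "State parameter is different from the one sent in authentication request" error quoted in the thread (example code written for this page, not Knox's or pac4j's own implementation), this models the OIDC state round trip: a random state is minted at login and bound to the browser session, and the callback is rejected when the session presented with it is missing, is a different session, holds a different value, or has already consumed the state. The in-memory SESSIONS store, the idp.example endpoint and the function names are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store: session-cookie value -> per-session data.
# Stands in for the servlet session that pac4j keeps the OIDC state in (assumption).
SESSIONS: Dict[str, Dict[str, str]] = {}
IDP_AUTHORIZE = "https://idp.example/authorize"  # placeholder provider endpoint


class StateMismatch(Exception):
    """Raised when the callback's state is not the one bound to the caller's session."""


def new_session() -> str:
    """Issue a fresh session id, as setting a session cookie would."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {}
    return sid


def begin_login(session_id: str, callback_url: str) -> str:
    """Mint a random state, bind it to the session, and build the authorization redirect."""
    state = secrets.token_urlsafe(24)
    SESSIONS[session_id]["oidc_state"] = state
    return f"{IDP_AUTHORIZE}?response_type=code&redirect_uri={callback_url}&state={state}"


def state_from_redirect(url: str) -> str:
    """Pull the state out of the redirect URL; the IdP echoes it back on the callback."""
    return url.rsplit("state=", 1)[1]


def handle_callback(session_id: Optional[str], returned_state: str) -> str:
    """Validate the callback: the session sent with it must exist and hold the state minted
    at login. The stored state is consumed on first use, so a replay fails too. A callback
    that arrives without the original session cookie fails in exactly the same way."""
    session = SESSIONS.get(session_id) if session_id else None
    expected = session.pop("oidc_state", None) if session is not None else None
    if expected is None or not hmac.compare_digest(expected, returned_state):
        raise StateMismatch("State parameter is different from the one sent in authentication "
                            "request. Session expired or possible threat of cross-site request forgery")
    return "authenticated"


def callback_outcome(session_id: Optional[str], returned_state: str) -> str:
    """Verdict string instead of an exception, for callers that only need the decision."""
    try:
        return handle_callback(session_id, returned_state)
    except StateMismatch:
        return "rejected"
```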
