[GitHub] zeppelin issue #2373: [ZEPPELIN-2598] Securing Zeppelin with OpenID Connect

Wed, 31 May 2017 23:28:54 -0700 

Github user khalidhuseynov commented on the issue:

    https://github.com/apache/zeppelin/pull/2373
  
    i've just tried to login using the config info from online demo for 
oidc-client in https://demo.c2id.com/oidc-client using modified config below
    ```
    oidcConfig = org.pac4j.oidc.config.OidcConfiguration
    oidcConfig.discoveryURI = https://demo.c2id.com/oidc-client/cb
    oidcConfig.clientId = 000123
    oidcConfig.secret = 7wKJNYFaKKg4FxUdi8_R75GGYsiWezvAbcdN1uSumE4
    oidcConfig.clientAuthenticationMethodAsString = client_secret_basic
    oidcClient = org.pac4j.oidc.client.OidcClient
    oidcClient.configuration = $oidcConfig
    clients = org.pac4j.core.client.Clients
    clients.callbackUrl = http://localhost:8080/api/callback
    clients.clients = $oidcClient
    requireRoleAdmin = 
org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer
    #requireRoleAdmin.elements = <your role>
    config = org.pac4j.core.config.Config
    config.clients = $clients
    #config.authorizers = admin:$requireRoleAdmin
    pac4jRealm = io.buji.pac4j.realm.Pac4jRealm
    pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
    securityManager.subjectFactory = $pac4jSubjectFactory
    oidcSecurityFilter = io.buji.pac4j.filter.SecurityFilter
    oidcSecurityFilter.config = $config
    oidcSecurityFilter.clients = oidcClient
    callbackFilter = io.buji.pac4j.filter.CallbackFilter
    callbackFilter.defaultUrl = http://localhost:8080
    callbackFilter.config = $config
    securityManager.realms = $pac4jRealm
    
    ...
    
    /api/callback = callbackFilter
    #/** = anon
    /** = authc
    ```
    but getting exception
    ```
    ERROR [2017-06-01 14:49:39,711] ({qtp764577347-20} 
LoginRestApi.java[postLogin]:111) - Exception in login: 
    org.apache.shiro.authc.pam.UnsupportedTokenException: Realm 
[io.buji.pac4j.realm.Pac4jRealm@734cf9ff] does not support authentication token 
[org.apache.shiro.authc.UsernamePasswordToken - alice, rememberMe=false].  
Please ensure that the appropriate Realm implementation is configured correctly 
or that the realm accepts AuthenticationTokens of this type.
        at 
org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:178)
        at 
org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
        at 
org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        at 
org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at 
org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at 
org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.apache.zeppelin.rest.LoginRestApi.postLogin(LoginRestApi.java:80)
    ```
    please let me know if you can see any apparent misconfiguration 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

Reply via email to