Unfortunately I haven't seen a ton of Shiro expertise on this list. Maybe someone will know the answer to your problem but my guess is that you are going to have to troubleshoot this by stripping out all that fancy complexity until you get a basic shiro.ini that works and then methodically add pieces back in until you see what is breaking. Once you know what is going on we would all appreciate your help adding to the documentation for using shiro with zeppelin.
Paul Brenner
DATA SCIENTIST

On Wed, May 03, 2017 at 8:36 AM Jaideep Singh <jaideep...@gmail.com> wrote:

Also attaching the screenshot for the 2 JSession ids which I got after redirection.

On Wed, May 3, 2017 at 5:18 PM, Jaideep Singh <jaideep...@gmail.com> wrote:

Hello,

I have used SAML based SSO authentication on the Zeppelin URL, which is on localhost:8080. I am able to load the Zeppelin page successfully if I disable the shiro.ini file. I have used SSO authentication with WSO2, configured in shiro.ini with the metadata for the IdP and SP provided there. But after redirection from the IdP to the Zeppelin / URL I am not able to load the page.

Following are the assumptions for the problem occurrence:

* Problem may be due to the websocket calls which are not initiating after redirection, but I can see it works if no authentication is applied.
* I am getting a JSessionid after redirection from the IdP. Is the Zeppelin server also providing a JSessionid which may cause conflicts?

Please help me to identify the problem. I am attaching the log file and shiro.ini. I have checked the log file; the error I am getting is:

17:01:05.402 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.e.jetty.servlet.ServletHandler - chain=org.apache.zeppelin.server.CorsFilter-5ae50ce6->ShiroFilter->org.eclipse.jetty.servlet.DefaultServlet-69b2283a@5b910f06==org.eclipse.jetty.servlet.DefaultServlet,-1,true
17:01:05.402 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.e.jetty.servlet.ServletHandler - call filter org.apache.zeppelin.server.CorsFilter-5ae50ce6
17:01:05.402 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.e.jetty.servlet.ServletHandler - call filter ShiroFilter
17:01:05.403 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.a.shiro.mgt.DefaultSecurityManager - Resolved SubjectContext context session is invalid. Ignoring and creating an anonymous (session-less) Subject instance.
org.apache.shiro.session.UnknownSessionException: There is no session with id [804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket]
    at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getSession(AbstractNativeSessionManager.java:100) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.mgt.SessionsSecurityManager.getSession(SessionsSecurityManager.java:125) ~[shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.mgt.DefaultSecurityManager.resolveContextSession(DefaultSecurityManager.java:456) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.mgt.DefaultSecurityManager.resolveSession(DefaultSecurityManager.java:442) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:338) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846) [shiro-core-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359) [shiro-web-1.2.3.jar:1.2.3]
    at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.3.jar:1.2.3]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.apache.zeppelin.server.CorsFilter.doFilter(CorsFilter.java:72) [classes/:na]
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) [jetty-security-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.Server.handle(Server.java:499) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544) [jetty-io-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.15.v20160210.jar:9.2.15.v20160210]
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.15.v20160210.jar:9.2.15.v20160210]
    at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]
17:01:05.404 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.a.s.s.mgt.DefaultSessionManager - Creating new EIS record for new session instance [org.apache.shiro.session.mgt.SimpleSession,id=null]
17:01:05.404 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.a.shiro.web.servlet.SimpleCookie - Added HttpServletResponse Cookie [JSESSIONID=1ba59f91-fe61-4153-b45d-4d1b4f813a05; Path=/; HttpOnly]
17:01:05.404 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.p.s.context.SAML2ContextProvider - Creating message storage by org.pac4j.saml.storage.EmptyStorageFactory
17:01:05.404 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.o.s.m.r.i.AbstractMetadataResolver - Metadata backing store does not contain any EntityDescriptors with the ID: zeppelin
17:01:05.404 [qtp1663619914-60 - /;JSESSIONID=804affc8-ea2c-40ad-9db8-0492c9f1f134/api/security/ticket] DEBUG o.o.s.m.support.SAML2MetadataSupport - Selecting default IndexedEndpoint

Thanks and Regards,
Jaideep Singh

On Tue, May 2, 2017 at 5:24 PM, Paul Brenner <pbren...@placeiq.com> wrote:

That is an impressively complex shiro.ini! 500 sounds like something isn't loading correctly. Have you looked at the logs in /car/log/zeppelin?

Paul Brenner

On Tue, May 02, 2017 at 1:51 AM Jaideep Singh <jaideep...@gmail.com> wrote:

+ us...@zeppelin.incubator.apache.org

On Mon, May 1, 2017 at 6:01 PM, Jaideep Singh <jaideep...@gmail.com> wrote:

Hello,

I am not able to load the Zeppelin page after redirection from the IdP. The page loads with error 500. I am using SAML based authentication for securing the Zeppelin home page URL. Please find the shiro.ini file as follows:

[main]
############################################################################
# PROVIDERS :
############################################################################
subjectFactory = io.buji.pac4j.ClientSubjectFactory
securityManager.subjectFactory = $subjectFactory

facebookClient = org.pac4j.oauth.client.FacebookClient
facebookClient.key = 145278422258960
facebookClient.secret = be21409ba8f39b5dae2a7de525484da8

twitterClient = org.pac4j.oauth.client.TwitterClient
twitterClient.key = CoxUiYwQOSFDReZYdjigBA
twitterClient.secret = 2kAzunH5Btc4gRSaMr7D7MkyoJ5u1VzbOOzE8rBofs

simpleAuthenticator = org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator

formClient = org.pac4j.http.client.indirect.FormClient
formClient.loginUrl = http://10.11.198.126:8083/loginForm.jsp
formClient.authenticator = $simpleAuthenticator

basicAuthClient = org.pac4j.http.client.indirect.IndirectBasicAuthClient
basicAuthClient.authenticator = $simpleAuthenticator

casClient = org.pac4j.cas.client.CasClient
casClient.casLoginUrl = https://casserverpac4j.herokuapp.com
#casClient.gateway=true

vkClient = org.pac4j.oauth.client.VkClient
vkClient.key = 4224582
vkClient.secret = nDc4IHTqu8ioFMkHKifq

saml2Config = org.pac4j.saml.client.SAML2ClientConfiguration
saml2Config.keystorePath = samlKeystore.jks
saml2Config.keystorePassword = pac4j-demo-passwd
saml2Config.privateKeyPassword = pac4j-demo-passwd
saml2Config.identityProviderMetadataPath = metadata-okta.xml
saml2Config.maximumAuthenticationLifetime = 3600
saml2Config.serviceProviderEntityId = zeppelin
saml2Config.serviceProviderMetadataPath = sp-metadata.xml

saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config

clients = org.pac4j.core.client.Clients
clients.callbackUrl = http://10.11.198.126:8083/callback
clients.clients = $facebookClient,$twitterClient,$formClient,$basicAuthClient,$casClient,$vkClient,$saml2Client

############################################################################
# REALM & FILTERS :
############################################################################
clientsRealm = io.buji.pac4j.ClientRealm
#clientsRealm = org.apache.zeppelin.realm.PamRealm
clientsRealm.defaultRoles = ROLE_USER
clientsRealm.clients = $clients

clientsFilter = io.buji.pac4j.ClientFilter
clientsFilter.clients = $clients
clientsFilter.failureUrl = /error500.jsp

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000

facebookRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
facebookRoles.client = $facebookClient
twitterRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
twitterRoles.client = $twitterClient
formRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
formRoles.client = $formClient
basicAuthRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
basicAuthRoles.client = $basicAuthClient
casRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
casRoles.client = $casClient
vkRoles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
vkRoles.client = $vkClient
saml2Roles = io.buji.pac4j.filter.ClientRolesAuthorizationFilter
saml2Roles.client = $saml2Client

[roles]
admin = *

[urls]
/facebook/** = facebookRoles[ROLE_USER]
/twitter/** = twitterRoles[ROLE_USER]
/form/** = formRoles[ROLE_USER]
/basicauth/** = basicAuthRoles[ROLE_USER]
/cas/** = casRoles[ROLE_USER]
/vk/** = vkRoles[ROLE_USER]
/saml/** = saml2Roles[ROLE_USER]
/callback = clientsFilter
/logout = logout
/** = saml2Roles[ROLE_USER]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]

I am attaching the video file for the error coming.

Thanks,
Jaideep Singh
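
Added example, not part of the thread and not Zeppelin or Shiro code: Shiro evaluates [urls] entries in the order they are defined and the first match wins, so in the shiro.ini above the /api/... entries listed after /** are never reached. The check below reports such shadowed entries; the function names are hypothetical, and it only analyses exact duplicates and literal-prefix `/**` patterns.

```python
def parse_urls(ini_text):
    """Return [(pattern, chain)] from the [urls] section, in file order."""
    rules, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
            continue
        if in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def covers(earlier, later):
    """True if every path matching `later` also matches `earlier`.
    Handles exact duplicates and literal-prefix '/**' patterns only."""
    if earlier == later:
        return True
    if not earlier.endswith("/**"):
        return False
    prefix = earlier[:-2]              # "/saml/**" -> "/saml/"
    if "*" in prefix or "?" in prefix:
        return False                   # other wildcards are not analysed here
    return later.startswith(prefix)

def shadowed_rules(ini_text):
    """Return [(pattern, chain, earlier_pattern)] for entries never reached."""
    rules, findings = parse_urls(ini_text), []
    for i, (pat, chain) in enumerate(rules):
        for earlier_pat, _ in rules[:i]:
            if covers(earlier_pat, pat):
                findings.append((pat, chain, earlier_pat))
                break                  # report the entry that wins
    return findings

# Excerpt of the [urls] section posted in the thread, same relative order.
SAMPLE = """\
[roles]
admin = *
[urls]
/saml/** = saml2Roles[ROLE_USER]
/callback = clientsFilter
/** = saml2Roles[ROLE_USER]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
"""

if __name__ == "__main__":
    for pat, chain, winner in shadowed_rules(SAMPLE):
        print(f"{pat} = {chain}  is shadowed by earlier entry {winner}")
```

Moving the catch-all `/**` entry to the end of [urls] makes the report empty for this excerpt.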