Hi,
I'm following the instructions to integrate a Grails app (which used Spring Security) with Crowd.
(https://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Spring+Security)
I've got authentication working fine (up to 3.1) But I can't get SSO to work. (3.2 in the linked doc).
I've not been abkle to follow the instructions exactly, as the config is slightly different in grails, but I think I have managed to get the crowd SSO filter running. When I go to my app I get the following:
2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG web.FilterChainProxy - /login/auth at position 6 of 9 in additional filter chain; firing Filter: 'CrowdSSOAuthenticationProcessingFilter' 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG util.CrowdHttpTokenHelperImpl - Checking for a SSO token that will need to be verified by Crowd. 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG util.CrowdHttpTokenHelperImpl - No request attribute token could be found, now checking the browser submitted cookies. 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG util.CrowdHttpTokenHelperImpl - Cookie name/value: JSESSIONID / 9A86DFCF77D280E9693A7AF2DD6E7619 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG util.CrowdHttpTokenHelperImpl - Cookie name/value: auth / Z3Vlc3Q6Z3Vlc3Q%3D 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG util.CrowdHttpTokenHelperImpl - Cookie name/value: m / 1933 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG util.CrowdHttpTokenHelperImpl - Unable to find a valid Crowd token. 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG web.FilterChainProxy - /login/auth at position 7 of 9 in additional filter chain; firing Filter: 'GrailsAnonymousAuthenticationFilter' 2014-04-24 10:02:52,064 [http-bio-8080-exec-7] DEBUG web.FilterChainProxy - /login/auth at position 8 of 9 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 2014-04-24 10:02:52,065 [http-bio-8080-exec-7] DEBUG web.FilterChainProxy - /login/auth at position 9 of 9 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 2014-04-24 10:02:52,068 [http-bio-8080-exec-7] DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /login/auth; Attributes: [permitAll]
I can't see anything in the Crowd logs. SSO is working between my other Atlassian applications.
Can anyone suggest what I should be looking at to get this working? Thanks!
Hi Tamsin, I believe the suggestions of this other question may help to troubleshoot this case.
Cheers
Hi - thanks for the response. I've made some progress. I think the problem was to do with the SSO domain - in the example above it was not looking through cookies under the correct domain.
On our staging server (which has the correct SSO domain), SSO is working one way - so if I am logged in to Confluence, I am logged in to the custom application. However, the login form on the application itself is not working at all now I have SSO enable! It definitely authenticates with crowd, because in the logs I can see that it has identified the correct roles for the user. But I just get redirected back to the login page.
I am trying to get SSO working locally so I can test more easily.
I've added the line
cookie.domain=my.sso.domain
|
to crowd.properties, but can't it doesn't seem to work.
I can see in the logs that the SSO filter is still looking at the cookies listed
under localhost, not under the sso domain I have set. Should it be possible to
set cookie.domain to get the SSO working for local testing?
Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I'm still having problems when the app is running on the staging server, so the SSO domain should be fine. Note that if I log into Confluence, SSO works, and i am logged into my app too. But the login form on my app is not working. In the logs it looks as if the login works but is not recognised by SSO.
I've pasted the logs from the authentication process here https://gist.github.com/anorakgirl/437a0fba01220db40f38
Would be really grateful for any suggestions. Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.