
SAML login fails in Tomcat9 with CSRF Error


    Details

    • Type: Bug
    • Status: Verified
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 19.0, 20.0 [Tentative]
    • Fix Version/s: 19.1, 20.0 [Tentative]
    • Component/s: Login
    • Labels:
      None
    • Environment:
      19.x with SAML configuration running on Tomcat9 and JDK1.8.0_191
    • 19 status:
      Resolved
    • Test Plan:
      Testing requires configuring SAML, which is not currently available on the nightlies.

      Description

      Tomcat9 added CSRF protection. This causes SAML login to fail with a 403 message. The fix that worked for me was adding the following line to the SAML configuration to disable CSRF.

      <!-- Secured pages with SAML as entry point -->
      <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
          <!-- The line the fix adds: turns off Spring Security's CSRF check for every URL this chain matches (/**) -->
          <security:csrf disabled="true"/>
          <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
          <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
          <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
      </security:http>
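      The `<security:csrf>` element above controls Spring Security's CsrfFilter, and `disabled="true"` switches it off for every URL in this chain, i.e. `/**`. The only requests that genuinely cannot carry a CSRF token are the cross-site POSTs the IdP sends to the SAML endpoints (the assertion consumer and single-logout services). The following is an added example, not code from the ticket or from the Sakai code base, showing the narrower fix: keep the filter on and exempt only the SAML paths. It assumes the SAML extension's endpoints are mounted under `/saml/` (its default filter chain), Spring Security 4.0 or later (where `CsrfFilter.DEFAULT_CSRF_MATCHER` is public), and that `samlEntryPoint`, `metadataGeneratorFilter` and `samlFilter` are defined elsewhere in the same context, as they are in the ticket's configuration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from SAK-41315 or the Sakai code base.
     Keeps Spring Security's CsrfFilter enabled but exempts the SAML
     endpoints, which receive cross-site POSTs from the IdP that can
     never carry a CSRF token.
     Assumptions: SAML endpoints live under /saml/ (the extension's
     default chain); Spring Security 4.0+ so that
     CsrfFilter.DEFAULT_CSRF_MATCHER is a public constant; the
     samlEntryPoint, metadataGeneratorFilter and samlFilter beans
     are defined elsewhere in this context. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- A request needs a CSRF token when BOTH hold:
         1. the default rule applies (any method other than GET, HEAD,
            TRACE, OPTIONS), and
         2. the path is NOT one of the SAML endpoints. -->
    <bean id="csrfRequestMatcher"
          class="org.springframework.security.web.util.matcher.AndRequestMatcher">
        <constructor-arg>
            <list>
                <!-- 1. Spring Security's built-in "state-changing method" rule -->
                <util:constant
                    static-field="org.springframework.security.web.csrf.CsrfFilter.DEFAULT_CSRF_MATCHER"/>
                <!-- 2. NOT /saml/** (assumed mount point of the SAML extension) -->
                <bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                    <constructor-arg>
                        <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                            <constructor-arg value="/saml/**"/>
                        </bean>
                    </constructor-arg>
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <!-- Same chain as the ticket's fix, but CSRF protection stays on
         everywhere except the SAML endpoints. -->
    <security:http entry-point-ref="samlEntryPoint" use-expressions="false">
        <security:csrf request-matcher-ref="csrfRequestMatcher"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>
</beans>
```

      To check the result after a restart: the IdP's SAMLResponse POST to `/saml/SSO` must complete the login without a 403, while a POST to any other path in this chain that carries no CSRF token must still be rejected with 403. With the ticket's `disabled="true"` the second check is removed for the whole application.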

              People

              • Assignee: Earle R Nietzel (ern)
              • Reporter: Kenneth Aragon (karagon)
              • Votes: 0
              • Watchers: 1
