I have 3 hosts where I'm trying to set up shibboleth and nuxeo; -dev, -stg, and production.
It works on -dev and -stg, it does not work on production. On production, it looks like it is doing something similar to a report last October where nuxeo is not able to pick up the shibboleth information from the request and end up in an endless loop.
#DNS difference between -dev/-stg and production
nuxeo-dev.example.org and nuxeo-stg.example.org are DNS A records to the IP address of the VM.
nuxeo.example.org, my production VM, is a DNS CNAME to xyz-nuxeo-p01.example.edu. This is the only difference I can see between production and the other environments. Production is run by a different group, and getting them to change the DNS setup to match -dev/-stg is not an option.
#when it fails
If I turn up log4j.xml org.nuxeo.ecm.platform.ui.web.auth to TRACE; on production I see:
2013-10-14 20:25:50,610 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Entering Nuxeo Authentication Filter
2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Principal not found inside Request via getUserPrincipal
2013-10-14 20:25:50,611 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Try getting authentication from cache
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin SHIB_AUTH
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] Trying to retrieve userIdentification using plugin BASIC_AUTH
2013-10-14 20:25:50,612 DEBUG [ajp-bio-0.0.0.0-8009-exec-1] [org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter] user/password not found in request, try into identity cache
or
Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
Trying to retrieve userIdentification using plugin SHIB_AUTH
Trying to retrieve userIdentification using plugin BASIC_AUTHuser/password not found in request, try into identity cache
#when it works
When it works (tar'ing up the same exact files onto -dev or -stg) the TRACE logs show something like this:
Entering Nuxeo Authentication Filter
Principal not found inside Request via getUserPrincipal
Try getting authentication from cache
Trying to retrieve userIdentification using plugin SHIB_AUTH
[ShibbolethAuthenticationPlugin] Failed to get or create user entry
... java.lang.NullPointerException ...
User/Password found as parameter of the request
Exit Nuxeo Authentication filter
Entering Nuxeo Authentication FilterPrincipal not found inside Request via getUserPrincipal
Try getting authentication from cacheuserIdent found in cache, get the Principal from it without reloggin
Principal = Brian.T@example.org
Exit Nuxeo Authentication filter
Entering Nuxeo Authentication FilterPrincipal not found inside Request via getUserPrincipal
Try getting authentication from cacheuserIdent found in cache, get the Principal from it without reloggin
Principal = Brian.T@example.org
Exit Nuxeo Authentication filte
#what I've tried
- I've tried to edit the
server.xml for tomcat so that host=nuxeo.example.org
- I've tried to set nuxeo.url=http://nuxeo.example.org:8080/nuxeo
- I've tried to set
RequestHeader append nuxeo-virtual-host "https://myDomainName/" and turn ProxyPreserveHost On
- tested on 5.6, 5.7.2, and 5.7.3
#what next?
I'm not sure what to try next. Could the DNS issue be a red herring? What could account for this different behaviour?
