-
Notifications
You must be signed in to change notification settings - Fork 10
Development testing of MSKCC SAML authentication (like private beta)
This assumes you are deploying to your own Tomcat application, not just deploying to private-beta. If you are, that is simpler. Testing notes apply to any MSK SAML instance, your own, private-beta, or mskcc.
1) You will need the following files:
http://data.cbioportal.mskcc.org/hg/portal-configuration/file/tip/spring-security/
- MSKCCPortalUserDetailsService.java
- MSKCCRestfulAuthenticationSuccessHandler.java
- MSKController.java
http://data.cbioportal.mskcc.org/hg/portal-configuration/file/tip/properties/private-beta/
- applicationContext-security.xml
- mskcc-saml-metadata.xml (this is a copy of https://testaccess2.mskcc.org/nidp/saml2/metadata)
- samlKeystore.jks
- postLoadForMskCIS.js
SAML configuration from here: http://data.cbioportal.mskcc.org/hg/portal-configuration/file/tip/properties/private-beta/portal.properties
Build guide from here: http://data.cbioportal.mskcc.org/hg/portal-configuration/file/tip/buildwars/buildbetawars.sh
2 ) Modify applicationContext-security.xml
2) Make sure your portal.properties file is configured for SAML (using example above)
Your file should differ from the above in the following way only (note mine ends in -MSK-SAML-MANDA.xml but I will rename when I copy it):
diff -b applicationContext-security-MSK-SAML-MANDA.xml ../portal-configuration/properties/private-beta/applicationContext-security.xml
296c297
< <b:property name="entityBaseURL" value="http://dashi-dev.cbio.mskcc.org:8080/manda-tmp/"/>
---
> <b:property name="entityBaseURL" value="https://cbioportal.mskcc.org:443/beta"/>
345,347c346,348
< <b:property name="scheme" value="http"/>
< <b:property name="serverName" value="dashi-dev.cbio.mskcc.org"/>
< <b:property name="serverPort" value="8080"/>
---
> <b:property name="scheme" value="https"/>
> <b:property name="serverName" value="cbioportal.mskcc.org"/>
> <b:property name="serverPort" value="443"/>
349c350
< <b:property name="contextPath" value="/manda-tmp/"/>
---
> <b:property name="contextPath" value="/beta”/>
Make sure the entity id defined in: saml.sp.metadata.entityid=ENTITY_ID
Matches "<b:property name="entityId" value="ENTITY_ID”/>” from applicationContext-security.xml (e.g. "cmobeta:cbioportal”).
The server we authenticate against (in development/private-beta we use https://testaccess2.mskcc.org/) has a copy of this file:
http://dashi-dev.cbio.mskcc.org:8080/[PORTAL_INSTANCE]/saml/metadata/
And so has an expectation about what the ENTITY_ID is.
3) Make sure your build script is correct (again using example build file above):
Currently the process is, but you might want to modify it if you are using different properties files.
# private
cp $PORTAL_CONFIG_HOME/properties/private-beta/*.properties $PORTAL_HOME/src/main/resources/
cp $PORTAL_CONFIG_HOME/properties/private-beta/samlKeystore.jks $PORTAL_HOME/security/security-spring/src/main/resources/
cp $PORTAL_CONFIG_HOME/properties/private-beta/applicationContext-security.xml $PORTAL_HOME/security/security-spring/src/main/resources/
cp $PORTAL_CONFIG_HOME/properties/private-beta/mskcc-saml-metadata.xml $PORTAL_HOME/security/security-spring/src/main/resources/
cp $PORTAL_CONFIG_HOME/spring-security/MSKController.java $PORTAL_HOME/web/src/main/java/org/mskcc/cbio/portal/web
cp $PORTAL_CONFIG_HOME/spring-security/MSKCCPortalUserDetailsService.java $PORTAL_HOME/security/security-spring/src/main/java/org/cbioportal/security/spring/authentication/saml/
cp $PORTAL_CONFIG_HOME/spring-security/MSKCCRestfulAuthenticationSuccessHandler.java $PORTAL_HOME/security/security-spring/src/main/java/org/cbioportal/security/spring/authentication/saml/
cat $PORTAL_CONFIG_HOME/properties/private-beta/postLoadForMskCIS.js >> $PORTAL_HOME/portal/src/main/webapp/WEB-INF/jsp/global/header_bar.jsp
4) Build.
5) Test:
Testing MSK CIS login backdoor into portal (no login by user):
http://data.cbioportal.mskcc.org/hg/portal-configuration/file/tip/properties/private-beta/applicationContext-security.xml
Has username and password:
<user-service>
<user name=“XXX" password=“XXX" authorities="mskcc-portal:PUBLIC,mskcc-portal:EXTENDED,mskcc-portal:MSKPUB"/>
</user-service>
has the http://cbioportal-data.mskcc.org:38080/repos/hg/portal-configuration/file/ee5cd1cd72f7/spring-security
wget --keep-session-cookies --save-cookies cookies.txt "https://cbioportal.mskcc.org/j_spring_security_check?j_username=XX&j_password=XX"
wget --load-cookies cookies.txt "https://cbioportal.mskcc.org/case.do?cancer_study_id=mskimpact&case_id=P-0003900"
wget --load-cookies cookies.txt "https://cbioportal.mskcc.org/j_spring_security_logout/“
Note we can no longer test the above with wget, we MUST test in the browser because the react code is the same for authenticated vs not authenticated users. You could use wget to test the API instead.
Testing CIS/Darwin/CRDB endpoints:
In production, requests from Darwin differ from requests from CIS. When a CIS user clicks on a cBioPortal link, CIS authenticates users via a backdoor and then renders the returned html/javascript inside its own web-enabled control. When a Darwin user clicks on a cBioPortal link, Darwin being a web application, simply opens a new browser tab and lets the browser handle the request/response. What this means is that during testing we need to ensure that requests through /api-legacy are properly redirected to the cBioPortal login page before the tester has created a session.
https://HOST:PORT/INSTANCE/api-legacy/darwin/P-0000500-T01-IM3/exists
https://HOST:PORT/INSTANCE/api-legacy/cis/P-0000500-T01-IM3/exists
https://HOST:PORT/INSTANCE/api-legacy/crdb/P-0000500-T01-IM3/exists
The service returns a simple JSON:
{
exists: true
}
NOTE: Ben manually changed the DEV mskcc-saml-metadata.xml (https://testaccess2.mskcc.org/nidp/saml2/metadata) and PROD mskcc-saml-metadata.xml (https://cbiologin.mskcc.org/nidp/saml2/metadata), but we don’t have to worry about that unless we have to download new files from the authentication server.
DEV:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cbiologin.mskcc.org/nidp/saml2/sso"/>
Changed to:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://testaccess2.mskcc.org/nidp/saml2/idpsend?id=cbioportalbeta"/>
PROD:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cbiologin.mskcc.org/nidp/saml2/sso”/>
Changed to:
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cbiologin.mskcc.org/nidp/saml2/idpsend?id=cbioportal"/>