Is Consent fail through possible.


Is Consent fail through possible.

Shibboleth - Users mailing list
Hi List,

I’ve come across an issue in the consent approval process whereby, if the IdP (4.0.1) is not able to connect to the storage service, the login process fails with the error [1] appearing in the browser and [2] in idp-process.log. The inability to connect to the database is caused by a network misconfiguration.

Is it possible to have this process fail open and not require consent, thus allowing the login to continue? Our current configuration is shown in [3] and [4].

Regards
Gary

[1] Browser error message
Gateway to Charles Sturt University - Invalid Event
The underlying software encountered an event to which it was not programmed to respond.
Please report this problem to your Help Desk or administrative staff. It has also been logged for an administrator to review.

[2] idp-process.log

2020-12-17 08:57:03,147 - 10.9.245.115 - WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper:137] - SQL Error: 17002, SQLState: 08006
2020-12-17 08:57:03,148 - 10.9.245.115 - ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper:142] - IO Error: The Network Adapter could not establish the connection
2020-12-17 08:57:03,149 - 10.9.245.115 - ERROR [org.opensaml.storage.impl.JPAStorageService:470] - Error deleting record 'user1:entityID' in context 'intercept/attribute-release'
org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC Connection
        at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
Caused by: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:743)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
        at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:470)
Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable)
        at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
2020-12-17 08:57:03,150 - 10.9.245.115 - ERROR [net.shibboleth.idp.consent.flow.storage.impl.RevokeConsent:80] - Profile Action RevokeConsent: Unable to delete consent storage record with context 'intercept/attribute-release' and key 'user1:entityID'
java.io.IOException: org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC Connection
        at org.opensaml.storage.impl.JPAStorageService.deleteImpl(JPAStorageService.java:472)
Caused by: org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC Connection
        at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
Caused by: java.sql.SQLRecoverableException: IO Error: The Network Adapter could not establish the connection
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:743)
Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
        at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:470)
Caused by: java.net.NoRouteToHostException: No route to host (Host unreachable)
        at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
2020-12-17 08:57:03,152 - 10.9.245.115 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidEvent



[3] csu.properties

csu.consent.db.url = jdbc:oracle:thin:@(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)\
    (DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)\
    (HOST=prodserver)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=consentDB)))\
    (DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)\
    (HOST=prodDRserver)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=consentDB))))

[4] global.xml

<bean id="shibboleth.JPAStorageService.JPAVendorAdapter"
      class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
    <property name="database" value="ORACLE"/>
</bean>
<bean id="shibboleth.JPAStorageService.DataSource"
      class="org.apache.tomcat.jdbc.pool.DataSource"
      p:driverClassName="oracle.jdbc.OracleDriver"
      p:url="%{csu.consent.db.url}"
      p:username="%{csu.consent.db.username}"
      p:password="%{csu.consent.db.password}"
      p:testOnReturn="true"
      p:removeAbandoned="true"
      p:removeAbandonedTimeout="600"
      p:logAbandoned="true"
      p:maxActive="256"
      p:maxIdle="4"
      p:maxAge="300000"
      p:validationInterval="5000"
      p:validationQuery="select 1 from dual"/>


Gary Lipscomb
Technical Officer, Systems(Infrastructure) | Infrastructure & Client Services | Division of Information Technology
Charles Sturt University
Panorama Avenue
Bathurst NSW 2795
Tel: +61 2 6338 6533
Email: [hidden email] |www.csu.edu.au
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
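Added example (not code from the post or from the Shibboleth project): a small Python detector that reads idp-process.log lines in the layout shown in [2] and reports logins that ended in InvalidEvent after a consent storage error for the same client, so an unreachable consent database is alerted on from the logs instead of being discovered through user reports. The logger names come from the posted trace; the sample lines are constructed (a condensed copy of [2] plus one unrelated client).

```python
import re
from collections import defaultdict

# idp-process.log line layout as shown in the post:
#   "<timestamp> - <client ip> - <LEVEL> [<logger>:<line>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<ip>\S+) - "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^:\]]+):\d+\] - (?P<msg>.*)$"
)
# Loggers that reported the consent storage failure in the posted trace.
STORAGE_LOGGERS = {"org.opensaml.storage.impl.JPAStorageService",
                   "net.shibboleth.idp.consent.flow.storage.impl.RevokeConsent"}

def parse(line):
    """Fields of one log line, or None for stack-trace continuation lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_consent_storage_outages(lines):
    """One finding per client whose storage ERROR(s) were followed by an
    InvalidEvent, i.e. a login that failed closed because the consent
    database was unreachable rather than because of anything the user did."""
    pending = defaultdict(list)      # client ip -> timestamps of storage errors
    findings = []
    for rec in filter(None, map(parse, lines)):
        ip = rec["ip"]
        if rec["level"] == "ERROR" and rec["logger"] in STORAGE_LOGGERS:
            pending[ip].append(rec["ts"])
        elif "InvalidEvent" in rec["msg"] and pending[ip]:
            findings.append({"ip": ip, "first_error": pending[ip][0],
                             "failed_at": rec["ts"], "errors": len(pending[ip])})
            pending[ip].clear()
    return findings

# Constructed sample: the post's trace for 10.9.245.115 (condensed), plus an
# InvalidEvent for a second client that has no storage error and must not match.
SAMPLE_LOG = """\
2020-12-17 08:57:03,147 - 10.9.245.115 - WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper:137] - SQL Error: 17002, SQLState: 08006
2020-12-17 08:57:03,149 - 10.9.245.115 - ERROR [org.opensaml.storage.impl.JPAStorageService:470] - Error deleting record 'user1:entityID' in context 'intercept/attribute-release'
org.hibernate.exception.JDBCConnectionException: Unable to acquire JDBC Connection
        at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:112)
2020-12-17 08:57:03,150 - 10.9.245.115 - ERROR [net.shibboleth.idp.consent.flow.storage.impl.RevokeConsent:80] - Profile Action RevokeConsent: Unable to delete consent storage record with context 'intercept/attribute-release' and key 'user1:entityID'
2020-12-17 08:57:03,152 - 10.9.245.115 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidEvent
2020-12-17 08:58:10,001 - 10.9.245.116 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: InvalidEvent
""".splitlines()

if __name__ == "__main__":
    for f in find_consent_storage_outages(SAMPLE_LOG):
        print(f"{f['ip']}: {f['errors']} storage error(s) from {f['first_error']}, "
              f"login failed closed at {f['failed_at']}")
```

Point the script at a real idp-process.log by replacing SAMPLE_LOG with the file's lines; an InvalidEvent with no preceding storage error is left alone, since that case is a different problem.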

Re: Is Consent fail through possible.

Cantor, Scott E.
On 12/16/20, 6:22 PM, "users on behalf of Lipscomb, Gary via users" <[hidden email] on behalf of [hidden email]> wrote:

>    I’ve come across an issue in the consent approval process whereby if the IdP (4.0.1) is not able to connect to the storage
> service then the login process fails with the error [1] appearing in the browser and [2] idp-process.log. The inability to
> connect to the database is caused by a network misconfiguration.

That's a bug: the InvalidEvent result means it's not programmed correctly to handle whatever event is being signaled when it fails. Regardless of whether it could ever be allowed to fail open or closed, it can't do anything like this until the flow is fixed to account for the error.

That message is like an NPE; it's always a bug unless somebody were manipulating the system from outside to artificially get it to signal an unknown condition. That's "safe" but should never happen without malicious intent.

-- Scott
