Re: Setting idp.home

Re: Setting idp.home

Frank Büttner
Hi all,
I must change the path where the web app is placed.
On the list I found this thread for it, but in the actual version of
it (3.4.6) it will not work. Or I am doing something wrong.

Tomcat 9 will read the context.xml
from conf/Catalina/localhost, but the idp app will still try to load its
configuration from /opt/shibboleth-idp.

Here is the boot log of my tc:
7-Feb-2020 09:21:36.229 INFORMATION [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
17-Feb-2020 09:21:36.229 INFORMATION [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
17-Feb-2020 09:21:36.249 INFORMATION [main] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying deployment descriptor [/etc/tomcat9/Catalina/localhost/idp.xml]
17-Feb-2020 09:21:40.863 INFORMATION [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
2020-02-17 09:21:41.313 [ERROR] : net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer: Unable to find '/conf/idp.properties' at well known locations '[/opt/shibboleth-idp]'
2020-02-17 09:21:41.317 [ERROR] : org.springframework.web.context.ContextLoader: Context initialization failed

Thanks
Frank

--
*Frank Büttner*
IT

MDC Berlin-Buch
Max-Delbrück-Centrum für Molekulare Medizin in der Helmholtz-Gemeinschaft
Robert-Rössle-Straße 10
13125 Berlin

☎ +49 30 9406 2038
℻ +49 30 9406 2599
[hidden email]


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


Re: Setting idp.home

Peter Schober
* Frank Büttner <[hidden email]> [2020-02-17 09:40]:
> I must change the path where the web app is placing in.
> On the list I found this thread for it, but in the actual version of
> it (3.4.6) it will not work. Or I do something wrong.
>
> Tomcat 9 will read the context.xml
> from conf/Catalina/localhost, but the idp app will still try to load it
> configuration from /opt/shibboleth-idp

Hard to say what's wrong when you don't show what you tried so far.

-peter

Re: [ext] Re: Setting idp.home

Frank Büttner
Hi Peter,
I simply created the XML file conf/Catalina/localhost/idp.xml with this
content:

<?xml version='1.0' encoding='utf-8'?>
<Context>
    <Parameter name="idp.home" value="/opt/shibboleth/idp" override="false"/>
</Context>

I also tried to add these lines to the web.xml:

<display-name>Shibboleth Identity Provider</display-name>
<context-param>
    <param-name>idp.home</param-name>
    <param-value>/opt/shibboleth/idp</param-value>
</context-param>

Then I rebuilt and deployed the war file.

But in both cases, my path is not used. :(

Frank

On 17.02.20 at 10:21, Peter Schober wrote:

> * Frank Büttner <[hidden email]> [2020-02-17 09:40]:
>> I must change the path where the web app is placing in.
>> On the list I found this thread for it, but in the actual version of
>> it (3.4.6) it will not work. Or I do something wrong.
>>
>> Tomcat 9 will read the context.xml
>> from conf/Catalina/localhost, but the idp app will still try to load it
>> configuration from /opt/shibboleth-idp
>
> Hard to say what's wrong when you don't show what you tried so far.
>
> -peter
>

Re: Setting idp.home

Cantor, Scott E.
In reply to this post by Frank Büttner
The only way I know of to set it is with a -D system variable on the Java command line. If anything else works, then it's by accident.

-- Scott



Re: Setting idp.home

Peter Schober
* Cantor, Scott <[hidden email]> [2020-02-17 14:00]:
> The only way I know of to set it is with a -D system variable on the
> Java command line. If anything else works, then it's by accident.

At least in the thread mentioned by the OP Brent had this to offer:
http://shibboleth.net/pipermail/users/2016-July/030471.html
and Matthew S. provided these examples for (specific to his use-case
of running 2 IDP instances on the same server):
http://shibboleth.net/pipermail/users/2016-July/030507.html

Of course that was almost 4 years ago.

-peter

Re: Setting idp.home

Cantor, Scott E.
On 2/17/20, 8:10 AM, "users on behalf of Peter Schober" <[hidden email] on behalf of [hidden email]> wrote:

> At least in the thread mentioned by the OP Brent had this to offer:

That's not about idp.home, though. There are a lot of order and timing initialization issues that could be getting in the way if it's not set early enough. And when Tomcat is involved, all bets are off.

In any event, the OP is claiming -D doesn't work either in a Jira ticket, so my bet is on environmental, but I still have no idea whether setting it in web.xml works. I simply have never tried it.

-- Scott



Re: Setting idp.home

Peter Schober
* Cantor, Scott <[hidden email]> [2020-02-17 14:31]:
> > At least in the thread mentioned by the OP Brent had this to offer:
>
> That's not about idp.home, though.

Well, Brent suggested the method/syntax and Matthew S. (second
reference I provided in my previous email) used this successfully to
override idp.home.
But, again, Tomcat and mid 2016.
-peter

Re: [ext] Re: Setting idp.home

Frank Büttner
Hi all,
now it works.
The problem was that the overwritten idp.home directory was not
accessible for tomcat. But this was not logged. Only that
/opt/shibboleth-idp was tried.

Thanks to all
Frank

On 17.02.20 at 14:34, Peter Schober wrote:

> * Cantor, Scott <[hidden email]> [2020-02-17 14:31]:
>>> At least in the thread mentioned by the OP Brent had this to offer:
>>
>> That's not about idp.home, though.
>
> Well, Brent suggested the method/syntax and Matthew S. (second
> reference I provided in my previous email) used this successfully to
> override idp.home.
> But, again, Tomcat and mid 2016.
> -peter
>
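
The failure Frank describes in the message above (an idp.home override that the Tomcat account cannot access, while the error only names the default /opt/shibboleth-idp) can be ruled out before startup. The following check is an added example, not part of the original thread or of the Shibboleth project; the function name check_idp_home is hypothetical, and it assumes it is run under the same account as Tomcat.

```shell
#!/bin/sh
# Added example: confirm that the account running this script can reach an
# idp.home directory and read conf/idp.properties inside it.

# check_idp_home DIR: prints the first problem found and returns 1, else returns 0.
check_idp_home() {
    home=$1
    case $home in
        /*) ;;
        *) echo "idp.home must be an absolute path: $home"; return 1 ;;
    esac

    # Walk from / down to DIR. Every component needs search (x) permission,
    # otherwise nothing below it is reachable for this account.
    path=
    old_ifs=$IFS; IFS=/
    set -f; set -- $home; set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        if [ ! -d "$path" ]; then
            echo "missing or not a directory: $path"; return 1
        fi
        if [ ! -x "$path" ]; then
            echo "no search permission on: $path"; return 1
        fi
    done

    # The IdP error in this thread is about conf/idp.properties under idp.home.
    props="$home/conf/idp.properties"
    if [ ! -f "$props" ]; then
        echo "not found: $props"; return 1
    fi
    if [ ! -r "$props" ]; then
        echo "not readable: $props"; return 1
    fi
    return 0
}

# Stand-alone use: pass the idp.home value as the first argument.
if [ "$#" -gt 0 ]; then
    check_idp_home "$1"
fi
```

Saved under a name of your choice and run through sudo -u with the Tomcat service account (the account name depends on the distribution), it reports the first path component that account cannot traverse or read.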

Re: Setting idp.home

Simeon Maxein
In reply to this post by Peter Schober
It works for me on IdP 3.4.6 on tomcat 8.5.50, Ubuntu 18.04. In fact I'm
doing something slightly more exotic (and possibly frowned upon -
probably shouldn't do this unless you have good reasons): packaging the
part of my config that is not "per server" in the war file itself:

<Parameter name="idp.home" value="classpath:config" override="false" />

Using an absolute pathname in the format shown before works for me as
well. All other things being equal, it might be related to using Tomcat 9.

Simeon

On 17.02.20 at 14:34, Peter Schober wrote:
> * Cantor, Scott <[hidden email]> [2020-02-17 14:31]:
>>> At least in the thread mentioned by the OP Brent had this to offer:
>> That's not about idp.home, though.
> Well, Brent suggested the method/syntax and Matthew S. (second
> reference I provided in my previous email) used this successfully to
> override idp.home.
> But, again, Tomcat and mid 2016.
> -peter

--
Simeon Maxein
Software Developer

Chamaeleon Aktiengesellschaft
für innovative Netzlösungen
Robert-Bosch-Straße 12
56410 Montabaur

Commercial register: HRB 6685
Montabaur District Court
VAT ID: DE189988337

T: +49 (2602) 101 69-316
F: +49 (2602) 101 69-101
E: [hidden email]
I: https://www.chamaeleon.de/

Management board: Stefan Kux, Olaf Pohling
Chairman of the supervisory board: Reimer Steenbock


Re: Setting idp.home

Cantor, Scott E.
On 2/17/20, 9:30 AM, "users on behalf of Simeon Maxein" <[hidden email] on behalf of [hidden email]> wrote:

> It works for me on IdP 3.4.6 on tomcat 8.5.50, Ubuntu 18.04. In fact I'm
> doing something slightly more exotic (and possibly frowned upon -
> probably shouldn't do this unless you have good reasons): packaging the
> part of my config that is not "per server" in the war file itself:
>
> <Parameter name="idp.home" value="classpath:config" override="false" />

It's not frowned upon, just not totally reliable because there are too many Spring-isms that can get in the way of it working. It may work, even mostly work, we just don't test it that way. The architecture was designed to try and allow it in the longer term.

Trying to move system configurations into the jars is a similar thing, but Spring Web Flow makes that much harder than it should be because they botched a lot of the lower level Spring behavior and locked it down too much with bad assumptions. We managed it (seemingly) with the V4 OIDC plugin but I don't know how well we'll pull off moving the core files in for V5.

-- Scott

