Jetty servlet location /login/ - 404 not found with shibboleth authentication

Vinc · March 6, 2020, 7:20am

Dear community,

we want to implement shibboleth authentication using apache as the webserver.
The shibboleth part is working, the client gets authenticated by the IDP.

When I get redirected to
/login/?machineUID=1ac27ccdf7d7c1b98414b977a72bcc70&room=malevolentdolphinsterminateimpolitely@conference.{mydomain}&close=false
I get a 404 not found page from Jetty.

Apache config should be fine since shibboleth is working and apache gets a response from the proxied Jetty.

Could you please help troubleshoot this? I will provide the necessary logs.

Vinc · March 6, 2020, 10:53am

Turned FINE logging on and jicofo.log shows this:

Jicofo 2020-03-06 11:42:26.018 FINE: [26] org.eclipse.jetty.server.Server.handle() REQUEST GET /login/ on HttpChannelOverHttp@1c7141dd{r=1,c=false,c=false/false,a=DISPATCHED,uri=//{ourdomain}/login/?machineUID=1ac27ccdf7d7c1b98414b977a72bcc70&room=nervousgorillasfragmenthysterically@conference.{ourdomain}&close=false,age=7}
Jicofo 2020-03-06 11:42:26.018 FINE: [26] org.eclipse.jetty.server.handler.ContextHandler.doScope() scope null||/login/ @ o.e.j.s.ServletContextHandler@70de6594{/,null,AVAILABLE}
Jicofo 2020-03-06 11:42:26.019 FINE: [26] org.eclipse.jetty.server.handler.ContextHandler.doScope() context=||/login/ @ o.e.j.s.ServletContextHandler@70de6594{/,null,AVAILABLE}
Jicofo 2020-03-06 11:42:26.019 FINE: [26] org.eclipse.jetty.servlet.ServletHandler.doScope() servlet ||/login/ -> org.glassfish.jersey.servlet.ServletContainer-5e6a026@15842c8b==org.glassfish.jersey.servlet.ServletContainer,jsp=null,order=-1,inst=true,async=true
Jicofo 2020-03-06 11:42:26.020 FINE: [26] org.eclipse.jetty.servlet.ServletHandler.doHandle() chain=null
Jicofo 2020-03-06 11:42:26.055 FINE: [26] org.glassfish.jersey.server.ServerRuntime$Responder.mapException() WebApplicationException (WAE) with no entity thrown and no ExceptionMappers have been found for this WAE. Response with status 404 is directly generated from the WAE.
javax.ws.rs.NotFoundException: HTTP 404 Not Found
at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:250)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:232)
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680)
at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:392)
at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:365)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:318)
at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.lang.Thread.run(Thread.java:748)
Jicofo 2020-03-06 11:42:26.064 FINE: [26] org.eclipse.jetty.server.HttpChannel.sendResponse() sendResponse info=null content=DirectByteBuffer@6cc7b8f6[p=0,l=323,c=32768,r=323]={<<<\n\n<me…/body>\n\n>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00…\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00} complete=true committing=true callback=Blocker@13c209db{null}
Jicofo 2020-03-06 11:42:26.064 FINE: [26] org.eclipse.jetty.server.HttpChannel.commit() COMMIT for /login/ on HttpChannelOverHttp@1c7141dd{r=1,c=true,c=false/false,a=DISPATCHED,uri=//meet.{ourdomain}/login/?machineUID=1ac27ccdf7d7c1b98414b977a72bcc70&room=nervousgorillasfragmenthysterically@conference.meet.{ourdomain}&close=false,age=53}
404 Not Found HTTP/1.1

jcfischer · March 6, 2020, 3:33pm

No help from our side, but we are experiencing exactly the same. I have used the stable version (Jicoco 508) and based on this https://github.com/jitsi/jicofo/issues/404 issue, we upgraded to nightly (524). The error persists (and the redirect URL seems to be mangled with some commented out stuff).

I am now trying to downgrade to an older version of all packages from here: https://download.jitsi.org/jitsi/debian/ (the 2019-08-22 releases)

I will keep you posted

jcfischer · March 6, 2020, 3:50pm

Downgrading worked, but now I’m stuck with

Problem accessing /login/. Reason:

    Attribute 'mail' not provided - check server configuration

jcfischer · March 6, 2020, 4:05pm

and that was fixed by adding shib_request_use_headers on; in the location /login block in the nginx conf

Vinc · March 9, 2020, 8:26am

Dear Jens,

many thanks for your comments I will try downgrading as well.

Vinc · March 10, 2020, 7:50am

I can confirm that downgrading to 2019-08 debian packages worked.

Here is the apache config for shibboleth in case someone is looking for it.
<Location /login>
AuthType shibboleth
ShibRequestSetting requireSession true
ShibUseHeaders On
Require valid-user
SetHandler shib
ProxyPass http://localhost:8888/login
ProxyPassReverse http://localhost:8888/login

elacour · March 20, 2020, 2:42pm

Hi, I’m also facing a 404 after going back to /login. What do you mean by dowangrade to 2019-08. Which version exactly? (I have latest: 1.0-508-1)

elacour · March 20, 2020, 2:46pm

I see, using https://download.jitsi.org/jitsi/debian/, it means:

apt install jicofo=1.0-481-1 jitsi-meet=1.0.3936-1 jitsi-videobridge=1124-1 jitsi-meet-web=1.0.3577-1 jitsi-meet-web-config=1.0.3577-1 jitsi-meet-prosody=1.0.3577-1

elacour · March 20, 2020, 2:47pm

I confirm 404 fixed with downgrade, I now have missing mail attribute, will look deeped in my SP configuration …

jcfischer · March 20, 2020, 3:00pm

We needed to add shib_request_use_headers on; in the nginx config.

In the meantime we are on nightly in order to have MUC enabled scalable videobridges (Perfomance is currently more important than authentication)

/jc

Ian_Beardslee · March 22, 2020, 1:55am

Oh gawd, I wish I had found this post on Thursday afternoon. After the downgrade (on Sunday afternoon) it seems to be working again.

Thanks for the downgrade tip!

localguru · March 24, 2020, 5:37pm

Hi,

not sure, if this is the same problem, but I get a 404 on /login after authenticated by our Shibboleth IDP too.

My nginx config:

server {
    listen 443 ssl;
    server_name testdomain.com;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers  .....

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /etc/nginx/ssl/testdomain_com.crt;
    ssl_certificate_key /etc/nginx/ssl/testdomain_com.key;

    root /usr/share/jitsi-meet;
    ssi on;
    index index.html index.htm;
    error_page 404 /static/404.html;

    location = /config.js {
        alias /etc/jitsi/meet/testdomain.com-config.js;
    }

    location = /external_api.js {
        alias /usr/share/jitsi-meet/libs/external_api.min.js;
    }

    #ensure all static content can always be found first
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$
    {
        add_header 'Access-Control-Allow-Origin' '*';
        alias /usr/share/jitsi-meet/$1/$2;
    }

    # BOSH
    location = /http-bind {
        proxy_pass      http://localhost:5280/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }


    location ~ ^/([^/?&:'"]+)$ {
        try_files $uri @root_path;
    }

    location @root_path {
        rewrite ^/(.*)$ / break;
    }


    # Shibboleth

    location = /shibauthorizer {
      internal;
      include fastcgi_params;
      fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
    }

    location /Shibboleth.sso {
      include fastcgi_params;
      fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
    }

    location /shibboleth-sp {
      alias /usr/share/shibboleth/;
    }

    # Login location where Jicofo servlet is running

    location /login {
      shib_request_use_headers on;
      more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
      more_clear_input_headers 'displayName' 'mail' 'persistent-id';
      shib_request /shibauthorizer;
      proxy_pass http://127.0.0.1:8888;
    }
}

system is ubuntu 18.04 LTS:

ii  jitsi-meet                            1.0.4101-1                                      all          WebRTC JavaScript video conferences
ii  jitsi-meet-prosody                    1.0.3729-1                                      all          Prosody configuration for Jitsi Meet
ii  jitsi-meet-web                        1.0.3729-1                                      all          WebRTC JavaScript video conferences
ii  jitsi-meet-web-config                 1.0.3729-1                                      all          Configuration for web serving of Jitsi Meet
ii  jitsi-videobridge                     1126-1                                          amd64        WebRTC compatible Selective Forwarding Unit (SFU)
ii  nginx                                 1.16.1-1~bionic                                 amd64        high performance web server
ii  nginx-module-headersmore              1.16.1-1~bionic                                 amd64        nginx headersmore dynamic module
ii  nginx-module-shibboleth               1.16.1-1~bionic                                 amd64        nginx shibboleth dynamic module

Setting shib_request_use_headers on; didn’t help in my case.

Any ideas?

Thanks
Marcus

jcfischer · March 24, 2020, 7:42pm

looks like it is the same problem. I created https://github.com/jitsi/jicofo/issues/441 to track it

/jc

localguru · March 24, 2020, 9:00pm

I downgraded only jicofo deb package to version 1.0-481-1, not the other jitsi debian packages like jitsi-meet, jitsi-meet-prosody, jitsi-meet-web*, jitsi-videobridge. Would that be stable or do I have to downgrade each of them?

flyinghuman · April 2, 2020, 5:21pm

You save me a lot ot time. We have now a running config with the latest jisti and apache2 sibboleth auth!

<Location /login>
AuthType shibboleth
ShibRequestSetting requireSession true
ShibUseHeaders On
Require valid-user
SetHandler shib
ProxyPass http://localhost:8888/login
ProxyPassReverse http://localhost:8888/login

these settings are nowhere described. maybe i will make a wiki article for this. Thanks!

Can it be configured to set automatically the Displayed Name to a Shibboleth Value?

Vinc · April 3, 2020, 6:18am

Can it be configured to set automatically the Displayed Name to a Shibboleth Value?

I don’t know if that is possible, but it would be a cool feature. That might be answered by the developers.

creativeguitar · May 7, 2020, 7:19pm

I am having the same issue in jicofo 1.0-567-1…

dpkg -l | grep ji
ii  jicofo                       1.0-567-1                         all          JItsi Meet COnference FOcus

but I am getting a 500 error

## HTTP ERROR 500

Problem accessing /login/. Reason:

Attribute 'mail' not provided - check server configuration

[Powered by Jetty:// 9.4.15.v20190215](http://eclipse.org/jetty)

any help will be greatly appreciate it.

nginx conf

server {
listen 443 ssl;
server_name jitsi-meet.MYDOMAIN.com;
include /config/nginx/ssl.conf;
include /config/nginx/meet.conf;

    # Shibboleth

    location = /shibauthorizer {
      internal;
      include fastcgi_params;
      fastcgi_pass unix:/etc/shibboleth/shibauthorizer.sock;
    }

    location /Shibboleth.sso {
      include fastcgi_params;
      fastcgi_pass unix:/etc/shibboleth/shibresponder.sock;
    }

    location /shibboleth-sp {
      alias /usr/share/shibboleth/;
    }

    # Login location where Jicofo servlet is running

    location /login {
      shib_request_use_headers on;
      more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
      more_clear_input_headers 'displayName' 'mail' 'persistent-id';
      shib_request /shibauthorizer;
      proxy_pass http://jicofo:8888;
    }

creativeguitar · May 7, 2020, 9:41pm

It was my problem I wasn’t mapping the attributes correctly in shibboleth.
Now that I mapped the attributes, if i go to a room as a logged out user and clikc “i am the host” I get a plain error 500.
if I login manually with the link jitsi-meet.mydomain.com/Shibbolleth.sso/Login, and then go to a room and click I am the host, it works

Any ideas why