CMS with Azure AD SSO not loading any iframes (408 timeouts)

Hi,

We are trying to set up our CMS with SSO via Azure AD, which partially works. We run into an issue where no iframes are loaded and we can’t seem to figure out why this is happening. Hopefully someone here has some insights.

The versions:
BrXM enterprise version 14.7.5

We use Azure AD with OIDC (OAuth2), following the setup suggested by Woonsan and Baris here:

and

The setup seems to work: we are rerouted to the Microsoft login, get back to the CMS and are logged in. The navigation on the left loads, but then it gets stuck loading anything on the right of the screen (the Angular iframes).
If you use an admin user you can also log in to the console and edit/delete/write to the repo, so the whole login process seems to work properly.

The iframe loading just gives an Angular timeout error page (408) without a clear reason why the iframes are not loading properly.

The logs give the following information, but it doesn’t seem to be much help. The connection timeout error is something we also see when not running with SSO, so it seems unrelated.

[INFO] [talledLocalContainer] 28.04.2022 10:42:11 INFO  http-nio-8080-exec-4 [CmsSubAppIFrameCommunicationBehavior.renderHead:93] Add script:cms-subapp-iframe-communication.js
[INFO] [talledLocalContainer] 28.04.2022 10:42:11 INFO  http-nio-8080-exec-4 [CmsSubAppIFrameCommunicationBehavior.createScript:104] Add key:iFrameElementId,value:projects-iframe as parameter to script
[INFO] [talledLocalContainer] 28.04.2022 10:42:14 INFO  http-nio-8080-exec-4 [ActiveLogoutPlugin.internalRenderHead:86] Inactive user sessions will be logged out automatically after 30 minutes minutes
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [JcrItemModel.loadModel:195] Neither path nor uuid present for item model, returning null
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [JcrItemModel.doSave:283] Neither path nor uuid present
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [JcrItemModel.loadModel:195] Neither path nor uuid present for item model, returning null
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [JcrItemModel.doSave:283] Neither path nor uuid present
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [JcrItemModel.loadModel:195] Neither path nor uuid present for item model, returning null
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [JcrItemModel.doSave:283] Neither path nor uuid present
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-4 [SecurityContextPersistenceFilter.doFilter:118] Cleared SecurityContextHolder to complete request
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [FilterChainProxy.doFilterInternal:208] Securing GET /?1&iframe
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [HttpSessionSecurityContextRepository.readSecurityContextFromSession:184] Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal= [redacted] Granted Authorities=[ROLE_USER, SCOPE_email, SCOPE_openid, SCOPE_profile]]]
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [SecurityContextPersistenceFilter.doFilter:107] Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [redacted] Granted Authorities=[ROLE_USER, SCOPE_email, SCOPE_openid, SCOPE_profile]]]
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [AbstractSecurityInterceptor.beforeInvocation:210] Authorized filter invocation [GET /?1&iframe] with attributes [authenticated]
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 INFO  http-nio-8080-exec-7 [LoginSuccessFilter.doFilter:34] doFilter LoginSuccessFilter
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [FilterChainProxy$VirtualFilterChain.doFilter:323] Secured GET /?1&iframe
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [CsrfPreventionRequestCycleListener.onBeginRequest:260] Request header Origin: null
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 DEBUG http-nio-8080-exec-7 [SecurityContextPersistenceFilter.doFilter:118] Cleared SecurityContextHolder to complete request
[INFO] [talledLocalContainer] 28.04.2022 10:42:34 WARN  http-nio-8080-exec-7 [FilterChainInvokingValve.invoke:79] Failed to continue with the filterChain.
[INFO] [talledLocalContainer] org.apache.catalina.connector.ClientAbortException: java.io.IOException: An established connection was aborted by the software in your host machine
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:351) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.OutputBuffer.flushByteBuffer(OutputBuffer.java:776) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:451) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.OutputBuffer.flushCharBuffer(OutputBuffer.java:781) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:295) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:272) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.Response.flushBuffer(Response.java:500) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at org.apache.catalina.connector.ResponseFacade.flushBuffer(ResponseFacade.java:312) ~[catalina.jar:9.0.38]
[INFO] [talledLocalContainer] 	at javax.servlet.ServletResponseWrapper.flushBuffer(ServletResponseWrapper.java:181) ~[servlet-api.jar:4.0.FR]

The console log only gives the following information:

Does anyone have any idea what we are missing in our setup to make sure the iframes are loaded correctly?
Or where to look/debug in order to find the root cause?

Kind regards,
Matthijs

Can you try with the following:

http
            .csrf()
            .disable()
            .authorizeRequests()
            //.requestMatchers(request -> request.getParameterMap().containsKey("_hn:type")).permitAll()
            .antMatchers("/saml*", "/*.gif", "/*.jpg", "/*.jpeg", "/*.png", "/*.jsp", "/*.js", "/*.css", "/*.map", "/console*").permitAll()
            .anyRequest().authenticated()
            .and()
            .headers().frameOptions().sameOrigin()
            .and()
            .addFilterAfter(new LoginSuccessFilter(), FilterSecurityInterceptor.class)
            .apply(saml(hostname, protocol))
            .serviceProvider()
            .keyStore()
            .storeFilePath(keyStoreFilePath)
            .password(password)
            .keyname(keyAlias)
            .keyPassword(password)
            .and()
            .protocol(protocol)
            .hostname(hostname)
            .basePath(CMS)
            .and()
            .identityProvider()
            .metadataFilePath(metadataUrl);
}

http.cors().configurationSource(corsConfigurationSource());

Perfect! That was exactly it. Thanks very much Kenan! Have been stuck on this for a while now 🙂

Maybe good for others to know: the only extra element that is needed is this part, which makes all the iframes render again when configuring the security config.

.and()
   .headers().frameOptions().sameOrigin()
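A quick way to confirm that framing headers are what blocks the sub-app iframes, as an added example that is not code from this thread or from Bloomreach: a small Python checker that evaluates a response's X-Frame-Options / CSP frame-ancestors headers the way a browser does for an iframe such as the CMS sub-app at /?1&iframe. The URLs and header sets are constructed; Spring Security's default X-Frame-Options: DENY is the "before", and the header produced by .headers().frameOptions().sameOrigin() is the "after".

```python
from urllib.parse import urlsplit

# Constructed sample input (not from the thread): the CMS shell and the
# Angular sub-app it loads in an iframe are served from the same origin.
PARENT_URL = "https://cms.example.com/cms/"
IFRAME_URL = "https://cms.example.com/cms/?1&iframe"
# Headers Spring Security adds by default ("before")...
SPRING_DEFAULT_HEADERS = {"X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}
# ...and after .headers().frameOptions().sameOrigin() ("after").
SAMEORIGIN_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased: what a same-origin comparison looks at."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(headers: dict, framed_url: str, parent_url: str) -> tuple:
    """Decide whether a browser renders framed_url inside parent_url, given the
    response headers of the framed document. Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = origin_of(framed_url) == origin_of(parent_url)
    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    # Simplified source matching: only 'none', 'self', '*' and exact origins.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = {s.lower() for s in value.split()}
        if "'none'" in sources:
            return False, "CSP frame-ancestors 'none' forbids all framing"
        if "*" in sources or ("'self'" in sources and same_origin) or origin_of(parent_url) in sources:
            return True, "CSP frame-ancestors permits this parent origin"
        return False, "CSP frame-ancestors does not list the parent origin"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY (Spring Security's default) blocks every iframe"
    if xfo == "SAMEORIGIN":
        if same_origin:
            return True, "X-Frame-Options: SAMEORIGIN and the parent is same-origin"
        return False, "X-Frame-Options: SAMEORIGIN but the parent is a different origin"
    # Absent or unrecognised values (e.g. the obsolete ALLOW-FROM) are ignored by current browsers.
    return True, "no recognised framing restriction"


if __name__ == "__main__":
    for label, hdrs in (("before", SPRING_DEFAULT_HEADERS), ("after", SAMEORIGIN_HEADERS)):
        ok, why = frame_allowed(hdrs, IFRAME_URL, PARENT_URL)
        print(f"{label}: iframe {'renders' if ok else 'blocked'} - {why}")
```

Feed it the headers captured from the browser's network tab for the /?1&iframe request; a 408 page rendered by Angular after the browser refused the frame looks the same as a real timeout in the CMS log, which is why the Tomcat stack trace above says nothing about it.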