SOGo | BTS

View Issue Details

ID: 0004468
Project: SOGo
Category: GUI
View Status: public
Date Submitted: 2018-05-16 11:13
Last Update: 2019-02-01 10:37
Reporter: vbonamy
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: CentOS Linux
OS Version: 7.4
Product Version: 3.2.10
Target Version:
Fixed in Version: 4.0.6
Summary: 0004468: CAS Authentication - CAS Session expiration handling with SOGo V3 - CORS
Description

Troubles with SOGo's handling of CAS session expiration.

Adding some configuration on the CAS server to handle Cross-Origin Resource Sharing (CORS) gives us better behaviour, but it's not perfect yet.

See below.

Steps To Reproduce

Use a SOGo v3 with CAS authentication.
You authenticate on the SOGo Web UI (via CAS login).
You click on a mail, all is OK.
Now, log out of the CAS directly via another tab of your browser: https://cas.my-univ.fr/logout
Wait or click on another mail in the SOGo Web UI.

-> an infinite loop of HTTP AJAX requests occurs (on CAS and SOGo) ... and the browser doesn't detect it!

In the console of your browser you can see logs scrolling like this:
"""
Failed to load https://cas.my-univ.fr/login?service=https%3A%2F%2Fsogo.my-univ.fr%2FSOGo%2Fso%2Findex: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://sogo.my-univ.fr' is therefore not allowed access.
"""
-> to handle CORS, we add on the HTTPD of the CAS server a configuration like this:
SetEnvIf Origin "https://sogo.my-univ.fr" FROM_SOGO
Header add Access-Control-Allow-Origin "https://sogo.my-univ.fr" env=FROM_SOGO
Header add Access-Control-Allow-Headers "Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Headers,Access-Control-Request-Method,Connection,Host,Origin,User-Agent,Content-Type" env=FROM_SOGO

With this, it works better - no more infinite loop, and the CAS login form is displayed to the user ... but after logging in, regularly, you are not redirected to a SOGo web HTML page but to a SOGo web JS page like https://sogo.my-univ.fr/SOGo/so/toto/Mail/0/folderINBOX/expunge . This page displays things like:
{"quotas": {"maxQuota": "10731520", "usedSpace": "3865663"}} in the browser of the user :-(
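The SetEnvIf/Header workaround in the description is judged only by whether the console error goes away. The following is an added example, not code from SOGo, from the reporter or from the CAS server configuration above: it checks the CORS response headers a CAS login endpoint returns for a cross-origin browser request, flagging the failure modes a practitioner would want to catch (no header, duplicate headers from stacking "Header add" on an application that already answers CORS, a wildcard origin, a mismatched origin, a missing credentials header for a cookie-carrying SSO request, and a missing "Vary: Origin" when the allowed origin is chosen per request). Host names are placeholders and the sample header sets are constructed; treating the SSO request as credentialed is an assumption made explicit through the `credentialed` parameter.

```javascript
// Added example: validate CORS response headers returned by an SSO (CAS) login endpoint.
// Not SOGo code. Host names are placeholders (assumptions); sample header sets are constructed.

// Case-insensitive lookup returning every value of a header (duplicates matter here).
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter(([n]) => n.toLowerCase() === wanted).map(([, v]) => v);
}

// Returns a list of problems; an empty list means the headers are usable for expectedOrigin.
// `credentialed`: whether the browser request carries cookies (XHR withCredentials /
// fetch credentials: "include"). Assumption: the SSO case needs that so the CAS session
// cookie is presented; pass false for a plain uncredentialed request.
function checkCorsHeaders(headers, expectedOrigin, credentialed = true) {
  const problems = [];
  const acao = headerValues(headers, "Access-Control-Allow-Origin");
  if (acao.length === 0) {
    problems.push("missing Access-Control-Allow-Origin: the browser discards the response");
  } else if (acao.length > 1) {
    // Apache "Header add" appends even when the application already sent the header;
    // browsers treat multiple values as invalid and block the response.
    problems.push("multiple Access-Control-Allow-Origin values: use 'Header set' or let one layer emit it");
  } else if (acao[0] === "*") {
    problems.push("wildcard origin: rejected for credentialed requests and too broad for an SSO endpoint");
  } else if (acao[0] !== expectedOrigin) {
    problems.push("Access-Control-Allow-Origin is " + acao[0] + ", expected " + expectedOrigin);
  }
  if (credentialed) {
    const acac = headerValues(headers, "Access-Control-Allow-Credentials");
    if (acac.length !== 1 || acac[0] !== "true") {
      problems.push("missing 'Access-Control-Allow-Credentials: true': the session cookie is not usable");
    }
  }
  // The allowed origin is chosen per request (SetEnvIf Origin ...), so caches must key on Origin.
  const vary = headerValues(headers, "Vary")
    .join(",")
    .split(",")
    .map((v) => v.trim().toLowerCase());
  if (!vary.includes("origin")) {
    problems.push("missing 'Vary: Origin': a shared cache could replay one origin's answer to another");
  }
  return problems;
}

// Constructed samples. SAMPLE_OK is what a complete per-origin configuration yields;
// SAMPLE_DUPLICATE is the failure mode of stacking "Header add" on an application header.
const SAMPLE_OK = [
  ["Content-Type", "text/html;charset=UTF-8"],
  ["Access-Control-Allow-Origin", "https://sogo.example.org"],
  ["Access-Control-Allow-Credentials", "true"],
  ["Vary", "Origin"],
];
const SAMPLE_DUPLICATE = [
  ["Access-Control-Allow-Origin", "https://sogo.example.org"],
  ["Access-Control-Allow-Origin", "https://sogo.example.org"],
  ["Vary", "Origin"],
];

console.log(checkCorsHeaders(SAMPLE_OK, "https://sogo.example.org"));        // []
console.log(checkCorsHeaders(SAMPLE_DUPLICATE, "https://sogo.example.org")); // two problems
```

The header pairs can be taken from a real response by iterating a fetch `Headers` object, a `curl -sI` dump, or a browser's network panel; the point of keeping the checks as a pure function is that the same test can run against the CAS host before and after a configuration change.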
Tags: No tags attached.

Notes
(0013117)
vbonamy (reporter)
2018-10-18 02:42

Same problem with SOGo v4 (I just tested with 4.0.3).

The workaround of handling CORS on the CAS server does not work very well ... and can actually cause an infinite loop on the CAS server, so I removed the httpd configuration for this on the CAS server.

Because of this problem, we continue to use SOGo in version 2 here.
(0013122)
vbonamy (reporter)
2018-10-22 09:26

To avoid the infinite loop I added this JavaScript (thanks to SOGoUIAdditionalJSFiles):

document.addEventListener("DOMContentLoaded", function() {

  // Hack for https://sogo.nu/bugs/view.php?id=4468
  // Watch nodes added to <body>; when one loads a ".../recover" URL (the start of the
  // redirect loop), send the browser to the application root and stop watching.
  var observer = new MutationObserver(function (mutations, me) {
    // console.log(mutations);
    try {
      for (var i = 0; i < mutations.length; i++) {
        var added = mutations[i].addedNodes;
        for (var j = 0; j < added.length; j++) {
          // only elements with a src attribute (script, iframe, img) are of interest
          if (added[j].src && added[j].src.endsWith('/recover')) {
            window.location = '/';
            me.disconnect(); // stop observing
            return;
          }
        }
      }
    } catch (e) {}
  });

  // start observing
  observer.observe(document.body, {
    childList: true
  });

});
(0013260)
wix (reporter)
2019-01-16 02:53
edited on: 2019-01-16 02:55

Hello,

I have the same issue with SOGo 4.0.5

For me this problem is not only related to the logout of the CAS, but also randomly

I fixed it with this rule on my ProxyPass:
ProxyPassMatch "^/SOGo/so/(.*)/recover" "!"
RedirectMatch "^/SOGo/so/(.*)/recover(.*)" "https://webmail.domain.fr/SOGo/"

But I think it's not a good solution.

Please check. This problem has existed since 2011 ( https://lists.inverse.ca/sogo/arc/users/2011-07/msg00058.html )

William

(0013270)
francis (administrator)
2019-01-22 09:52

If one of you can provide me a temporary account on their system, I could more easily reproduce and fix the problem. Thanks. Contact me in private.
(0013271)
wix (reporter)
2019-01-23 09:25

I have a ticket open on inverse.ca/mantis/.
I will give access via that tracker as soon as it is ready (the test area is not related to production).

Thanks
(0013273)
francis (administrator)
2019-01-24 07:30

Please try the next nightly build and let me know if it fixes the problem. Make sure to empty your browser's cache.
(0013278)
vbonamy (reporter)
2019-01-24 08:45

Thank you.

Our test SOGo v4 now contains this modification (== https://github.com/inverse-inc/sogo/tree/master ).

I had to handle CORS on the CAS server:
SetEnvIf Origin "https://sogo-rwd.univ-rouen.fr" FROM_SOGO_RWD
Header add Access-Control-Allow-Origin "https://sogo-rwd.univ-rouen.fr" env=FROM_SOGO_RWD
Header add Access-Control-Allow-Headers "Accept,Accept-Encoding,Accept-Language,Access-Control-Request-Headers,Access-Control-Request-Method,Connection,Host,Origin,User-Agent,Content-Type" env=FROM_SOGO_RWD

And with that, there is no infinite redirection loop after CAS logout: if you don't handle CORS on CAS with HTTP headers, there is still an infinite loop because getting the CAS URL from the AJAX call fails [JS exception], and so I think $window.attempted is never set to true.

The problem is that after reauthentication, the page displayed can sometimes be a JavaScript page with the quota as JSON (the expunge URL).

I'll send you a video by email.

Thank you.
Vincent.
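The two failure modes in this thread are a client that keeps retrying the bounce to CAS (the loop, tied above to $window.attempted never becoming true when the cross-origin fetch throws) and a client that hands CAS the AJAX endpoint URL as the return target (the JSON "expunge" page after re-login). The following is an added example, not code from SOGo, from the reporters or from the commits attached to this issue: it models a defensive client-side handler that recognises an SSO bounce in both observable shapes (a readable redirect to the CAS login, or a rejected fetch when the cross-origin redirect is blocked), redirects the top-level window at most once per page lifetime, and always passes the document URL, never the AJAX URL, as the CAS `service`. The CAS and SOGo host names, the application home path and the list of non-page endpoints are placeholders (assumptions built from the URLs quoted in this issue), and the "results" are constructed objects standing in for what `fetch()` would yield.

```javascript
// Added example: guarded SSO session-expiry handling for AJAX calls. Not SOGo code.
// Host names, home path and endpoint list are assumptions; results are constructed.

const CAS_LOGIN = "https://cas.example.org/login";   // assumption: the CAS server
const APP_ORIGIN = "https://sogo.example.org";        // assumption: the SOGo host
const APP_HOME = APP_ORIGIN + "/SOGo/";               // assumption: safe landing page

// Endpoints that answer with JSON/JS for the UI, never meant to be shown to a person.
// Assumption built from the URLs quoted in the issue; a deployment would use its own routes.
const NON_PAGE_PATH = /\/(expunge|recover)$/;

// result: { status, redirected, url } for a completed response, or { error } when fetch()
// rejected, which is what a blocked cross-origin redirect to CAS looks like from the page
// (the "No 'Access-Control-Allow-Origin' header is present" console message).
function looksLikeSsoBounce(result) {
  if (result.error) return true;
  if (result.redirected && typeof result.url === "string" && result.url.startsWith(CAS_LOGIN)) {
    return true;
  }
  return false;
}

// Where the user should land after re-login: the current page if it is a same-origin page
// URL (fragment dropped), otherwise the application home. An AJAX endpoint is never returned,
// and a foreign origin is never used as the service parameter.
function safeReturnUrl(candidate) {
  let u;
  try {
    u = new URL(candidate, APP_ORIGIN);
  } catch (e) {
    return APP_HOME;
  }
  u.hash = "";
  if (u.origin !== APP_ORIGIN || NON_PAGE_PATH.test(u.pathname)) return APP_HOME;
  return u.href;
}

function buildLoginUrl(documentUrl) {
  return CAS_LOGIN + "?service=" + encodeURIComponent(safeReturnUrl(documentUrl));
}

// state.attempted lives for one page lifetime: a full-page navigation to CAS creates a fresh
// page (and a fresh state), so a second bounce seen by the *same* page means CAS did not
// re-establish the session (blocked, unreachable, cookie not set) and we give up instead of
// redirecting again. In a browser, documentUrl would be window.location.href.
function handleAjaxResult(state, result, documentUrl) {
  if (!looksLikeSsoBounce(result)) return { action: "ok" };
  if (state.attempted) return { action: "give-up", reason: "already redirected once on this page" };
  state.attempted = true;
  return { action: "redirect", to: buildLoginUrl(documentUrl) };
}

// Constructed walk-through: a request issued from the INBOX view is bounced twice in a row.
const page = "https://sogo.example.org/SOGo/so/toto/Mail/view#!/Mail/0/folderINBOX";
const bounced = { status: 200, redirected: true, url: CAS_LOGIN + "?service=..." };
const state = { attempted: false };
console.log(handleAjaxResult(state, bounced, page)); // redirect, service = page URL without fragment
console.log(handleAjaxResult(state, bounced, page)); // give-up: no loop
```

In a real client the `redirect` action would become `window.location.assign(to)` and the `give-up` action a visible "session expired, reload to sign in" message; keeping the decision in pure functions is what makes the loop guard and the return-URL choice testable outside a browser.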
(0013308)
wix (reporter)
2019-02-01 09:00

Hi Vincent,

The latest commit fixed the problem for me (sogo-4.0.5.20190201).
From what Francis explained to me via paid support, there is no need to handle CORS; the application takes care of it in the code.

William

Related Changesets

sogo: master 9596ac2a
Timestamp: 2019-01-22 15:34:23
Author: francis
(js) Improve CAS handling

Fixes 0004468
mod - NEWS
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master 5cac6696
Timestamp: 2019-01-22 18:27:45
Author: francis
(js) Improve CAS handling

Fixes 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master 3c60e2a7
Timestamp: 2019-01-24 13:12:04
Author: francis
(js) Improve CAS handling

Fixes 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master c13c01ff
Timestamp: 2019-01-30 15:55:00
Author: francis
(js) Improve CAS handling

Fixes 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

sogo: master 368c13d6
Timestamp: 2019-01-31 11:12:03
Author: francis
(js) Improve CAS handling

Fixes 0004468
mod - UI/WebServerResources/js/Common/Common.app.js

Issue History

Date Modified | Username | Field | Change
2018-05-16 11:13 vbonamy New Issue
2018-10-18 02:42 vbonamy Note Added: 0013117
2018-10-22 09:26 vbonamy Note Added: 0013122
2019-01-16 02:53 wix Note Added: 0013260
2019-01-16 02:55 wix Note Edited: 0013260
2019-01-22 09:52 francis Note Added: 0013270
2019-01-23 09:25 wix Note Added: 0013271
2019-01-24 07:26 francis Changeset attached => sogo master 9596ac2a
2019-01-24 07:26 francis Assigned To => francis
2019-01-24 07:26 francis Resolution open => fixed
2019-01-24 07:30 francis Note Added: 0013273
2019-01-24 08:45 vbonamy Note Added: 0013278
2019-01-24 11:24 francis Changeset attached => sogo master 5cac6696
2019-01-24 13:12 francis Changeset attached => sogo master 3c60e2a7
2019-01-30 15:56 francis Changeset attached => sogo master c13c01ff
2019-01-31 11:12 francis Changeset attached => sogo master 368c13d6
2019-02-01 09:00 wix Note Added: 0013308
2019-02-01 10:37 francis Status new => resolved
2019-02-01 10:37 francis Fixed in Version => 4.0.6
