In Xwiki 11.10.3 (official Debian Buster packages) I’m seeing tons of the following warnings:
[2020-03-08 19:30:56] [info] 2020-03-08 19:30:56,119 [https://xwiki.ohrner-it.com/xwiki/rest/notifications/count?media=json&userId=xwiki%3AXWi
ki.go&useUserPreferences=true&currentWiki=xwiki&async=true&_=1583692255269] WARN c.x.x.XWiki - Deprecated usage legacy-sty
le HQL ordinal parameters (`?`); use JPA-style ordinal parameters (e.g., `?1`) instead. Query [select distinct doc.fullName from XWikiDocument
as doc , BaseObject as obj, StringProperty as prop where doc.fullName=obj.name and obj.className=? and obj.id=prop.id.id and prop.name=? and
lower(prop.value)=?] has been converted to [select distinct doc.fullName from XWikiDocument as doc , BaseObject as obj, StringProperty as prop
where doc.fullName=obj.name and obj.className=?1 and obj.id=prop.id.id and prop.name=?2 and lower(prop.value)=?3]
Should I just ignore it and somehow tune the log settings to hide those warnings? (And if so, how to tune them best to achieve this goal with minimal side effects?)
What is surprising is that you have an authentication being executed during the notification REST request as if it was not remembering the session user and was redoing the authentication at each request.
Would be great if you could create an issue on Loading... about that. In the meantime you can indeed just configure xwiki.properties to ignore deprecated API call warnings.
Xwiki is a purely internal service for us, and I hid everything I could behind HTTP authentication.
I also configured this for Xwiki, so the prepended Apache reverse proxy requires HTTP basic authentication, which has the advantage that no one without a valid account can even access our Tomcat or Xwiki instance.
On the other hand this led to some kind of “auto-login” which is super convenient - we don’t have to log in to Xwiki at all, there is not even a login page. As soon as we authenticate against the reverse proxy, the Xwiki session seems to be authenticated automatically.
This worked fine since 10.8.something when I started using Xwiki, and still works with 11.10.3.
However, it might of course be more of a side effect rather than an official feature, and maybe the behaviour which confuses you is related to this setup?
Shall I still report a bug? Do I suffer from worse-than-necessary performance due to unnecessary re-authentications?
Actually the bug report I was referring to was related to the warning log (the query needs to be modified to not use legacy stuff). The fact that it re-logs in is definitely related to the environment; if it’s OK for you then fine, but LDAP auth is not always super fast so I tend to prefer making sure that the user stays in the session.
How could I achieve this - just by removing the prepended HTTP basic authentication?
Or is there a way to keep the session with my current setup? Maybe I should contact your professional support for this matter?
Actually, probably every request is then currently authenticated twice - once by Apache and once by Xwiki afterwards… :-/ Probably really not such a good idea.
I should verify that this actually works, but then there’s only Xwiki left which I teach not to re-lookup the users all the time… Actually Xwiki behaves a bit sluggish, which I always thought was due to insufficient server power, but which obviously might also be caused by some latency added to all requests due to those LDAP queries.
Not really sure about the details of your current setup. So you have some SSO at Apache level and XWiki is in trusted mode? With this setup XWiki stores in the session the user forwarded by Apache to know if it should try to authenticate again next time or not.
Maybe the session is lost for some reason (the session id is supposed to be stored in a cookie).
I will try to add some debug logs around this process to see what exactly happens in your case.
[quote=“tmortagne, post:8, topic:6431”]
Not really sure about the details of your current setup.[/quote]
Not really sure what I’m doing.
To be more precise:
Well, probably not really. I’m hearing about trusted mode for the first time now, but will read about it.
What I actually just did was adding LDAP-backed HTTP basic authentication to the Apache vhost which serves Xwiki. I just added this HTTP authentication to all vhosts which are only supposed to be accessed by my employees, to reduce attack surface on the Internet - you’ll only reach the application running on this vhost at all if you already passed authentication:
Most applications still require their own authentication / login afterwards. With Nextcloud, this prepended Apache HTTP basic authentication is not possible / not supported at all.
In case of Xwiki, to my surprise, this setup just led to the user already being authenticated / “logged in” in Xwiki, without the need for me to do anything to achieve this.
So I also didn’t do anything else - it “just worked” ™. Possibly “by accident”.
Maybe I need to configure something in Xwiki (trusted mode?) to make this work properly…
The REMOTE USER I was mentioning is an HTTP standard thing often used by authentication proxies to pass the authenticated user to the server (so to XWiki here). The XWiki LDAP authenticator automatically reads this info and assumes it should trust it, that’s probably why you are automatically authenticated. Then the authenticator stores the result of the authentication in the session linked to the received REMOTE USER so that it does not do that at each request. I added some logs to try to understand what is found in the session during the following requests and to check whether it authenticates at each request or remembers as it is supposed to.
I sent some LDAP debug log messages to you in private mail.
There also seem to be unrelated similar warnings in the logs, however, which also occur if I configure the LDAP logger for level “ERROR”.
[2020-03-13 21:22:28] [info] 2020-03-13 21:22:28,479 [https://xwiki.ohrner-it.com/xwiki/bin/get/Ohrner%20IT/WebHome?outputSyntax=plain&sheet=X
Wiki.DocumentTree&showAttachments=false&showTranslations=false&exclusions=document%3Axwiki%3AMain.WebHome&exclusions=document%3Axwiki%3ADiagra
m.WebHome&exclusions=document%3Axwiki%3ASandbox.WebHome&exclusions=document%3Axwiki%3AHelp.WebHome&exclusions=document%3Axwiki%3AMenu.WebHome&
exclusions=document%3Axwiki%3AXWiki.WebHome&data=children&id=document%3Axwiki%3AOhrner+IT.WebHome] WARN c.x.x.XWiki - Depr
ecated usage legacy-style HQL ordinal parameters (`?`); use JPA-style ordinal parameters (e.g., `?1`) instead. Query [select distinct doc.full
Name from XWikiDocument as doc , BaseObject as obj, StringProperty as prop where doc.fullName=obj.name and obj.className=? and obj.id=prop.id.
id and prop.name=? and lower(prop.value)=?] has been converted to [select distinct doc.fullName from XWikiDocument as doc , BaseObject as obj,
StringProperty as prop where doc.fullName=obj.name and obj.className=?1 and obj.id=prop.id.id and prop.name=?2 and lower(prop.value)=?3]
Or is this related to LDAP and my attempt to set the logger to ERROR level was not successful?
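To see which logger and which request paths produce the deprecation warning quoted in this thread, the hard-wrapped records can be re-joined and grouped. This is an added example, not code from the thread's participants or from XWiki; the sample lines are constructed after the two records quoted above, with a placeholder host and shortened queries, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample modelled on the two wrapped records quoted in the thread
# (placeholder host, shortened URLs and queries).
SAMPLE = """\
[2020-03-08 19:30:56] [info] 2020-03-08 19:30:56,119 [https://wiki.example.test/xwiki/rest/notifications/count?media=json&userId=xwiki%3AXWi
ki.go&async=true] WARN  c.x.x.XWiki - Deprecated usage legacy-sty
le HQL ordinal parameters (`?`); use JPA-style ordinal parameters (e.g., `?1`) instead. Query [select a from B where c=?] has been converted to [select a from B where c=?1]
[2020-03-13 21:22:28] [info] 2020-03-13 21:22:28,479 [https://wiki.example.test/xwiki/bin/get/Main/WebHome?sheet=X
Wiki.DocumentTree&data=children] WARN  c.x.x.XWiki - Depr
ecated usage legacy-style HQL ordinal parameters (`?`); use JPA-style ordinal parameters (e.g., `?1`) instead. Query [select a from B where c=?] has been converted to [select a from B where c=?1]
"""

# A record starts with the bracketed wall-clock timestamp; anything else is a wrapped tail.
START = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] \[")
# [request URL] LEVEL logger - message
RECORD = re.compile(
    r"\[(?P<url>https?://[^\]\s]+)\]\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)", re.S)

def records(text):
    """Re-join hard-wrapped lines into one string per log record."""
    out = []
    for line in text.splitlines():
        if START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # wraps fall mid-word, so join without a separator
    return out

def triage(text):
    """Count deprecated-HQL warnings per (logger, request path)."""
    counts = Counter()
    for rec in records(text):
        m = RECORD.search(rec)
        if m and m["level"] == "WARN" and "legacy-style HQL ordinal parameters" in m["msg"]:
            counts[(m["logger"], urlsplit(m["url"]).path)] += 1
    return counts

if __name__ == "__main__":
    for (logger, path), n in triage(SAMPLE).most_common():
        print(f"{n:5d}  {logger}  {path}")
```

Grouping by the logger field shows which logger category a level override has to target, and grouping by path shows whether the warning is confined to one endpoint.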