  1. Red Hat Fuse
  2. ENTESB-4766

Authorization not working for Hawtio on EAP

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: jboss-fuse-6.2.1
    • Component/s: Hawtio
    • Labels:
      None
    • Environment:

      Fuse 6.2.1 on EAP

    • Steps to Reproduce:
      • Add system property to standalone.xml:

        <property name="hawtio.role" value="manager"/>
        

      • Configure hawtio-domain to use UserRoles, Ldap or similar LoginModule
      • Start EAP, try to log in to the hawtio console with a user who has the same role as configured earlier
      • Login will fail - related DEBUG logging:

        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000288: Properties file defaultRoles.properties loaded, users: [userA]
        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000240: Begin login method
        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000241: End login method, isValid: true
        15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000242: Begin commit method, overall result: true
        15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000285: Adding role manager to group Roles
         
        ... logging above shows that user 'userA' belongs to group 'manager' ...
         
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimplePrincipal toString: userA
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) role userA doesn't match manager, continuing
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:manager)
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:userA)
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
         
        ... role could not be found...:
         
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) User userA does not have the required role manager
        

    • Workaround Description:
      Remove 'hawtio.role' property

    • Sprint:
      6.3 Sprint 1 (4-Jan->29-Jan)

      Description

      Restricting access to the hawtio console on EAP fails to properly compare the user roles with the one defined by the 'hawtio.role' property.

      Related to: https://github.com/hawtio/hawtio/issues/1983
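The mismatch in the DEBUG log above, reproduced as an added example (not Hawtio's code and not the fix from the linked issue). `SimplePrincipal` and `SimpleGroup` are minimal stand-ins for the `org.jboss.security` classes, and the method names `flatCheck` and `groupAwareCheck` are hypothetical.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

public class RoleCheckDemo {
    // Stand-ins (assumed shape) for org.jboss.security.SimplePrincipal / SimpleGroup.
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static class SimpleGroup extends SimplePrincipal {
        final List<Principal> members = new ArrayList<>();
        SimpleGroup(String name, String... memberNames) {
            super(name);
            for (String m : memberNames) members.add(new SimplePrincipal(m));
        }
    }

    // Flat comparison, as traced in the log: only top-level principals whose
    // class is exactly rolePrincipalClass are compared with the required role.
    static boolean flatCheck(Subject s, String role, Class<?> roleClass) {
        for (Principal p : s.getPrincipals())
            if (p.getClass() == roleClass && p.getName().equals(role)) return true;
        return false;
    }

    // Group-aware comparison: only members of the group named "Roles" count as
    // roles; the caller's own name principal is never compared with the role.
    static boolean groupAwareCheck(Subject s, String role, Class<?> roleClass) {
        for (Principal p : s.getPrincipals())
            if (p instanceof SimpleGroup && "Roles".equals(p.getName()))
                for (Principal m : ((SimpleGroup) p).members)
                    if (m.getClass() == roleClass && m.getName().equals(role)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed Subject matching the three principals listed in the log.
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal("userA"));
        subject.getPrincipals().add(new SimpleGroup("Roles", "manager"));
        subject.getPrincipals().add(new SimpleGroup("CallerPrincipal", "userA"));
        System.out.println("flat check:        " + flatCheck(subject, "manager", SimplePrincipal.class));
        System.out.println("group-aware check: " + groupAwareCheck(subject, "manager", SimplePrincipal.class));
    }
}
```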

              People

              • Assignee:
                grgrzybek Grzegorz Grzybek
                Reporter:
                mputz Martin Weiler
                Tester:
                Viliam Kasala
              • Votes:
                0
                Watchers:
                5
