Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-4766

Authorization not working for Hawtio on EAP

    XMLWordPrintable

Details

    • % %
    • Hide

      Remove 'hawtio.role' property

      Show
      Remove 'hawtio.role' property
    • Hide
      • Add system property to standalone.xml: 
        <property name="hawtio.role" value="manager"/>
      • Configure hawtio-domain to use UserRoles, Ldap or similar LoginModule
      • Start EAP, try to log in to the hawtio console with a user which has the same role as configured earlier
      • Log in will fail - related DEBUG logging: 
        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000288: Properties file defaultRoles.properties loaded, users: [userA]
15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000240: Begin login method
15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000241: End login method, isValid: true
15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000242: Begin commit method, overall result: true
15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000285: Adding role manager to group Roles

... logging above shows that user 'userA' belongs to group 'manager' ...

15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal
15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimplePrincipal toString: userA
15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) role userA doesn't match manager, continuing
15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:manager)
15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:userA)
15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing

... role could not be found...:

15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) User userA does not have the required role manager
      Show
      Add system property to standalone.xml: <property name="hawtio.role" value="manager"/> Configure hawtio-domain to use UserRoles, Ldap or similar LoginModule Start EAP, try to log in to the hawtio console with a user which has the same role as configured earlier Log in will fail - related DEBUG logging: 15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000288: Properties file defaultRoles.properties loaded, users: [userA] 15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000240: Begin login method 15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000241: End login method, isValid: true 15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000242: Begin commit method, overall result: true 15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000285: Adding role manager to group Roles ... logging above shows that user 'userA' belongs to group 'manager' ... 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimplePrincipal toString: userA 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) role userA doesn't match manager, continuing 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:manager) 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:userA) 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing ... role could not be found...: 15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) User userA does not have the required role manager
    • 6.3 Sprint 1 (4-Jan->29-Jan)

    Description

      Restricting access to the hawtio console on EAP fails to properly compare the user roles with the one defined by the 'hawtio.role' property.

      Related to: https://github.com/hawtio/hawtio/issues/1983

      Attachments

        Activity

          People

            ggrzybek Grzegorz Grzybek
            rhn-support-mputz Martin Weiler (Inactive)
            Viliam Kasala Viliam Kasala
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: