Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-5566

Multiple roles defined in hawtio.roles property not working in EAP

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: jboss-fuse-6.2.1
    • Fix Version/s: jboss-fuse-6.3
    • Component/s: Hawtio
    • Labels:
      None
    • Environment:

      Fuse 6.2.1 P2 on EAP

    • Steps to Reproduce:
      Hide

      1. Change standalone.xml to use application realm and to define the hawtio.role:

      <property name="hawtio.realm" value="ApplicationRealm" />
      		 
      <property name="hawtio.role" value="admin" />

      2. Add a user with admin role:

      $ ./bin/add-user.sh -a -u hawtio -p password1! -g admin

      3. Start the server and try to log in at http://localhost:8080/hawtio -> this should work

      4. Now change the hawtio roles definition to

      <property name="hawtio.roles" value="admin,viewer" />

      Login will fail now.

      Show
      1. Change standalone.xml to use application realm and to define the hawtio.role: <property name="hawtio.realm" value="ApplicationRealm" /> <property name="hawtio.role" value="admin" /> 2. Add a user with admin role: $ ./bin/add-user.sh -a -u hawtio -p password1! -g admin 3. Start the server and try to log in at http://localhost:8080/hawtio -> this should work 4. Now change the hawtio roles definition to <property name="hawtio.roles" value="admin,viewer" /> Login will fail now.
    • Git Pull Request:
    • Sprint:
      Sprint 5 - towards ER2

      Description

      Trying to define the roles allowed to access the hawtio console as documented in http://hawt.io/configuration/index.html, it was found that a single role works, whereas a setup with multiple roles, separated by comma, does not work:

      OK: <property name="hawtio.role" value="admin" />
      FAIL: <property name="hawtio.roles" value="admin,viewer" />

      DEBUG level logging shows that the role value is not split:

      14:40:41,593 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-1) Checking principal Roles(members:admin,hawt,weiler) if it is a Jboss specific SimpleGroup containing group info
      		 
      14:40:41,593 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-1) Matching Jboss EAP group name admin to required role admin,viewer

      While the roles are split in the general checkIfSubjectHasRequiredRole method:
      https://github.com/hawtio/hawtio/blob/master/hawtio-system/src/main/java/io/hawt/system/Authenticator.java#L175
      https://github.com/hawtio/hawtio/blob/master/hawtio-system/src/main/java/io/hawt/system/Authenticator.java#L294
      the same split logic is missing in the WebSphere/EAP specific methods:

        Gliffy Diagrams

          Attachments

            Issue Links

            cloned to

            Bug - A problem which impairs or prevents the functions of the product. ENTESB-5629 Authenticator.checkIfSubjectHasRequiredRoleOnWebsphere method is missing logic to handle multiple roles

            • Major - A request that should be considered seriously but is not a show stopper.
            • Closed

              Activity

                People

                • Assignee:
                  kearls Kevin Earls
                  Reporter:
                  mputz Martin Weiler
                  Tester:
                  Martin Štěpánek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: