  1. Red Hat Data Grid
  2. JDG-2540

[GSS](7.2.z) Logout doesn't work when LDAP realm is configured using chrome


    • Bug
    • Resolution: Obsolete
    • Minor
    • None
    • JDG 7.2.3 GA
    • None

      After configuring the management console to use an LDAP (AD) realm, more or less like this:

                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local" skip-group-loading="true"/>
                          <ldap connection="adconn" base-dn="cn=users,dc=sample,dc=com" recursive="true">
                              <username-filter attribute="sAMAccountName"/>
                          </ldap>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <ldap connection="adconn">
                              <group-search group-name="DISTINGUISHED_NAME" iterative="true" group-dn-attribute="dn" group-name-attribute="cn">
                                  <group-to-principal search-by="DISTINGUISHED_NAME" base-dn="cn=users,dc=sample,dc=com" recursive="true">
                                      <membership-filter principal-attribute="member"/>
                                  </group-to-principal>
                              </group-search>
                          </ldap>
                      </authorization>
                  </security-realm>
              </security-realms>
              <outbound-connections>
                  <ldap name="adconn" url="ldap://activedirectory.sample.com" search-dn="cn=Admin,cn=users,dc=sample,dc=com" search-credential="XXXXX"/>
              </outbound-connections>
      

      The logout doesn't work in Chrome (it does in Firefox). Debugging the console JavaScript, the issue seems to be that, to force the logout, the console performs a fake login using the following JavaScript code:

          AuthenticationService.prototype.logout = function() {
            var _this = this;
            var l = this.$location;
            var logoutUrl = l.protocol() + "://enter-login-here:blah@" + l.host() + ":" + l.port() + "/logout?org.jboss.as.console.logout.exit&mechanism=DIGEST";
            this.availability.stopApiAccessibleCheck();
            this.$http.get(logoutUrl).then(function() {
              return _this.$window.location.href = "/";
            });
          };
      

      It works for normal authentication but not for LDAP, because LDAP is BASIC (not DIGEST). And Chrome seems to only delete the credential if the 401 response is to the exact same realm (BASIC and not DIGEST). I have changed the JS to use "BASIC" instead of "DIGEST" and I can log out in Chrome and Firefox. So the URL cannot be hardcoded with the parameter mechanism=DIGEST. You need to pass the correct one (the one you are using). This issue is specific to JDG (not reproducible in the EAP console, tested in 7.1.5).

            remerson@redhat.com Ryan Emerson
            rhn-support-rmartinc Ricardo Martin Camarero
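
One way to derive the `mechanism` parameter from the server's own challenge instead of hardcoding it, as an added example that is not code from the JDG console or from the reporter. The function names, the plain `loc` object and the preference for DIGEST when both schemes are offered are assumptions; the caller is assumed to already hold the `WWW-Authenticate` value of the management endpoint's 401 response.

```javascript
// Added example; all function names here are hypothetical.
// Assumption: when both schemes are offered the browser uses the stronger one.
const PREFERENCE = ["DIGEST", "BASIC"];

// Return the auth schemes named in a WWW-Authenticate header value, upper-cased,
// in header order. Copes with several challenges in one header value.
function challengeSchemes(headerValue) {
  // Blank out quoted strings so commas and spaces inside them cannot split a parameter.
  const stripped = (headerValue || "").replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const schemes = [];
  for (const part of stripped.split(",")) {
    // A challenge starts with a scheme token followed by a space (or nothing);
    // auth-params look like name=value and are skipped. Token set simplified to [\w-].
    const m = /^\s*([\w-]+)(?:\s+(?![\s=])|\s*$)/.exec(part);
    if (m) schemes.push(m[1].toUpperCase());
  }
  return schemes;
}

// Choose the mechanism to send to /logout from what the realm actually challenges with.
function logoutMechanism(wwwAuthenticate) {
  const offered = challengeSchemes(wwwAuthenticate);
  const chosen = PREFERENCE.find((s) => offered.includes(s));
  if (!chosen) throw new Error("no BASIC or DIGEST challenge in: " + wwwAuthenticate);
  return chosen;
}

// Same logout URL as the console code above, with the mechanism passed in.
// loc is a plain { protocol, host, port } object (assumption, not Angular's $location).
function buildLogoutUrl(loc, mechanism) {
  return loc.protocol + "://enter-login-here:blah@" + loc.host + ":" + loc.port +
    "/logout?org.jboss.as.console.logout.exit&mechanism=" + encodeURIComponent(mechanism);
}

// Constructed sample challenges: an LDAP-backed realm and a local digest realm.
const ldapChallenge = 'Basic realm="ManagementRealm"';
const digestChallenge = 'Digest realm="ManagementRealm", nonce="a,b c", qop="auth"';
const loc = { protocol: "https", host: "console.example.test", port: 9990 };
console.log(buildLogoutUrl(loc, logoutMechanism(ldapChallenge)));
console.log(buildLogoutUrl(loc, logoutMechanism(digestChallenge)));
```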