  1. Red Hat Fuse
  2. ENTESB-10798

[Hawtio] Direct url gives an access to Hawtio without authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: fuse-7.3.1, fuse-7.4-GA
    • Fix Version/s: fuse-7.4-GA
    • Component/s: Hawtio
    • Labels:
      None
    • Sprint:
      Fuse 7.4 Sprint 47 - Bug Fix
    • Steps to Reproduce:

      1. Open Hawtio;
      2. Type "http://localhost:8181/hawtio/users" into URL bar (make sure you are logged out);
      3. It will pass you to the Hawtio page;

      I believe there are more URLs which can pass you without authentication. I will investigate it.


      Description

      The issue is also present in Red Hat Fuse (7.3.1.fuse-731003).

      The URL http://localhost:8181/hawtio/users allows access to Hawtio, with limited functionality, of course.

      Other URLs like http://localhost:8181/hawtio/osgi, http://localhost:8181/hawtio/auth etc. are fixed in ENTESB-10468 and ENTESB-7967 and do not allow access.

      List of URLs which can pass:

      The URL - http://localhost:8181/hawtio/user gives the following result


          Attachments

          1. bug.jpg
            19 kB
          2. login_bug.webm
            1.42 MB
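
A regression check for the behaviour reported above, added here as an example (it is not code from the issue or from the Hawtio project): it requests each console URL named in the report with no cookies or credentials and lists the ones that are served instead of being sent to login. The login redirect target LOGIN_PATH and the SAMPLE responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

PATHS = ["/hawtio/users", "/hawtio/osgi", "/hawtio/auth"]  # URLs named in the report
LOGIN_PATH = "/hawtio/auth/login"  # assumption: where gated requests are redirected

# Constructed responses (status, Location) modelling the state the report describes.
SAMPLE = {
    "/hawtio/users": (200, None),
    "/hawtio/osgi": (302, "http://localhost:8181/hawtio/auth/login"),
    "/hawtio/auth": (302, "/hawtio/auth/login"),
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow 3xx; it is then raised as HTTPError


def served_anonymously(status, location=None):
    """True when a request without credentials was answered with content."""
    if 200 <= status < 300:
        return True
    if 300 <= status < 400:
        # A redirect only counts as gating when it leads to the login page.
        return not urlsplit(location or "").path.startswith(LOGIN_PATH)
    return False  # 401/403 and other errors serve no console page


def probe(base, path, timeout=5):
    """One request with no cookies or credentials; returns (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base + path, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def ungated_paths(base, paths=PATHS, fetch=probe):
    """Paths that answered an anonymous request without sending it to login."""
    return [p for p in paths if served_anonymously(*fetch(base, p))]


if __name__ == "__main__":
    # Offline run on the constructed sample; drop fetch= to query a live instance.
    for hit in ungated_paths("http://localhost:8181", fetch=lambda b, p: SAMPLE[p]):
        print("served without authentication:", hit)
```

Run against a test instance before and after applying the fix version; an empty result means every listed path was gated at the HTTP layer.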


                People

                • Assignee:
                  jamesnetherton James Netherton
                  Reporter:
                  jsolovjo Juri Solovjov
                  Tester:
                  Juri Solovjov
