Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-14749

Regression: [ENTESB-4766] Authorization not working for Hawtio on EAP

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • fuse-7.8-GA
    • fuse-7.x-GA
    • Hawtio
    • None
    • False
    • False
    • % %
    • build3
    • ?
    • Undefined
    • Hide

      Deploy Red Hat Fuse to JBoss EAP 7.2 (I used 7.2.9). Configure a security-domain for hawtio (I used a legacy LDAP configuration)

      Enable the hawtio.role system property with a valid role in the security realm. Attempt to log into Hawtio with credentials for a user with the requested role. Login fails. With no role specified, login succeeds.

      Note: Using the principal name for the hawtio.role property does allow the specified user to login.

      Show
      Deploy Red Hat Fuse to JBoss EAP 7.2 (I used 7.2.9). Configure a security-domain for hawtio (I used a legacy LDAP configuration) Enable the hawtio.role system property with a valid role in the security realm. Attempt to log into Hawtio with credentials for a user with the requested role. Login fails. With no role specified, login succeeds. Note: Using the principal name for the hawtio.role property does allow the specified user to login.

    Description

      When enabling the hawtio.role property with a role name in Fuse 7 on JBoss EAP, authorization fails with the same trace logging as in the earlier ENTESB-4766. 

      15:41:21,398 DEBUG [io.hawt.web.auth.SessionExpiryFilter] (default task-3) Accessing [/hawtio/auth/login], hawtio path is [auth/login]
15:41:21,405 DEBUG [io.hawt.system.Authenticator] (default task-3) doAuthenticate[realm=legacy-ldap-domain, role=SuperUser, rolePrincipalClasses=org.jboss.security.SimplePrincipal, configuration=null, username=testadm, password=******]
15:41:21,407 TRACE [org.jboss.security] (default task-3) PBOX00221: Begin getAppConfigurationEntry(legacy-ldap-domain), size: 6
15:41:21,407 TRACE [org.jboss.security] (default task-3) PBOX00224: End getAppConfigurationEntry(legacy-ldap-domain), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=bindDN, value=CN=Directory\ Manager
name=bindCredential, value=****
name=baseCtxDN, value=OU=People,DC=redhat,DC=com
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.provider.url, value=ldap://services.test.redhat.com:389
name=baseFilter, value=(uid={0})
name=rolesCtxDN, value=ou=Groups,dc=redhat,dc=com
name=roleFilter, value=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1}))
name=roleAttributeID, value=cn
name=java.naming.security.authentication, value=simple

15:41:21,412 TRACE [org.jboss.security] (default task-3) PBOX00236: Begin initialize method
15:41:21,412 TRACE [org.jboss.security] (default task-3) PBOX00240: Begin login method
15:41:21,419 DEBUG [org.jboss.security] (default task-3) PBOX00269: Failed to parse roleRecursion as number, using default value 0
15:41:21,420 TRACE [org.jboss.security] (default task-3) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=Directory\ Manager, baseCtxDN=OU=People,DC=redhat,DC=com, roleAttributeID=cn, roleFilter=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1})), rolesCtxDN=ou=Groups,dc=redhat,dc=com, baseFilter=(uid={0}), jboss.security.security_domain=legacy-ldap-domain, java.naming.provider.url=ldap://services.test.redhat.com:389, bindDN=CN=Directory\ Manager, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
15:41:21,444 TRACE [org.jboss.security] (default task-3) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=uid=testadm,OU=People,DC=redhat,DC=com, baseCtxDN=OU=People,DC=redhat,DC=com, roleAttributeID=cn, roleFilter=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1})), rolesCtxDN=ou=Groups,dc=redhat,dc=com, baseFilter=(uid={0}), jboss.security.security_domain=legacy-ldap-domain, java.naming.provider.url=ldap://services.test.redhat.com:389, bindDN=CN=Directory\ Manager, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
15:41:21,450 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Monitor
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Administrator
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role admin
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role viewer
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Operator
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Maintainer
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Deployer
15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Auditor
15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role SuperUser
15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00241: End login method, isValid: true
15:41:21,453 TRACE [org.jboss.security] (default task-3) PBOX00242: Begin commit method, overall result: true
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimplePrincipal toString: testadm
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) role testadm doesn't match SuperUser, continuing
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:Operator,Maintainer,Auditor,viewer,Monitor,Administrator,admin,SuperUser,Deployer)
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:testadm)
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) User testadm does not have the required role SuperUser
15:41:21,456 TRACE [org.jboss.security] (default task-3) PBOX00354: Setting security roles ThreadLocal: null

      Looking at the commit for the previous issue, code was added to parse out role names from the returned "Roles(members:...)" string in io.hawt.system.Authenticator (checkIfSubjectHasRequiredRoleOnJbossEAP(Subject subject, String role) and related methods).

      Looking at the tag for Fuse 7.7 I do not see these changes carried into hawtio-2

      Attachments

        Activity

          People

            rhn-support-tasato Tadayoshi Sato
            rhn-support-dhawkins Duane Hawkins
            Juri Solovjov Juri Solovjov
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: