Red Hat Fuse: ENTESB-14749

Regression: [ENTESB-4766] Authorization not working for Hawtio on EAP


    • Type: Bug
    • Priority: Critical
    • Resolution: Done
    • fuse-7.8-GA
    • fuse-7.x-GA
    • Hawtio
    • build3

      Deploy Red Hat Fuse to JBoss EAP 7.2 (I used 7.2.9). Configure a security-domain for hawtio (I used a legacy LDAP configuration).

      Enable the hawtio.role system property with a valid role in the security realm. Attempt to log into Hawtio with credentials for a user with the requested role. Login fails. With no role specified, login succeeds.

      Note: Using the principal name for the hawtio.role property does allow the specified user to login.


      When enabling the hawtio.role property with a role name in Fuse 7 on JBoss EAP, authorization fails with the same trace logging as in the earlier ENTESB-4766.

      15:41:21,398 DEBUG [io.hawt.web.auth.SessionExpiryFilter] (default task-3) Accessing [/hawtio/auth/login], hawtio path is [auth/login]
      15:41:21,405 DEBUG [io.hawt.system.Authenticator] (default task-3) doAuthenticate[realm=legacy-ldap-domain, role=SuperUser, rolePrincipalClasses=org.jboss.security.SimplePrincipal, configuration=null, username=testadm, password=******]
      15:41:21,407 TRACE [org.jboss.security] (default task-3) PBOX00221: Begin getAppConfigurationEntry(legacy-ldap-domain), size: 6
      15:41:21,407 TRACE [org.jboss.security] (default task-3) PBOX00224: End getAppConfigurationEntry(legacy-ldap-domain), AuthInfo: AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=bindDN, value=CN=Directory\ Manager
      name=bindCredential, value=****
      name=baseCtxDN, value=OU=People,DC=redhat,DC=com
      name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
      name=java.naming.provider.url, value=ldap://services.test.redhat.com:389
      name=baseFilter, value=(uid={0})
      name=rolesCtxDN, value=ou=Groups,dc=redhat,dc=com
      name=roleFilter, value=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1}))
      name=roleAttributeID, value=cn
      name=java.naming.security.authentication, value=simple
      
      15:41:21,412 TRACE [org.jboss.security] (default task-3) PBOX00236: Begin initialize method
      15:41:21,412 TRACE [org.jboss.security] (default task-3) PBOX00240: Begin login method
      15:41:21,419 DEBUG [org.jboss.security] (default task-3) PBOX00269: Failed to parse roleRecursion as number, using default value 0
      15:41:21,420 TRACE [org.jboss.security] (default task-3) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=Directory\ Manager, baseCtxDN=OU=People,DC=redhat,DC=com, roleAttributeID=cn, roleFilter=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1})), rolesCtxDN=ou=Groups,dc=redhat,dc=com, baseFilter=(uid={0}), jboss.security.security_domain=legacy-ldap-domain, java.naming.provider.url=ldap://services.test.redhat.com:389, bindDN=CN=Directory\ Manager, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
      15:41:21,444 TRACE [org.jboss.security] (default task-3) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=uid=testadm,OU=People,DC=redhat,DC=com, baseCtxDN=OU=People,DC=redhat,DC=com, roleAttributeID=cn, roleFilter=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1})), rolesCtxDN=ou=Groups,dc=redhat,dc=com, baseFilter=(uid={0}), jboss.security.security_domain=legacy-ldap-domain, java.naming.provider.url=ldap://services.test.redhat.com:389, bindDN=CN=Directory\ Manager, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
      15:41:21,450 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Monitor
      15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Administrator
      15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role admin
      15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role viewer
      15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Operator
      15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Maintainer
      15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Deployer
      15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Auditor
      15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role SuperUser
      15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00241: End login method, isValid: true
      15:41:21,453 TRACE [org.jboss.security] (default task-3) PBOX00242: Begin commit method, overall result: true
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimplePrincipal toString: testadm
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) role testadm doesn't match SuperUser, continuing
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:Operator,Maintainer,Auditor,viewer,Monitor,Administrator,admin,SuperUser,Deployer)
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:testadm)
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
      15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) User testadm does not have the required role SuperUser
      15:41:21,456 TRACE [org.jboss.security] (default task-3) PBOX00354: Setting security roles ThreadLocal: null
      

      Looking at the commit for the previous issue, code was added to parse out role names from the returned "Roles(members:...)" string in io.hawt.system.Authenticator (checkIfSubjectHasRequiredRoleOnJbossEAP(Subject subject, String role) and related methods).

      Looking at the tag for Fuse 7.7, I do not see these changes carried into hawtio-2.
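      The regression comes down to a mismatch between how the PicketBox LDAP login module populates the JAAS Subject (user name as a SimplePrincipal, roles as members of a SimpleGroup named "Roles", plus a "CallerPrincipal" group) and what the Authenticator compares against (only principals of the configured rolePrincipalClasses, by name). The following is an added example, not hawtio's or Red Hat's code: it rebuilds the Subject from the DEBUG lines above using stand-in principal classes (assumed to mimic org.jboss.security.SimplePrincipal and SimpleGroup only in their names and toString() format) and runs both the per-principal-class check the log shows failing and a "Roles(members:...)" parsing check of the kind the ENTESB-4766 commit is described as adding. All method and class names below are mine.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Added example, not hawtio's code. Rebuilds the Subject seen in the DEBUG
 * lines of the issue with stand-in principal classes and runs two role checks
 * on it: the per-principal-class comparison the log shows failing, and a check
 * that parses the "Roles(members:...)" group string.
 */
public class HawtioRoleCheckExample {

    /** Stand-in for org.jboss.security.SimplePrincipal (assumption): toString() is just the name. */
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /**
     * Stand-in for org.jboss.security.SimpleGroup (assumption). Its toString()
     * is written to produce exactly the "Roles(members:a,b,c)" form visible in
     * the log.
     */
    static final class SimpleGroup implements Principal {
        private final String name;
        private final List<String> members;
        SimpleGroup(String name, String... members) {
            this.name = name;
            this.members = Arrays.asList(members);
        }
        @Override public String getName() { return name; }
        @Override public String toString() {
            return name + "(members:" + String.join(",", members) + ")";
        }
    }

    /**
     * The check the DEBUG lines show: only principals whose class is listed in
     * rolePrincipalClasses are considered, and the principal name must equal
     * the role. With rolePrincipalClasses = {SimplePrincipal} this compares the
     * user name "testadm" against the role and never looks inside the "Roles"
     * group, which is why a real role fails while the user name itself passes.
     */
    static boolean hasRoleByPrincipalClass(Subject subject, String role, Set<Class<?>> rolePrincipalClasses) {
        for (Principal p : subject.getPrincipals()) {
            if (!rolePrincipalClasses.contains(p.getClass())) {
                continue; // "principal class ... doesn't match ..., continuing"
            }
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts role names from a principal rendered as "Roles(members:a,b,c)".
     * Returns an empty list for anything else, including the
     * "CallerPrincipal(members:testadm)" group, which carries the user name and
     * must not be treated as a role grant.
     */
    static List<String> rolesFromGroupString(String principalString) {
        final String prefix = "Roles(members:";
        if (!principalString.startsWith(prefix) || !principalString.endsWith(")")) {
            return Collections.emptyList();
        }
        String body = principalString.substring(prefix.length(), principalString.length() - 1);
        List<String> roles = new ArrayList<>();
        for (String r : body.split(",")) {
            String t = r.trim();
            if (!t.isEmpty()) {
                roles.add(t);
            }
        }
        return roles;
    }

    /** EAP-style check: the required role must be a member of the "Roles" group. */
    static boolean hasRoleOnJbossEap(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (rolesFromGroupString(p.toString()).contains(role)) {
                return true;
            }
        }
        return false;
    }

    /** Subject populated the way the log shows the LDAP login module populating it (constructed from the log). */
    static Subject subjectFromLog() {
        Subject s = new Subject();
        s.getPrincipals().add(new SimplePrincipal("testadm"));
        s.getPrincipals().add(new SimpleGroup("Roles", "Operator", "Maintainer", "Auditor", "viewer",
                "Monitor", "Administrator", "admin", "SuperUser", "Deployer"));
        s.getPrincipals().add(new SimpleGroup("CallerPrincipal", "testadm"));
        return s;
    }

    public static void main(String[] args) {
        Subject subject = subjectFromLog();
        Set<Class<?>> simplePrincipalOnly = Collections.<Class<?>>singleton(SimplePrincipal.class);

        // Case from the log: hawtio.role=SuperUser, checked by principal class only
        System.out.println("SuperUser via principal class: " + hasRoleByPrincipalClass(subject, "SuperUser", simplePrincipalOnly));
        // Case from the description's note: hawtio.role set to the user's principal name
        System.out.println("testadm via principal class:   " + hasRoleByPrincipalClass(subject, "testadm", simplePrincipalOnly));
        // Group-aware check for the real role
        System.out.println("SuperUser via Roles group:     " + hasRoleOnJbossEap(subject, "SuperUser"));
        // Group-aware check must not accept the user name as a role
        System.out.println("testadm via Roles group:       " + hasRoleOnJbossEap(subject, "testadm"));
    }
}
```

      Run with `javac HawtioRoleCheckExample.java && java HawtioRoleCheckExample`. The first call reproduces the "does not have the required role SuperUser" outcome in the log, the second reproduces the note in the description that the principal name passes the check, the third finds SuperUser among the Roles members, and the fourth shows that the group-aware check does not treat the user name as a role. Matching on the rendered string rather than on the group's member API keeps the check free of a compile-time dependency on the jboss classes, which is presumably why the original fix parsed the string; the cost is that it is tied to SimpleGroup's toString() format.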

              rhn-support-tasato Tadayoshi Sato
              rhn-support-dhawkins Duane Hawkins
              Juri Solovjov