- Type: Bug
- Resolution: Done
- Priority: Critical
- Fix Version: fuse-7.x-GA
- build3
When enabling the hawtio.role property with a role name in Fuse 7 on JBoss EAP, authorization fails with the same trace logging as in the earlier ENTESB-4766.
15:41:21,398 DEBUG [io.hawt.web.auth.SessionExpiryFilter] (default task-3) Accessing [/hawtio/auth/login], hawtio path is [auth/login]
15:41:21,405 DEBUG [io.hawt.system.Authenticator] (default task-3) doAuthenticate[realm=legacy-ldap-domain, role=SuperUser, rolePrincipalClasses=org.jboss.security.SimplePrincipal, configuration=null, username=testadm, password=******]
15:41:21,407 TRACE [org.jboss.security] (default task-3) PBOX00221: Begin getAppConfigurationEntry(legacy-ldap-domain), size: 6
15:41:21,407 TRACE [org.jboss.security] (default task-3) PBOX00224: End getAppConfigurationEntry(legacy-ldap-domain), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
        name=bindDN, value=CN=Directory\ Manager
        name=bindCredential, value=****
        name=baseCtxDN, value=OU=People,DC=redhat,DC=com
        name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
        name=java.naming.provider.url, value=ldap://services.test.redhat.com:389
        name=baseFilter, value=(uid={0})
        name=rolesCtxDN, value=ou=Groups,dc=redhat,dc=com
        name=roleFilter, value=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1}))
        name=roleAttributeID, value=cn
        name=java.naming.security.authentication, value=simple
15:41:21,412 TRACE [org.jboss.security] (default task-3) PBOX00236: Begin initialize method
15:41:21,412 TRACE [org.jboss.security] (default task-3) PBOX00240: Begin login method
15:41:21,419 DEBUG [org.jboss.security] (default task-3) PBOX00269: Failed to parse roleRecursion as number, using default value 0
15:41:21,420 TRACE [org.jboss.security] (default task-3) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=Directory\ Manager, baseCtxDN=OU=People,DC=redhat,DC=com, roleAttributeID=cn, roleFilter=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1})), rolesCtxDN=ou=Groups,dc=redhat,dc=com, baseFilter=(uid={0}), jboss.security.security_domain=legacy-ldap-domain, java.naming.provider.url=ldap://services.test.redhat.com:389, bindDN=CN=Directory\ Manager, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
15:41:21,444 TRACE [org.jboss.security] (default task-3) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=uid=testadm,OU=People,DC=redhat,DC=com, baseCtxDN=OU=People,DC=redhat,DC=com, roleAttributeID=cn, roleFilter=(&(objectClass=GroupOfUniqueNames)(UniqueMember={1})), rolesCtxDN=ou=Groups,dc=redhat,dc=com, baseFilter=(uid={0}), jboss.security.security_domain=legacy-ldap-domain, java.naming.provider.url=ldap://services.test.redhat.com:389, bindDN=CN=Directory\ Manager, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
15:41:21,450 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Monitor
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Administrator
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role admin
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role viewer
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Operator
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Maintainer
15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Deployer
15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role Auditor
15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role SuperUser
15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00241: End login method, isValid: true
15:41:21,453 TRACE [org.jboss.security] (default task-3) PBOX00242: Begin commit method, overall result: true
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimplePrincipal toString: testadm
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) role testadm doesn't match SuperUser, continuing
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:Operator,Maintainer,Auditor,viewer,Monitor,Administrator,admin,SuperUser,Deployer)
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:testadm)
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) User testadm does not have the required role SuperUser
15:41:21,456 TRACE [org.jboss.security] (default task-3) PBOX00354: Setting security roles ThreadLocal: null
In the commit for the previous issue, code was added to parse out role names from the returned "Roles(members:...)" string in io.hawt.system.Authenticator (checkIfSubjectHasRequiredRoleOnJbossEAP(Subject subject, String role) and related methods).
Looking at the tag for Fuse 7.7, I do not see these changes carried into hawtio-2.
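The trace above shows why the check fails: hawtio only compares principals whose class is in rolePrincipalClasses (org.jboss.security.SimplePrincipal), but on EAP the LDAP-derived roles live in a SimpleGroup that prints as "Roles(members:...)", so that group is skipped and SuperUser is never seen. The following is an added Python model of that logic, not hawtio's Java code; the Principal class, the function names and the log-audit helper are assumptions made for the illustration, and the principals and log lines are constructed from the trace in this issue. It shows the class-name-only check beside one that also reads the Roles group members (the approach the earlier fix took), plus a small audit that flags a trace in which the login module assigned the role that the Authenticator then denied.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Model of a JAAS principal: its class name and what toString() printed."""
    class_name: str
    text: str


# Constructed from the three principals the Authenticator examined in the trace above.
SUBJECT_PRINCIPALS = [
    Principal("org.jboss.security.SimplePrincipal", "testadm"),
    Principal("org.jboss.security.SimpleGroup",
              "Roles(members:Operator,Maintainer,Auditor,viewer,Monitor,"
              "Administrator,admin,SuperUser,Deployer)"),
    Principal("org.jboss.security.SimpleGroup", "CallerPrincipal(members:testadm)"),
]

# Mirrors rolePrincipalClasses=org.jboss.security.SimplePrincipal from the doAuthenticate line.
ROLE_PRINCIPAL_CLASSES = ("org.jboss.security.SimplePrincipal",)


def has_role_by_principal_class(principals, role, role_classes=ROLE_PRINCIPAL_CLASSES):
    """The check as the trace shows it: only principals of a configured class count,
    and the principal's name must equal the required role. Groups are skipped."""
    return any(p.class_name in role_classes and p.text == role for p in principals)


_ROLES_GROUP = re.compile(r"^Roles\(members:(?P<members>[^)]*)\)$")


def roles_from_group_text(text):
    """Extract role names from a SimpleGroup that prints as Roles(members:a,b,c)."""
    m = _ROLES_GROUP.match(text)
    if m is None:
        return set()
    return {name.strip() for name in m.group("members").split(",") if name.strip()}


def has_role_on_jboss_eap(principals, role, role_classes=ROLE_PRINCIPAL_CLASSES):
    """Hypothetical EAP-aware check: accept a matching role principal as before, and
    otherwise look inside the Roles group, where EAP places LDAP-derived roles."""
    if has_role_by_principal_class(principals, role, role_classes):
        return True
    return any(p.class_name == "org.jboss.security.SimpleGroup"
               and role in roles_from_group_text(p.text)
               for p in principals)


# Audit helper over TRACE/DEBUG output: did the login module assign the very role
# that the Authenticator later reported as missing?
_ASSIGNED = re.compile(r"PBOX00268: Assigning user to role (\S+)")
_DENIED = re.compile(r"User (\S+) does not have the required role (\S+)")


def audit_trace(lines):
    """Return (assigned_roles, denied_user_and_role, contradiction)."""
    assigned, denied = set(), None
    for line in lines:
        m = _ASSIGNED.search(line)
        if m:
            assigned.add(m.group(1))
        m = _DENIED.search(line)
        if m:
            denied = (m.group(1), m.group(2))
    contradiction = denied is not None and denied[1] in assigned
    return assigned, denied, contradiction


# Constructed excerpt of the trace in this issue (timestamps and thread names kept).
SAMPLE_TRACE = [
    "15:41:21,451 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role admin",
    "15:41:21,452 TRACE [org.jboss.security] (default task-3) PBOX00268: Assigning user to role SuperUser",
    "15:41:21,455 DEBUG [io.hawt.system.Authenticator] (default task-3) User testadm does not have the required role SuperUser",
]


if __name__ == "__main__":
    print("class-name-only check:", has_role_by_principal_class(SUBJECT_PRINCIPALS, "SuperUser"))
    print("EAP-aware check:      ", has_role_on_jboss_eap(SUBJECT_PRINCIPALS, "SuperUser"))
    print("trace audit:          ", audit_trace(SAMPLE_TRACE))
```

The audit is the operational half: a TRACE/DEBUG capture in which a PBOX00268 line assigns the exact role that a later "does not have the required role" line denies is the signature of this class-mismatch bug, and is what to look for before assuming the LDAP group mapping itself is wrong.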