Red Hat Fuse / ENTESB-4766

Authorization not working for Hawtio on EAP


Details

    • 6.3 Sprint 1 (4-Jan->29-Jan)
      • Add system property to standalone.xml:
        <property name="hawtio.role" value="manager"/>
        
      • Configure hawtio-domain to use UserRoles, Ldap or similar LoginModule
      • Start EAP, try to log in to the hawtio console with a user which has the same role as configured earlier
      • Log in will fail - related DEBUG logging:
        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000288: Properties file defaultRoles.properties loaded, users: [userA]
        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000240: Begin login method
        15:13:07,897 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000241: End login method, isValid: true
        15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000242: Begin commit method, overall result: true
        15:13:07,898 TRACE [org.jboss.security] (http-/127.0.0.1:8080-5) PBOX000285: Adding role manager to group Roles
        
        ... logging above shows that user 'userA' belongs to group 'manager' ...
        
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Looking for rolePrincipalClass: org.jboss.security.SimplePrincipal
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimplePrincipal toString: userA
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) role userA doesn't match manager, continuing
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: Roles(members:manager)
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) Checking principal, classname: org.jboss.security.SimpleGroup toString: CallerPrincipal(members:userA)
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) principal class org.jboss.security.SimpleGroup doesn't match org.jboss.security.SimplePrincipal, continuing
        
        ... role could not be found...:
        
        15:13:07,898 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-5) User userA does not have the required role manager
        

      Remove 'hawtio.role' property


    Description

      Restricting access to the hawtio console on EAP fails to properly compare the user roles with the one defined by the 'hawtio.role' property.

      Related to: https://github.com/hawtio/hawtio/issues/1983
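
      The DEBUG lines in the reproduction steps show the role check comparing only top-level principals whose class is exactly SimplePrincipal, while the role name sits inside the Roles group. The sketch below is an added illustration, not hawtio's or the reporter's code: SimplePrincipal and SimpleGroup are simplified stand-ins for the org.jboss.security types, and flatMatch and rolesGroupMatch are hypothetical names.

```java
import java.security.Principal;
import java.util.*;

public class RoleMatchDemo {
    // Simplified stand-ins for org.jboss.security.SimplePrincipal / SimpleGroup (constructed for this example).
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static class SimpleGroup implements Principal {
        private final String name;
        final List<Principal> members;
        SimpleGroup(String name, Principal... members) {
            this.name = name;
            this.members = new ArrayList<>(Arrays.asList(members));
        }
        public String getName() { return name; }
    }

    // Flat check, modelled on the logged behaviour: groups are skipped on class mismatch,
    // so a role stored as a member of "Roles" is never compared.
    static boolean flatMatch(Set<Principal> principals, Class<?> roleClass, String role) {
        for (Principal p : principals) {
            if (p.getClass() == roleClass && p.getName().equals(role)) return true;
        }
        return false;
    }

    // Group-aware check: only members of the group named "Roles" count as roles;
    // the user-name principal and the CallerPrincipal group are not compared.
    static boolean rolesGroupMatch(Set<Principal> principals, Class<?> roleClass, String role) {
        for (Principal p : principals) {
            if (!(p instanceof SimpleGroup) || !"Roles".equals(p.getName())) continue;
            for (Principal m : ((SimpleGroup) p).members) {
                if (m.getClass() == roleClass && m.getName().equals(role)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Subject as it appears in the log: userA, Roles(members:manager), CallerPrincipal(members:userA)
        Set<Principal> subject = new LinkedHashSet<>();
        subject.add(new SimplePrincipal("userA"));
        subject.add(new SimpleGroup("Roles", new SimplePrincipal("manager")));
        subject.add(new SimpleGroup("CallerPrincipal", new SimplePrincipal("userA")));
        System.out.println("flat check:        " + flatMatch(subject, SimplePrincipal.class, "manager"));
        System.out.println("roles-group check: " + rolesGroupMatch(subject, SimplePrincipal.class, "manager"));
    }
}
```

      With the subject from the log, the flat check denies userA even though the login module added the manager role, and the roles-group check grants access.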

          People

            ggrzybek Grzegorz Grzybek
            rhn-support-mputz Martin Weiler
            Viliam Kasala Viliam Kasala
