  1. Red Hat Fuse
  2. ENTESB-5566

Multiple roles defined in hawtio.roles property not working in EAP


Details

    • Bug
    • Resolution: Done
    • Major
    • jboss-fuse-6.3
    • jboss-fuse-6.2.1
    • Hawtio
    • None

      1. Change standalone.xml to use application realm and to define the hawtio.role:

      <property name="hawtio.realm" value="ApplicationRealm" />
      <property name="hawtio.role" value="admin" />
      

      2. Add a user with admin role:

      $ ./bin/add-user.sh -a -u hawtio -p password1! -g admin
      

      3. Start the server and try to log in at http://localhost:8080/hawtio -> this should work

      4. Now change the hawtio roles definition to

      <property name="hawtio.roles" value="admin,viewer" />
      

      Login will fail now.

    • Sprint 5 - towards ER2

    Description

      While trying to define the roles allowed to access the hawtio console as documented in http://hawt.io/configuration/index.html, it was found that a single role works, whereas a setup with multiple roles, separated by commas, does not work:

      OK: <property name="hawtio.role" value="admin" />
      FAIL: <property name="hawtio.roles" value="admin,viewer" />

      DEBUG level logging shows that the role value is not split:

      14:40:41,593 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-1) Checking principal Roles(members:admin,hawt,weiler) if it is a Jboss specific SimpleGroup containing group info
      14:40:41,593 DEBUG [io.hawt.system.Authenticator] (http-/127.0.0.1:8080-1) Matching Jboss EAP group name admin to required role admin,viewer
      

      While the roles are split in the general checkIfSubjectHasRequiredRole method:
      https://github.com/hawtio/hawtio/blob/master/hawtio-system/src/main/java/io/hawt/system/Authenticator.java#L175
      https://github.com/hawtio/hawtio/blob/master/hawtio-system/src/main/java/io/hawt/system/Authenticator.java#L294
      the same split logic is missing in the WebSphere/EAP specific methods:
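
The difference between the two comparisons described in this report, as an added example that is not part of the original issue and is not hawtio's code. The class and method names (RoleMatchDemo, matchesUnsplit, parseRoles, matchesSplit) are hypothetical; the group members and the role value come from the DEBUG log lines above, and the other inputs are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Illustrative sketch only; class and method names are hypothetical, not hawtio's.
public class RoleMatchDemo {

    // Behaviour visible in the DEBUG log: the whole property value is
    // compared as if it were a single role name.
    static boolean matchesUnsplit(List<String> groups, String configured) {
        return groups.contains(configured);
    }

    // Split on commas, trim whitespace and drop empty tokens, so that a value
    // such as "admin, viewer," never yields "" or " viewer" as a role name.
    static Set<String> parseRoles(String configured) {
        if (configured == null) {
            return Set.of();
        }
        return Arrays.stream(configured.split(","))
                .map(String::trim)
                .filter(r -> !r.isEmpty())
                .collect(Collectors.toSet());
    }

    // Access is granted when any group of the principal is one of the parsed roles.
    static boolean matchesSplit(List<String> groups, String configured) {
        Set<String> required = parseRoles(configured);
        return groups.stream().anyMatch(required::contains);
    }

    public static void main(String[] args) {
        // Group members and role value taken from the log lines in the report.
        List<String> groups = List.of("admin", "hawt", "weiler");
        String configured = "admin,viewer";

        System.out.println("unsplit:  " + matchesUnsplit(groups, configured));
        System.out.println("split:    " + matchesSplit(groups, configured));
        // Constructed inputs: spacing and a trailing comma, then a user with no listed role.
        System.out.println("spaced:   " + matchesSplit(groups, " viewer , admin ,"));
        System.out.println("no role:  " + matchesSplit(List.of("guest"), configured));
    }
}
```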


            People

              kearls@redhat.com Kevin Earls (Inactive)
              rhn-support-mputz Martin Weiler (Inactive)
              Martin Stepanek Martin Stepanek