Hawkular Metrics / HWKMETRICS-346

Fix bogus Hawkular Component security rules

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 0.12.0
    • Fix Version/s: 0.12.1
    • Component/s: None
    • Labels: None

      Description

      The Hawkular component has bogus security rules.

      Because we need to allow display of the root welcome page, the / url-pattern was set as an unsecured url-pattern. But this implies that requests without credentials are not rejected by the container; they are dispatched to application code instead.

      If we remove this mapping, the container rejects requests with invalid credentials as expected (401). But requests without credentials are redirected to the Keycloak login page (302), and we can no longer display the status page.

      Security rules should be the following:

      • the status page at / and the status endpoint /status can be queried freely
      • requests without credentials should be rejected (401)
      • requests with invalid credentials should be rejected (401)
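      The following web.xml fragment is an added illustration of the two rule sets contrasted above; it is not Hawkular's own configuration and not the change made for this issue. It assumes a Java EE container with the Keycloak adapter as the login mechanism, a welcome file named index.html, and a protected role named "user"; all three names are assumptions.

```xml
<!-- Added example, not Hawkular's own web.xml. Assumed names: index.html, role "user". -->

<!-- BEFORE (the bogus rule set). Security constraints are matched with the same
     rules as servlet mappings, where a bare "/" is the default mapping: a request
     that matches no more specific constraint falls into this unsecured collection
     and reaches application code with no credentials at all. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>root-unsecured</web-resource-name>
    <url-pattern>/</url-pattern>
  </web-resource-collection>
  <!-- no auth-constraint: unauthenticated access allowed -->
</security-constraint>

<!-- AFTER. Only the welcome file and the status endpoint are listed as public,
     with exact patterns instead of the default mapping. Everything else matches
     the "/*" prefix and requires an authenticated user holding the "user" role,
     so the container itself rejects bad credentials. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public</web-resource-name>
    <url-pattern>/index.html</url-pattern>  <!-- assumed welcome file -->
    <url-pattern>/status</url-pattern>
  </web-resource-collection>
  <!-- no auth-constraint: these two resources can be queried freely -->
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>api</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>  <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>hawkular</realm-name>  <!-- assumed realm name -->
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<welcome-file-list>
  <welcome-file>index.html</welcome-file>
</welcome-file-list>
```

      With the constraints alone, a request lacking credentials on a protected path still triggers the adapter's interactive login flow (the 302 described above), because the default adapter mode assumes a browser user. For a REST API that is only ever called with bearer tokens, the Keycloak adapter's `bearer-only` option in keycloak.json switches that behaviour to a plain 401, which is what the third rule asks for; whether that option was part of the actual fix is not stated in this issue, so treat it as one possible approach. A quick check after deploying is to request `/status` with no Authorization header (expect 200), a protected path with no header (expect 401, not 302) and the same path with a garbage bearer token (expect 401).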

People

    • Assignee: Thomas Segismont (tsegismont)
    • Reporter: Thomas Segismont (tsegismont)
    • Votes: 0
    • Watchers: 1
