Aled Sage created BROOKLYN-417:
----------------------------------

             Summary: In default install, web-console/REST from localhost needs username:password
                 Key: BROOKLYN-417
                 URL: https://issues.apache.org/jira/browse/BROOKLYN-417
             Project: Brooklyn
          Issue Type: Bug
            Reporter: Aled Sage


Previously in a default install (in 0.9.0), on localhost one could connect to 
the web-console and REST api without any password (i.e. if no username:password 
had been set up).

Now with 0.10.0-SNAPSHOT, it requires that a username:password be supplied when 
connecting from localhost - but any values will do!

This was spotted by Alex during the 0.10.0 rc3 release vote on dev@brooklyn 
mailing list.

To reproduce, start Brooklyn:
{noformat}
./bin/brooklyn launch --noGlobalBrooklynProperties
{noformat}

Run the curl commands below, which will give the output shown:
{noformat}
$ curl -v http://localhost:8081/ 2>&1 | grep "< HTTP"
< HTTP/1.1 401 Unauthorized

$ curl -u anyuser:passwordignored -v http://localhost:8081/ 2>&1 | grep "< HTTP"
< HTTP/1.1 200 OK
{noformat}

Looking at the stacktrace when the second curl command is made:

{noformat}
"brooklyn-jetty-server-8083-qtp412153403-31" prio=5 tid=0x00007fb9313f9800 nid=0x6e03 at breakpoint[0x0000700001ff1000]
   java.lang.Thread.State: RUNNABLE
        at org.apache.brooklyn.rest.security.provider.BrooklynUserWithRandomPasswordSecurityProvider.authenticate(BrooklynUserWithRandomPasswordSecurityProvider.java:48)
        at org.apache.brooklyn.rest.security.jaas.BrooklynLoginModule.login(BrooklynLoginModule.java:270)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
        at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)
        at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
        at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:92)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
{noformat}

However, in the first curl command (with no credentials)...

In {{org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest()}}, the credentials are null (obtained by calling {{request.getHeader(HttpHeader.AUTHORIZATION.asString())}}).

This means it skips the call to {{login()}}, and just returns {{SC_UNAUTHORIZED}}.
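The two layers in the trace above, modelled in Python as an added illustration (this is not Brooklyn or Jetty code, and the class and function names are hypothetical): validate_request() plays the part of BasicAuthenticator.validateRequest(), returning 401 without ever calling the provider when the Authorization header is absent, and the provider behind it decides the outcome once a header is present. AnyPasswordProvider reproduces the reported "any values will do" behaviour; RandomPasswordProvider is an assumed counterpart that checks the submitted credentials against its generated ones, and accepts_arbitrary_credentials() is the regression check that tells the two apart.

```python
import base64
import secrets


class AnyPasswordProvider:
    """Models the reported 0.10.0-SNAPSHOT behaviour: every user:password passes."""

    def authenticate(self, user: str, password: str) -> bool:
        return True


class RandomPasswordProvider:
    """Hypothetical provider that accepts only its own generated credentials."""

    def __init__(self, user: str = "brooklyn") -> None:
        self.user = user
        self.password = secrets.token_urlsafe(16)

    def authenticate(self, user: str, password: str) -> bool:
        # Compare both parts in constant time; bytes avoid str/ASCII restrictions
        user_ok = secrets.compare_digest(user.encode(), self.user.encode())
        pass_ok = secrets.compare_digest(password.encode(), self.password.encode())
        return user_ok and pass_ok


def validate_request(provider, headers: dict) -> int:
    """Return the HTTP status a request gets, mirroring BasicAuthenticator."""
    auth = headers.get("Authorization")
    if auth is None:
        # No header: login() is never reached, the answer is 401 (first curl)
        return 401
    scheme, _, encoded = auth.partition(" ")
    if scheme.lower() != "basic":
        return 401
    try:
        user, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401
    # Header present: the decision is entirely the provider's (second curl)
    return 200 if provider.authenticate(user, password) else 401


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def accepts_arbitrary_credentials(provider) -> bool:
    """Regression check: True if freshly made-up credentials are accepted."""
    probe = basic_header(secrets.token_hex(4), secrets.token_hex(8))
    return validate_request(provider, probe) == 200
```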




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)