[ https://issues.apache.org/jira/browse/BROOKLYN-417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767128#comment-15767128 ]
Aled Sage commented on BROOKLYN-417:
------------------------------------
We discussed this on the dev@brooklyn mailing list (subject "[DISCUSS][VOTE]
Release Apache Brooklyn 0.10.0 [rc3]").
The conclusion is that we will default to no authentication, if no
configuration is supplied. This will apply to both local and remote connections
(i.e. we treat everything the same).
We will make this change for classic (i.e. non-karaf), as this is the focus for
the 0.10.0 release. For 0.11.0 and onwards, we will further discuss how we want
this to behave (including in karaf).
> In default install, web-console/REST from localhost needs username:password
> ---------------------------------------------------------------------------
>
> Key: BROOKLYN-417
> URL: https://issues.apache.org/jira/browse/BROOKLYN-417
> Project: Brooklyn
> Issue Type: Bug
> Reporter: Aled Sage
>
> Previously in a default install (in 0.9.0), on localhost one could connect to
> the web-console and REST api without any password (i.e. if no
> username:password had been set up).
> Now with 0.10.0-SNAPSHOT, it requires that a username:password be supplied
> when connecting from localhost - but any values will do!
> This was spotted by Alex during the 0.10.0 rc3 release vote on dev@brooklyn
> mailing list.
> To reproduce, start Brooklyn:
> {noformat}
> ./bin/brooklyn launch --noGlobalBrooklynProperties
> {noformat}
> Run the curl commands below, which will give the output shown:
> {noformat}
> $ curl -v http://localhost:8081/ 2>&1 | grep "< HTTP"
> < HTTP/1.1 401 Unauthorized
> $ curl -u anyuser:passwordignored -v http://localhost:8081/ 2>&1 | grep "< HTTP"
> < HTTP/1.1 200 OK
> {noformat}
> Looking at the stacktrace when the second curl command is made:
> {noformat}
> "brooklyn-jetty-server-8083-qtp412153403-31" prio=5 tid=0x00007fb9313f9800 nid=0x6e03 at breakpoint[0x0000700001ff1000]
> java.lang.Thread.State: RUNNABLE
> at org.apache.brooklyn.rest.security.provider.BrooklynUserWithRandomPasswordSecurityProvider.authenticate(BrooklynUserWithRandomPasswordSecurityProvider.java:48)
> at org.apache.brooklyn.rest.security.jaas.BrooklynLoginModule.login(BrooklynLoginModule.java:270)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
> at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)
> at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
> at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:92)
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.eclipse.jetty.server.Server.handle(Server.java:499)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> However, in the first curl command (with no credentials)...
> In {{org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest()}},
> the credentials are null (obtained by calling
> {{request.getHeader(HttpHeader.AUTHORIZATION.asString())}}).
> This means it skips the call to {{login()}}, and just returns
> {{SC_UNAUTHORIZED}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
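A small posture check, added here as an example and not part of the issue or of the Brooklyn code base, that runs the two probes from the reproduction above against a console and classifies the result; the three outcome labels and the helper names are the example's own, and the Basic-auth header is built the same way curl -u does.

```python
"""Check a Brooklyn web-console/REST endpoint for the BROOKLYN-417 auth state."""
import base64
import urllib.error
import urllib.request


def http_status(url, credentials=None):
    """GET url and return the HTTP status; credentials is 'user:pass' or None."""
    req = urllib.request.Request(url)
    if credentials is not None:
        token = base64.b64encode(credentials.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 arrives as an HTTPError, not a response


def classify(no_creds_status, bogus_creds_status):
    """Map the two probe results onto an authentication posture (labels are constructed).

    enforced                 - 401 both times: credentials required, bogus ones rejected
    open                     - 200 both times: no authentication at all (the agreed
                               0.10.0 default when no configuration is supplied)
    any-credentials-accepted - 401 then 200: the state the issue describes; the missing
                               Authorization header is rejected before the security
                               provider runs, but the provider accepts whatever is sent
    """
    if no_creds_status == 401 and bogus_creds_status == 401:
        return "enforced"
    if no_creds_status == 200 and bogus_creds_status == 200:
        return "open"
    if no_creds_status == 401 and bogus_creds_status == 200:
        return "any-credentials-accepted"
    return "unexpected"


def check_console(base_url, fetch=http_status):
    """Probe once with no credentials and once with the made-up pair from the issue.

    fetch is injectable so the classification can be exercised offline.
    """
    return classify(fetch(base_url), fetch(base_url, "anyuser:passwordignored"))


if __name__ == "__main__":
    # Constructed usage: the port matches the issue's reproduction commands.
    print(check_console("http://localhost:8081/"))
```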