[
https://issues.apache.org/jira/browse/BROOKLYN-417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767365#comment-15767365
]
ASF GitHub Bot commented on BROOKLYN-417:
-----------------------------------------
Github user aledsage commented on the issue:
https://github.com/apache/brooklyn-server/pull/499
Thanks @sjcorbett, I can confirm they both pass for me. Merging now, and
will cherry-pick into the 0.10.0 branch.
> In default install, web-console/REST from localhost needs username:password
> ---------------------------------------------------------------------------
>
> Key: BROOKLYN-417
> URL: https://issues.apache.org/jira/browse/BROOKLYN-417
> Project: Brooklyn
> Issue Type: Bug
> Reporter: Aled Sage
>
> Previously in a default install (in 0.9.0), on localhost one could connect to
> the web-console and REST api without any password (i.e. if no
> username:password had been set up).
> Now with 0.10.0-SNAPSHOT, it requires that a username:password be supplied
> when connecting from localhost - but any values will do!
> This was spotted by Alex during the 0.10.0 rc3 release vote on dev@brooklyn
> mailing list.
> To reproduce, start Brooklyn:
> {noformat}
> ./bin/brooklyn launch --noGlobalBrooklynProperties
> {noformat}
> Run the curl commands below, which will give the output shown:
> {noformat}
> $ curl -v http://localhost:8081/ 2>&1 | grep "< HTTP"
> < HTTP/1.1 401 Unauthorized
> $ curl -u anyuser:passwordignored -v http://localhost:8081/ 2>&1 | grep "< HTTP"
> < HTTP/1.1 200 OK
> {noformat}
> Looking at the stacktrace when the second curl command is made:
> {noformat}
> "brooklyn-jetty-server-8083-qtp412153403-31" prio=5 tid=0x00007fb9313f9800 nid=0x6e03 at breakpoint[0x0000700001ff1000]
> java.lang.Thread.State: RUNNABLE
> at org.apache.brooklyn.rest.security.provider.BrooklynUserWithRandomPasswordSecurityProvider.authenticate(BrooklynUserWithRandomPasswordSecurityProvider.java:48)
> at org.apache.brooklyn.rest.security.jaas.BrooklynLoginModule.login(BrooklynLoginModule.java:270)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
> at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)
> at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
> at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:92)
> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.eclipse.jetty.server.Server.handle(Server.java:499)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> However, in the first curl command (with no credentials)...
> In {{org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest()}},
> the credentials are null (obtained by calling
> {{request.getHeader(HttpHeader.AUTHORIZATION.asString())}}).
> This means it skips the call to {{login()}}, and just returns
> {{SC_UNAUTHORIZED}}.
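A regression check for the behaviour reported above, as an added example that is not part of the issue or of Brooklyn's code: it compares a request with no credentials against one with throwaway random credentials and classifies the pair of status codes. The stub server, its `admin`/`constructed-pw` account and the verdict names are constructed for the demonstration.

```python
import base64, http.server, secrets, threading, urllib.error, urllib.request
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
# Keys are (status without credentials, status with random credentials).
VERDICTS = {(401, 200): "credentials-not-verified",  # the pattern reported in the issue
            (200, 200): "no-auth-required", (401, 401): "credentials-verified"}

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def status(url, creds=None):
    """HTTP status of GET url, optionally sending (user, password) as Basic auth."""
    headers = {"Authorization": basic(*creds)} if creds else {}
    try:
        with OPENER.open(urllib.request.Request(url, headers=headers), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_basic_auth(url):
    """Classify an endpoint from two probes: no credentials, then random ones."""
    anon = status(url)
    junk = status(url, (secrets.token_hex(8), secrets.token_hex(8)))
    return VERDICTS.get((anon, junk), f"unexpected:{anon}/{junk}")

def start_stub(verify):
    """Constructed stand-in server, not Brooklyn. verify=False accepts any credentials."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            header = self.headers.get("Authorization")
            # No header: 401 straight away, like the skipped login() described in the issue.
            ok = header is not None and (not verify or header == basic("admin", "constructed-pw"))
            self.send_response(200 if ok else 401)
            if not ok:
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            self.end_headers()
        def log_message(self, *args): pass  # silence per-request logging
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():  # verdicts for the accepts-anything stub, then the verifying stub
    out = []
    for verify in (False, True):
        with start_stub(verify) as server:
            out.append(check_basic_auth(f"http://127.0.0.1:{server.server_port}/"))
            server.shutdown()
    return out

if __name__ == "__main__":
    print(demo())
```

Pointing `check_basic_auth` at a test instance's URL in CI turns the two curl commands from the issue into an assertion that fails if arbitrary credentials are ever accepted again.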