Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Description
Previously, in a default install (0.9.0) where no username:password had been set up, one could connect to the web console and REST API from localhost without any password.
Now, with 0.10.0-SNAPSHOT, a username:password must be supplied when connecting from localhost, but any values at all are accepted.
This was spotted by Alex during the 0.10.0 rc3 release vote on dev@brooklyn mailing list.
To reproduce, start Brooklyn:
./bin/brooklyn launch --noGlobalBrooklynProperties
Run the curl commands below, which will give the output shown:
$ curl -v http://localhost:8081/ 2>&1 | grep "< HTTP"
< HTTP/1.1 401 Unauthorized
$ curl -u anyuser:passwordignored -v http://localhost:8081/ 2>&1 | grep "< HTTP"
< HTTP/1.1 200 OK
Stack trace (taken at a breakpoint) while the second curl command is being handled:
"brooklyn-jetty-server-8083-qtp412153403-31" prio=5 tid=0x00007fb9313f9800 nid=0x6e03 at breakpoint[0x0000700001ff1000]
   java.lang.Thread.State: RUNNABLE
        at org.apache.brooklyn.rest.security.provider.BrooklynUserWithRandomPasswordSecurityProvider.authenticate(BrooklynUserWithRandomPasswordSecurityProvider.java:48)
        at org.apache.brooklyn.rest.security.jaas.BrooklynLoginModule.login(BrooklynLoginModule.java:270)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
        at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)
        at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
        at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:92)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:499)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
However, for the first curl command (no credentials) the login module is never reached.
In org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(), the credentials (obtained via request.getHeader(HttpHeader.AUTHORIZATION.asString())) are null, so it skips the call to login() altogether and just returns SC_UNAUTHORIZED.
In other words, the 401 seen without credentials is Jetty declining to call login() at all; it says nothing about whether BrooklynUserWithRandomPasswordSecurityProvider.authenticate() would actually reject a wrong password.
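The following probe, added here as an example and not part of Brooklyn or of this issue, turns the two curl commands above into a check you can point at any Basic-auth endpoint. It distinguishes "open" (0.9.0 default: no auth at all), "accepts-any-credentials" (the 0.10.0-SNAPSHOT behaviour, where a 401 without a header masks a login() that accepts anything), and "enforced". The three mock servers it spins up are constructed stand-ins that emulate those policies so the script runs offline; the "admin"/"s3cret" pair, the ephemeral 127.0.0.1 ports and the http://localhost:8081/ default are assumptions, not values from the page.

```python
"""Probe an HTTP Basic-auth endpoint for the "any credentials accepted" failure mode.

Added example, not Brooklyn code. The mock servers emulate the three behaviours
discussed in the issue; classify() is what you would run against a real instance.
"""
import base64
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential pair for the "strict" mock; not a real Brooklyn account.
VALID = ("admin", "s3cret")


def _make_handler(mode):
    """Build a handler emulating one auth policy: 'open', 'any' or 'strict' (constructed mock)."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            auth = self.headers.get("Authorization")
            if mode == "open":          # 0.9.0 default: nothing is checked
                ok = True
            elif auth is None:          # like Jetty BasicAuthenticator: no header -> no login(), 401
                ok = False
            elif mode == "any":         # the bug: login() runs but accepts any user:password
                ok = True
            else:                       # 'strict': login() really compares the pair
                user_pass = base64.b64decode(auth.split(" ", 1)[1]).decode()
                ok = tuple(user_pass.split(":", 1)) == VALID
            if ok:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"ok")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="test"')
                self.end_headers()

    return Handler


def start_mock(mode):
    """Start a throwaway server on an ephemeral 127.0.0.1 port; returns (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _make_handler(mode))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % srv.server_address[1], srv


def status(url, creds=None):
    """GET url, optionally with Basic credentials; return the HTTP status code."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(("%s:%s" % creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify(base_url="http://localhost:8081/"):
    """Return 'open', 'accepts-any-credentials' or 'enforced' for base_url.

    A freshly generated random user:password pair must never be accepted. If it
    is, the 401 seen without a header is not protection; it is only the server
    refusing to call login() when the Authorization header is absent.
    """
    if status(base_url) == 200:
        return "open"
    junk = (secrets.token_hex(8), secrets.token_hex(16))  # never a configured account
    if status(base_url, junk) == 200:
        return "accepts-any-credentials"
    return "enforced"


def classify_mock(mode):
    """Run classify() against a mock with the given policy and tear it down."""
    url, srv = start_mock(mode)
    try:
        return classify(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for mode in ("open", "any", "strict"):
        print(mode, "->", classify_mock(mode))
```

Against a real instance call classify() with the base URL of the web console or REST API; the test with random credentials is the one that matters, since a 401 on the bare request is exactly what the buggy build returns too.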