Brooklyn / BROOKLYN-417

In default install, web-console/REST from localhost needs username:password


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 0.10.0

    Description

      Previously, in a default install (in 0.9.0), on localhost one could connect to the web-console and REST API without any password (i.e. if no username:password had been set up).

      Now with 0.10.0-SNAPSHOT, it requires that a username:password be supplied when connecting from localhost - but any values will do!

      This was spotted by Alex during the 0.10.0 rc3 release vote on dev@brooklyn mailing list.

      To reproduce, start Brooklyn:

      ./bin/brooklyn launch --noGlobalBrooklynProperties
      

      Run the curl commands below, which will give the output shown:

      $ curl -v http://localhost:8081/ 2>&1 | grep "< HTTP"
      < HTTP/1.1 401 Unauthorized
      
      $ curl -u anyuser:passwordignored -v http://localhost:8081/ 2>&1 | grep "< HTTP"
      < HTTP/1.1 200 OK
      

      Looking at the stacktrace when the second curl command is made:

      "brooklyn-jetty-server-8083-qtp412153403-31" prio=5 tid=0x00007fb9313f9800 nid=0x6e03 at breakpoint[0x0000700001ff1000]
         java.lang.Thread.State: RUNNABLE
              at org.apache.brooklyn.rest.security.provider.BrooklynUserWithRandomPasswordSecurityProvider.authenticate(BrooklynUserWithRandomPasswordSecurityProvider.java:48)
              at org.apache.brooklyn.rest.security.jaas.BrooklynLoginModule.login(BrooklynLoginModule.java:270)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
              at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)
              at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
              at org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(BasicAuthenticator.java:92)
              at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:512)
              at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
              at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
              at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
              at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
              at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
              at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
              at org.eclipse.jetty.server.Server.handle(Server.java:499)
              at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
              at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
              at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
              at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
              at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
              at java.lang.Thread.run(Thread.java:745)
      

      However, in the first curl command (with no credentials)...

      In org.eclipse.jetty.security.authentication.BasicAuthenticator.validateRequest(), the credentials are null (obtained by calling request.getHeader(HttpHeader.AUTHORIZATION.asString())).

      This means it skips the call to login(), and just returns SC_UNAUTHORIZED.
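The two-request check from the description, and the decision path it traces (no Authorization header short-circuits to 401 before login() is ever called; a header present goes to the security provider, whose verdict decides), as an added worked example in Python. This is not Brooklyn or Jetty code: the authenticator and the two providers below are simplified stand-ins modelled on the behaviour the report describes, the default user name `brooklyn` and the random-password provider are assumptions for illustration (not the project's actual fix), and `probe_http` is an optional live check against a URL you supply.

```python
"""
Model of the Basic-auth decision path described in BROOKLYN-417, plus the
two-request probe that exposes "any credentials accepted".
Added example, not Brooklyn or Jetty code; names are stand-ins.
"""
import base64
import hmac
import secrets
from typing import Callable, Optional, Tuple

UNAUTHORIZED = 401
OK = 200


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header, or None if absent/malformed."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def basic_authenticator(authorization: Optional[str],
                        authenticate: Callable[[str, str], bool]) -> int:
    """Mirror the flow in the report: no header -> 401 without calling login();
    header present -> credentials are handed to the provider."""
    creds = parse_basic_header(authorization)
    if creds is None:
        return UNAUTHORIZED  # login() is skipped entirely on this path
    user, password = creds
    return OK if authenticate(user, password) else UNAUTHORIZED


def accept_anything(user: str, password: str) -> bool:
    """Provider with the reported behaviour: every username:password pair passes."""
    return True


class RandomPasswordProvider:
    """Stand-in for a provider that mints one random password at startup and
    accepts only that (hypothetical hardened variant, not the project's patch)."""

    def __init__(self, user: str = "brooklyn", password: Optional[str] = None):
        self.user = user  # assumed default user name
        self.password = password or secrets.token_urlsafe(24)

    def authenticate(self, user: str, password: str) -> bool:
        # constant-time comparison on bytes so non-ASCII input cannot raise
        return (hmac.compare_digest(user.encode(), self.user.encode())
                and hmac.compare_digest(password.encode(), self.password.encode()))


def basic(user: str, password: str) -> str:
    """Build the header value curl -u would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def accepts_arbitrary_credentials(status_without: int, status_with_bogus: int) -> bool:
    """The signature from the report: 401 anonymously, 200 with made-up credentials."""
    return status_without == UNAUTHORIZED and status_with_bogus == OK


def probe(authenticate: Callable[[str, str], bool]) -> bool:
    """Run the two requests from the report against a provider, offline."""
    anon = basic_authenticator(None, authenticate)
    bogus = basic_authenticator(basic("anyuser", "passwordignored"), authenticate)
    return accepts_arbitrary_credentials(anon, bogus)


def probe_http(base_url: str, timeout: float = 5.0) -> bool:
    """Same two requests against a live server, e.g. http://localhost:8081/ (network)."""
    import urllib.error
    import urllib.request

    def status(headers: dict) -> int:
        req = urllib.request.Request(base_url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as e:
            return e.code

    return accepts_arbitrary_credentials(
        status({}), status({"Authorization": basic("anyuser", "passwordignored")}))


if __name__ == "__main__":
    print("reported behaviour flagged:", probe(accept_anything))
    print("random-password provider flagged:", probe(RandomPasswordProvider().authenticate))
```

Run it as-is to see the offline model flag the accept-anything provider and clear the random-password one; call `probe_http("http://localhost:8081/")` to apply the same check to a running instance. Note that the 401-then-200 pattern alone only shows credentials are not being validated; the no-credentials 401 is produced before the provider runs, so it says nothing about the provider itself.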

People

  Assignee: Unassigned
  Reporter: Aled Sage (aled.sage)