Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0-M5
    • Fix Version/s: 1.1, 1.2
    • Component/s: console
    • Security Level: public (Regular issues)
    • Labels: None
    • Patch Info: Patch Available

      Description

      Currently there are no web app security settings on /console-standard.

      Either security needs to be added to it, or if that proves to be impossible, it needs to be rolled into a single web app with /console


          Activity

          Aaron Mulder added a comment -

          Can't release with no security on core admin console functionality
          Joe Bohn added a comment -

          Is this still a blocking issue now that the redirect always forces the user to /console?
          Is there some way to bypass the redirect and still compromise the system?
          Matt Hogstrom added a comment -

          Aaron, is this a 1.0 item or can it be deferred to 1.1?
          Aaron Mulder added a comment -

          Someone said they would work on a patch for this. If a patch is submitted by tomorrow I'll test it and apply it. Otherwise, we can move this to 1.1.
          Paul McMahan added a comment -

          This attached patch adds security to the console-standard context
          as follows:

          • adds a security constraint to console-standard that requires admin
            role privileges to access any resource. The auth method is set to
            BASIC, but it could have just as well been set to any other
            type since console users aren't expected to reference that
            web-app directly from their browsers (except for the DWR servlet,
            but I'll get to that).
          • adds a servlet to console-framework that forwards requests of
            the form /console/dwr/X to /console-standard/dwr/X. By the
            time this servlet is accessed the authorization has been
            established, so forwarding the request internally into the
            console-standard context propagates the principal
            across the contexts (effectively a poor man's version of single
            sign-on).
          • adds a security constraint to console-framework that requires
            admin privileges to access the new servlet described above
          • updates console-framework/project.xml to build the new servlet
            described above
          • adds a filter to the console-standard web-app that intercepts
            requests made to the existing DWR servlet (forwarded via the new
            servlet mentioned above) and maps the original request
            attributes back into the request. This is done so that the DWR
            servlet can build self-referential URLs (which it does by
            querying the attributes of the request) that are routed back
            through the console-framework webapp and are thus authenticated.
          • updates the tomcat and jetty console plans to enable the
            geronimo-properties-realm on the console-standard context
          • updates the Information portlet to route its AJAX/DWR requests
            through the new servlet in console-framework mentioned above

          This patch was tested on the 1.0 branch and it applies OK to HEAD,
          but I had compile problems in the security-builder module (not
          caused by this patch) and couldn't test it out. I will keep trying
          to build HEAD and test asap.

          --------------------------------------------------------------
          Other approaches to address this issue that were investigated and
          abandoned:

          • enable the single sign-on valve in the web container configuration.
            Works great but is a server-wide setting, which is not desirable.
            There may be some way to scope the valve to a group of contexts,
            but AFAIK this would still require altering the web container's
            configuration to accommodate the admin console, which IMO is not
            desirable.
          • use BASIC authentication instead of FORM authentication. Enables
            authentication to work cross-context since both contexts prompt
            for the geronimo-properties-realm domain, which the browser can
            provide across all contexts. But it forces the console to use the
            browser's popup dialog instead of the nice login page, which
            again is not desirable.
          • merge console-standard and console-framework into a single webapp.
            I didn't even try this since, architecturally, I wanted to remain
            as close to the "standard" pluto configuration as possible, since
            Geronimo may soon upgrade to pluto 1.1 and/or jetspeed 2.0.
          • move the DWR servlet into the console-framework webapp. This approach
            would be easier to implement and require fewer changes (no new
            servlet or filter). But longer term there will be more AJAX
            enabled functions in the console, and creating a classloader
            boundary between the UI code and DWR (or whatever AJAX impl gets
            plugged in) will cause problems.
          • implement a custom realm gbean that allows users that have
            authenticated to one console context to automatically get
            access to the other (unchallenged). Didn't get very far with
            that idea - don't think it's possible since there's no access to
            the HTTP requests, context, etc.
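The forwarding servlet and attribute-restoring filter described in the comment above, reconstructed as an added example with the standard javax.servlet 2.4 API. This is not the project's ContextForwardServlet or ForwardDispatchFilter and not code from the patch; the class names, the `admin` role name, the `/console-standard` context path and the `/dwr/*` mapping are assumptions. The two classes are shown in one listing but belong in separate source files in separate web apps (the servlet in console-framework, the filter in console-standard), and the container must allow cross-context dispatch for `getContext()` to return a non-null result:

```java
// Added example, not the Geronimo project's own code. Demonstrates the
// cross-context forward that carries an authenticated principal from the
// protected /console/dwr/* path into the console-standard context, plus the
// filter that restores the original request URI so DWR's generated URLs
// point back at the protected path. Names below are hypothetical.
package example.console; // hypothetical package

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/*
 * Deployed in console-framework, mapped to /dwr/* and covered by a
 * security-constraint in its web.xml (assumed) of the form:
 *   <security-constraint>
 *     <web-resource-collection><url-pattern>/dwr/*</url-pattern></web-resource-collection>
 *     <auth-constraint><role-name>admin</role-name></auth-constraint>
 *   </security-constraint>
 * The container therefore authenticates the caller before service() runs, and
 * the forward below carries that principal into the target context.
 */
public class CrossContextForwardServlet extends HttpServlet {
    private static final String TARGET_CONTEXT = "/console-standard"; // assumed context path
    private static final String REQUIRED_ROLE = "admin";              // assumed role name

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fail closed: the constraint should already have enforced this, but a
        // mis-edited web.xml must not turn this servlet into an open relay.
        if (req.getUserPrincipal() == null || !req.isUserInRole(REQUIRED_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        ServletContext target = getServletContext().getContext(TARGET_CONTEXT);
        if (target == null) { // cross-context access disabled in the container
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "target context not reachable");
            return;
        }
        // /console/dwr/X -> /console-standard/dwr/X: servlet path "/dwr" plus path info "/X"
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        RequestDispatcher rd = target.getRequestDispatcher(path);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }
}

/*
 * Deployed in console-standard and mapped to the DWR servlet with
 * <dispatcher>FORWARD</dispatcher>. During a forward the container rewrites
 * getRequestURI()/getContextPath()/getServletPath()/getPathInfo() to the
 * target and stores the originals in the javax.servlet.forward.* attributes.
 * DWR builds its callback URLs from those accessors, so restoring the originals
 * makes the generated URLs route back through the protected /console/dwr path
 * instead of addressing /console-standard/dwr directly.
 */
public class ForwardOriginRestoringFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final String origUri = (String) http.getAttribute("javax.servlet.forward.request_uri");
        if (origUri == null) { // not a forward: leave the request untouched
            chain.doFilter(req, resp);
            return;
        }
        final String origCtx = (String) http.getAttribute("javax.servlet.forward.context_path");
        final String origServletPath = (String) http.getAttribute("javax.servlet.forward.servlet_path");
        final String origPathInfo = (String) http.getAttribute("javax.servlet.forward.path_info");
        HttpServletRequest restored = new HttpServletRequestWrapper(http) {
            public String getRequestURI() { return origUri; }
            public String getContextPath() { return origCtx; }
            public String getServletPath() { return origServletPath; }
            public String getPathInfo() { return origPathInfo; }
        };
        chain.doFilter(restored, resp);
    }
}
```

The role check inside the servlet is redundant with the declarative constraint by design: the servlet is the only bridge into the otherwise BASIC-protected console-standard context, so it should refuse to forward if it is ever reached without an authenticated admin principal.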
          Paul McMahan added a comment -

          verified that patch works OK on HEAD
          Donald Woods added a comment -

          Verified patch works on branches/1.0
          Donald Woods added a comment -

          This enhancement adds the final missing security restrictions (of requiring SSL to access the console) that were started by GERONIMO-973.
          Jeff Genender added a comment -

          Sending applications/console-framework/project.xml
          Adding applications/console-framework/src/java
          Adding applications/console-framework/src/java/org
          Adding applications/console-framework/src/java/org/apache
          Adding applications/console-framework/src/java/org/apache/geronimo
          Adding applications/console-framework/src/java/org/apache/geronimo/console
          Adding applications/console-framework/src/java/org/apache/geronimo/console/servlet
          Adding applications/console-framework/src/java/org/apache/geronimo/console/servlet/ContextForwardServlet.java
          Sending applications/console-framework/src/webapp/WEB-INF/web.xml
          Sending applications/console-standard/src/java/org/apache/geronimo/console/databasemanager/wizard/DatabasePoolPortlet.java
          Adding applications/console-standard/src/java/org/apache/geronimo/console/databasemanager/wizard/DownloadInfo.java
          Adding applications/console-standard/src/java/org/apache/geronimo/console/databasemanager/wizard/DownloadMonitor.java
          Sending applications/console-standard/src/java/org/apache/geronimo/console/databasemanager/wizard/DriverDownloader.java
          Adding applications/console-standard/src/java/org/apache/geronimo/console/servlet
          Adding applications/console-standard/src/java/org/apache/geronimo/console/servlet/ForwardDispatchFilter.java
          Sending applications/console-standard/src/webapp/WEB-INF/dwr.xml
          Sending applications/console-standard/src/webapp/WEB-INF/view/dbwizard/selectDownload.jsp
          Sending applications/console-standard/src/webapp/WEB-INF/view/infomanager/svrInfoNormal.jsp
          Sending applications/console-standard/src/webapp/WEB-INF/web.xml
          Sending configs/console-jetty/src/plan/plan.xml
          Sending configs/console-tomcat/src/plan/plan.xml
          Transmitting file data ..............
          Committed revision 389296.
          Aaron Mulder added a comment -

          This has been fixed in 1.2; but I'd like to apply it to 1.1
          Paul McMahan added a comment -

          Tested the patch on the 1.1 branch and it works OK.
          Aaron Mulder added a comment -

          Applied to 1.1

            People

            • Assignee: Aaron Mulder
            • Reporter: Aaron Mulder
            • Votes: 1
            • Watchers: 0