0
votes

Trying to add authentication to hawtio using JAAS by following the configuration docs

Started by using jetty's demo-base test-jaas war to configure a basic JAAS/jetty login and was able to authenticate/authorize.

Tried to incorporate the same concept into hawtio by reading the docs, but I'm convinced that it doesn't even seem to reach out to LDAP, since when I tried this with the demo war I would get logs like "found user? true".

I've decided to just ignore authorization for now and just try to authenticate with ldap. If anyone has any suggestions on what I can try to do to debug this further, I would appreciate it.

Here's my realm config:

hawtio {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   useLdaps="false"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="10.10.10.10"
   port="389"
   bindDn="[email protected]"
   bindPassword="asdf"
   authenticationMethod="simple"
   forceBindingLogin="false"
   userBaseDn="cn=Users,dc=test,dc=com"
   userRdnAttribute="cn"
   userIdAttribute="sAMAccountName"
   userPasswordAttribute="userPassword"
   userObjectClass="user"
   roleBaseDn="cn=Schema Admins,cn=Users,dc=test,dc=com"
   roleNameAttribute="name"
   roleMemberAttribute="member"
   roleObjectClass="group";
};

Some of the web.xml for hawtio regarding JAAS/authentication/roles:

  <env-entry>
    <description>Enable/disable hawtio's authentication filter, value is really a boolean</description>
    <env-entry-name>hawtio/authenticationEnabled</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>true</env-entry-value>
  </env-entry>

  <env-entry>
    <description>Authorized user role, empty string disables authorization</description>
    <env-entry-name>hawtio/role</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>*</env-entry-value>
  </env-entry>

  <env-entry>
    <description>JAAS classname that would contain the role principal, empty string disables authorization</description>
    <env-entry-name>hawtio/rolePrincipalClasses</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value></env-entry-value>
  </env-entry>

  <env-entry>
    <description>JAAS realm used to authenticate users</description>
    <env-entry-name>hawtio/realm</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>hawtio</env-entry-value>
  </env-entry>

And some of the logs I'm looking at:

DEBUG | qtp580024961-17 | doAuthenticate[realm=hawtio, role=*, rolePrincipalClasses=, configuration=null, username=dummy, password=******]
DEBUG | qtp580024961-17 | Unknown callback class [org.eclipse.jetty.jaas.callback.ObjectCallback]
WARN  | qtp580024961-17 | Login failed due to: Login Failure: all modules ignored
DEBUG | qtp580024961-17 | Failed stacktrace:
javax.security.auth.login.LoginException: Login Failure: all modules ignored
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:131)
        at io.hawt.system.Authenticator.authenticate(Authenticator.java:92)
        at io.hawt.web.AuthenticationFilter.doFilter(AuthenticationFilter.java:168)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.XXSSProtectionFilter.doFilter(XXSSProtectionFilter.java:28)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:28)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.CORSFilter.doFilter(CORSFilter.java:42)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.CacheHeadersFilter.doFilter(CacheHeadersFilter.java:37)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.SessionExpiryFilter.process(SessionExpiryFilter.java:126)
        at io.hawt.web.SessionExpiryFilter.doFilter(SessionExpiryFilter.java:69)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.RedirectFilter.process(RedirectFilter.java:86)
        at io.hawt.web.RedirectFilter.doFilter(RedirectFilter.java:72)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:583)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1125)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1059)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:497)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:248)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:610)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:539)
        at java.lang.Thread.run(Unknown Source)
1
hawtio.war is just another servlet war. If you haven't configured the LDAP login module correctly it won't successfully authenticate. I'd suggest you try with a simpler war and make sure your LDAP login module config works. There are SO questions that may be useful for your issue: stackoverflow.com/questions/12873237/… - Tadayoshi Sato
That's kind of the part that confuses me. I used the demo-base/test-jaas war to configure the LDAP login module and it works great. I'm not exactly sure how to trace Unknown callback class [org.eclipse.jetty.jaas.callback.ObjectCallback] but from what I understand this is responsible for even trying to send authentication over. - jc43
What about changing to forceBindingLogin="true" as suggested in the link? Doesn't it work for you? - Tadayoshi Sato
Nope, didn't do anything. I decided to do some packet sniffing with Wireshark, and so far I've confirmed that the LDAP bind DN and password are going through and getting acknowledged, then it does an unbind request. Whereas in the "working" example there would be 3 LDAP requests: a bind DN login, a user query, then a role query. Not sure how that helps. - jc43
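The log line "Unknown callback class [org.eclipse.jetty.jaas.callback.ObjectCallback]" followed by "all modules ignored" points at the hand-off between the web app's CallbackHandler and the login module, not at the LDAP settings themselves: a handler that skips a callback type leaves the module with no credential, and the module then reports nothing more useful than "ignored". A way to separate the two failure modes is to drive the same login.conf realm from a stand-alone JAAS client whose handler answers every callback type seen in this thread. The program below is an added example, not code from the question, from hawtio or from Jetty. The realm name "hawtio" and the user "dummy" are taken from the page; the class names JaasRealmCheck and RealmCallbackHandler are mine; the handler matches Jetty's ObjectCallback by the class name printed in the log and relies on that class having a setObject(Object) method, which is set reflectively so the file compiles without jetty-jaas (the jetty-jaas and jetty-util jars must still be on the runtime classpath for the login module itself, and the LDAP host in login.conf must be reachable).

```java
import java.io.Console;
import java.lang.reflect.Method;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Stand-alone JAAS realm check (hypothetical helper, not part of hawtio or Jetty).
 *
 * Run with the same login.conf the web app uses, for example:
 *   java -Djava.security.auth.login.config=login.conf \
 *        -cp .:jetty-jaas.jar:jetty-util.jar JaasRealmCheck hawtio dummy
 * The password is prompted on the console so it never appears in the process list.
 */
public class JaasRealmCheck {

    /** Answers NameCallback, PasswordCallback and Jetty's ObjectCallback; rejects anything else. */
    static final class RealmCallbackHandler implements CallbackHandler {
        // Class name copied from the log line in the question; matched by name, not by import.
        private static final String JETTY_OBJECT_CALLBACK = "org.eclipse.jetty.jaas.callback.ObjectCallback";
        private final String user;
        private final char[] password;

        RealmCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (JETTY_OBJECT_CALLBACK.equals(cb.getClass().getName())) {
                    // Jetty's LdapLoginModule asks for the credential through its own ObjectCallback.
                    // Assumption: the class exposes setObject(Object); invoked reflectively so this
                    // file compiles without jetty-jaas on the compile classpath.
                    try {
                        Method setObject = cb.getClass().getMethod("setObject", Object.class);
                        setObject.invoke(cb, new String(password));
                    } catch (ReflectiveOperationException e) {
                        throw new UnsupportedCallbackException(cb, "cannot populate ObjectCallback: " + e);
                    }
                } else {
                    // Silently skipping a callback leaves the module with a null credential, which
                    // surfaces later as the opaque "all modules ignored". Fail here and name the type.
                    throw new UnsupportedCallbackException(cb,
                            "unsupported callback type " + cb.getClass().getName());
                }
            }
        }
    }

    /** Runs login() against the named realm and reports the principals or the failure chain. */
    static boolean checkRealm(String realm, String user, char[] password) {
        Subject subject = new Subject();
        try {
            LoginContext lc = new LoginContext(realm, subject, new RealmCallbackHandler(user, password));
            lc.login();
            System.out.println("login OK for " + user + "; principals: " + subject.getPrincipals());
            lc.logout();
            return true;
        } catch (LoginException e) {
            System.out.println("login FAILED for " + user + ": " + e.getMessage());
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
            return false;
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: JaasRealmCheck <realm> <user>   (password is prompted)");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("no console available; run from an interactive terminal");
            System.exit(2);
        }
        char[] password = console.readPassword("Password for %s: ", args[1]);
        boolean ok = checkRealm(args[0], args[1], password);
        Arrays.fill(password, '\0'); // scrub the credential once it has been used
        System.exit(ok ? 0 : 1);
    }
}
```

If this harness logs in while hawtio does not, the LDAP side of the realm is fine and the difference lies in which callbacks the web app's handler answers; if it fails here too, the output of `-Djava.security.debug=logincontext` together with the module's own `debug="true"` shows which stage (bind, user search, role search) stops, which lines up with the three LDAP requests observed in the working capture.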

1 Answer

1
votes

This is more of a workaround solution, but I finally got hawtio configured by using a different LdapLoginModule.

There must be some sort of configuration issue with the org.eclipse.jetty.jaas.spi.LdapLoginModule class.