0
votes

I am trying to log in to the Hazelcast Management Center 3.12.8, without success so far. I get this message: "Access denied!".

Here is what I did :

  1. I downloaded Hazelcast Management Center application from the Hazelcast website (zip version)
  2. I extracted the application
  3. I ran : java -jar hazelcast-mancenter-3.12.8.war 8083 mancenter
  4. I opened the application URL : http://localhost:8083/mancenter
  5. A first page asks to enter a new username and a password : user = admin , password = sq5rUQG4
  6. The following page finally asks for the credentials defined right before

This is perfectly reproducible. Any idea how to resolve this?

2
I tried the exact steps you wrote, with the same username and password... and it works like a charm. Just one additional piece of information: you need to set the security provider to "Default". Could you please check the logs, as well as the content of the ~/hazelcast-mc/security.properties file? – Nicolas

2 Answers

0
votes

In Chrome dev mode (F12) when I submit the login form, I can see an error :

{ "servlet":"dispatcher", "message":"Could not verify the provided CSRF token because your session was not found.", "url":"/mancenter/login", "status":"403" }

There is something weird with Chrome, I think. I tried Chrome incognito mode and Firefox normal mode and the issue is resolved in these cases: I can access the Hazelcast Management Center!

Maybe I should delete all Chrome cookies? Anyway, I found a temporary solution.

0
votes

I was able to reproduce the problem you had in my local environment. We have the CSRF token generated on the server side. When you open the Management Center login page and restart the Management Center process, the CSRF token you had on the page is no longer valid for Management Center. As you have found out yourself, you need to refresh the page in this case, so that a new, valid CSRF token is generated on the page.

I will create an issue in our internal issue tracker for this. We will show a clear message about what's wrong in this case. Or, better yet, if we can, we will implement an auto recovery mechanism which refreshes the page for you when this happens and re-sends the login request with a new CSRF token.
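The failure and the recovery described in the answer above, as an added example (a toy Python model, not Hazelcast's code or part of the original post): the server keeps the session-to-CSRF-token mapping in memory, so a restart orphans any login page that is already open. The class, function names, account and the messages other than the quoted 403 text are constructed for illustration.

```python
import secrets

class ManCenterModel:
    """Toy server: accounts persist, sessions and CSRF tokens live in memory only."""

    def __init__(self, accounts):
        self.accounts = accounts   # survives restart (constructed sample data)
        self.sessions = {}         # session id -> CSRF token, lost on restart

    def get_login_page(self):
        """Issue a session cookie plus the CSRF token embedded in the login form."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def restart(self):
        """A process restart discards every in-memory session."""
        self.sessions.clear()

    def post_login(self, sid, token, user, password):
        expected = self.sessions.get(sid)
        if expected is None:
            # The message seen in the browser dev tools in the question.
            return 403, ("Could not verify the provided CSRF token "
                         "because your session was not found.")
        if not secrets.compare_digest(expected, token):
            return 403, "Invalid CSRF token."   # constructed message
        stored = self.accounts.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            return 401, "Bad credentials."      # constructed message
        return 200, "OK"

def login_with_recovery(server, page, user, password):
    """Submit the form; if the session is gone, reload the page once and retry.

    Only the "session not found" case is retried. A token that does not match
    a live session is never retried, so the CSRF check itself is not weakened.
    """
    sid, token = page
    status, msg = server.post_login(sid, token, user, password)
    if status == 403 and "session was not found" in msg:
        sid, token = server.get_login_page()    # same effect as refreshing the page
        status, msg = server.post_login(sid, token, user, password)
    return status, msg

if __name__ == "__main__":
    srv = ManCenterModel({"admin": "example-password"})
    stale_page = srv.get_login_page()   # login page opened in the browser
    srv.restart()                       # Management Center process restarted
    print(srv.post_login(*stale_page, "admin", "example-password"))
    print(login_with_recovery(srv, stale_page, "admin", "example-password"))
```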