Bug 1010819

Summary: RTGov authentication does not work internally
Product: [JBoss] JBoss Fuse Service Works 6
Reporter: Jiri Pechanec <jpechane>
Component: Installer, Configuration
Assignee: Douglas Palmer <dpalmer>
Status: CLOSED CURRENTRELEASE
QA Contact: Len DiMaggio <ldimaggi>
Severity: urgent
Priority: unspecified
Version: 6.0.0 GA
CC: atangrin, eric.wittmann, jcoleman, ncross, soa-p-jira
Target Milestone: ER4
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-02-06 15:25:43 UTC
Type: Bug
Attachments: standalone.xml patch (flags: none)

Description Jiri Pechanec 2013-09-23 06:41:48 UTC
After installation it is possible to log in to the RTGov console, but whenever a user tries to add gadgets and use them, the server throws an exception and no data are available.
08:41:11,041 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/gadget-web].[ServiceOverviewProxyServlet]] (http-/127.0.0.1:8080-7) JBWEB000236: Servlet.service() for servlet ServiceOverviewProxyServlet threw exception: java.io.IOException: Server returned HTTP response code: 401 for URL: http://localhost:8080/overlord-rtgov/service/dependency/overview?width=300
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625) [rt.jar:1.7.0_25]
        at org.overlord.gadgets.web.server.servlets.RestProxyServlet.doGet(RestProxyServlet.java:114) [classes:]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.shindig.gadgets.servlet.ETagFilter.doFilter(ETagFilter.java:55) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]

Comment 1 Eric Wittmann 2013-09-24 12:14:36 UTC
Created attachment 802199
standalone.xml patch

The problem is that authentication has been switched over to SAML bearer token authentication (which does not require any credentials to be stored in the gadget server configuration file).  However, the gadget server has not been added as a recognized SAML assertion issuer in the overlord service provider login module configuration in standalone.xml.  This patch should fix the problem.

Comment 2 Thomas Hauser 2013-09-24 12:42:03 UTC
This change will require updates to the sramp cli-scripts used in the installer.

Comment 3 Len DiMaggio 2013-09-24 13:49:54 UTC
In order to unblock testing, please document how QE can correct the script to work around the bug.

Comment 4 Eric Wittmann 2013-09-24 13:53:05 UTC
You could apply the attached patch to standalone.xml after installation of FSW is complete.

Comment 5 Thomas Hauser 2013-09-24 14:04:19 UTC
Within jboss-eap-6.1/cli-scripts/overlord-addSecurityDomains.cli, the final line needs to change from 

/subsystem=security/security-domain=overlord-jaxrs/authentication=classic:add(login-modules=[{code="org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule",flag=sufficient,module-options={allowedIssuers="/s-ramp-ui,/s-ramp-governance,/dtgov-ui"}},{code=UsersRoles,flag=sufficient,module-options={usersProperties="${jboss.server.config.dir}/overlord-idp-users.properties",rolesProperties="${jboss.server.config.dir}/overlord-idp-roles.properties"}}])

to 

/subsystem=security/security-domain=overlord-jaxrs/authentication=classic:add(login-modules=[{code="org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule",flag=sufficient,module-options={allowedIssuers="/s-ramp-ui,/s-ramp-governance,/dtgov-ui,/gadget-web"}},{code=UsersRoles,flag=sufficient,module-options={usersProperties="${jboss.server.config.dir}/overlord-idp-users.properties",rolesProperties="${jboss.server.config.dir}/overlord-idp-roles.properties"}}])
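
An added example, not part of the original comments or of the Overlord code base: a small audit of the allowedIssuers option discussed in Comments 1 and 5, reporting issuers that are missing (their calls are rejected with HTTP 401) and issuers trusted without a known need. The function names and the EXPECTED set are assumptions; the two CLI lines are rebuilt from Comment 5.

```python
import re

# Login module named in the thread; only its allowedIssuers option is audited.
SAML_MODULE = "org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule"

# The two CLI lines from Comment 5, assembled from their shared head and tail.
HEAD = ('/subsystem=security/security-domain=overlord-jaxrs/authentication=classic'
        ':add(login-modules=[{code="%s",flag=sufficient,'
        'module-options={allowedIssuers="%s"}}')
TAIL = (',{code=UsersRoles,flag=sufficient,module-options={'
        'usersProperties="${jboss.server.config.dir}/overlord-idp-users.properties",'
        'rolesProperties="${jboss.server.config.dir}/overlord-idp-roles.properties"}}])')
BEFORE = HEAD % (SAML_MODULE, "/s-ramp-ui,/s-ramp-governance,/dtgov-ui") + TAIL
AFTER = HEAD % (SAML_MODULE, "/s-ramp-ui,/s-ramp-governance,/dtgov-ui,/gadget-web") + TAIL

# Assumption: the web contexts that call the REST services with a SAML bearer token.
EXPECTED = {"/s-ramp-ui", "/s-ramp-governance", "/dtgov-ui", "/gadget-web"}


def parse_allowed_issuers(cli_line):
    """Return the SAML module's allowedIssuers as a list, or None if not configured."""
    start = cli_line.find('code="%s"' % SAML_MODULE)
    if start < 0:
        return None
    # Stay inside this module's entry: its module-options block closes with "}}".
    end = cli_line.find("}}", start)
    entry = cli_line[start:end] if end >= 0 else cli_line[start:]
    match = re.search(r'allowedIssuers="([^"]*)"', entry)
    if match is None:
        return None
    return [item.strip() for item in match.group(1).split(",") if item.strip()]


def audit_issuers(cli_line, expected):
    """Compare configured issuers with the contexts expected to issue assertions."""
    configured = parse_allowed_issuers(cli_line) or []
    return {
        "configured": configured,
        "missing": sorted(set(expected) - set(configured)),     # rejected with 401
        "unexpected": sorted(set(configured) - set(expected)),  # trusted, no known need
    }


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_issuers(line, EXPECTED))
```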

Comment 6 Thomas Hauser 2013-09-24 14:20:16 UTC
Not sure I should be assigned to this bug, by the way

Comment 7 Jiri Pechanec 2013-09-24 15:15:10 UTC
I can confirm the patch fixes the issues.

Comment 8 Nick Cross 2013-09-25 10:46:16 UTC
Fixed by 4c5c41b0a6c0f6c198de2731a86d6e493b405f71

Comment 10 Jiri Pechanec 2013-10-07 05:32:35 UTC
Verified in ER4 04-Oct-2013 04:44