Bug 859968
| Summary: | IPA browser configuration won't work on Firefox >= 15 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> | ||||
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> | ||||
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 6.4 | CC: | mkosek, nsoman, pvoborni, xdong | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | ipa-3.0.0-3.el6 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Cause: Firefox of version 15 or newer does not allow signed JavaScript jars to gain escalated privileges allowing then to for example change browser configuration.
Consequence: Identity Management browser auto-configuration signed .jar will to configure the browser to be able to access Web UI via Kerberos authentication. This affects all Firefox browsers of version 15 or newer.
Fix: Identity Management is now deployed with own Firefox extension capable of configuring the browser for Kerberos authentication.
Result: Firefox users of all supported browser versions can take advantage of browser auto-configuration and authenticate via Kerberos.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-02-21 09:19:55 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 872085 | ||||||
| Attachments: |
|
||||||
|
Description
Dmitri Pal
2012-09-24 14:13:10 UTC
I can run the UI on FF15. So please provide steps to recreate the issue described here. (In reply to comment #2) > I can run the UI on FF15. So please provide steps to recreate the issue > described here. But can you authenticate with your Kerberos ticket? Authentication via user+password is not affected with this issue. In https://<ipa server>/config/browserconfig.html there is the 'configure browser' button. In FF 15 it doesn't do anything (from user perspective). There is an error in web console (Ctrl+Shift+K), but user can't see it. The outcome is that we can't configure automatically FF config options like network.negotiate-auth.trusted-uris and therefore, as Martin wrote, SSO doesn't work (if not configured manually). Fixed upstream. This provides a new Firefox extension for 15+. Older browsers will rely on the signed javascript file. master: 696fce5c8d4e480c6a731686c8952a4e7ace575f 247a3a43b7fb9eac9af9497e61cdc9c964bee4ff 206b6ca04b0e06b3bebf34d985f5310489fd7aac b4e19509c034942a4f6bc99c371774a0944b65eb 4e72bc7fc8e8cc677d67919cde70eb1df47f1d81 ipa-3-0: 1212e867986aca1f030433f9f40908361629198c e13a88a2e59a6cdee806fdc4a619a22bba9c3f35 2ba1fb5f87875a8793aad35224cb24d3b89f9883 8b9d0e1160683f0a759c5818f0aab8c2c18bf802 f9bafb2958c3ea1e60856f21a28776026de2b305 Created attachment 689183 [details]
browser configuation page works
verified in firefox ESR 10.0.10,which corresponds with Firefox 16.0.2
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |