Bug 1010819 - RTGov authentication does not work internally
Status: CLOSED CURRENTRELEASE
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer, Configuration
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER4
Target Release: 6.0.0
Assigned To: Douglas Palmer
QA Contact: Len DiMaggio
Reported: 2013-09-23 02:41 EDT by Jiri Pechanec
Modified: 2014-02-06 10:25 EST
Doc Type: Bug Fix
Last Closed: 2014-02-06 10:25:43 EST
Type: Bug

Attachments:
standalone.xml patch (871 bytes, patch)
2013-09-24 08:14 EDT, Eric Wittmann

Description Jiri Pechanec 2013-09-23 02:41:48 EDT
After installation it is possible to log in to the RTGov console, but whenever a user tries to add gadgets and use them, the server throws an exception and no data are available.
08:41:11,041 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/gadget-web].[ServiceOverviewProxyServlet]] (http-/127.0.0.1:8080-7) JBWEB000236: Servlet.service() for servlet ServiceOverviewProxyServlet threw exception: java.io.IOException: Server returned HTTP response code: 401 for URL: http://localhost:8080/overlord-rtgov/service/dependency/overview?width=300
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1625) [rt.jar:1.7.0_25]
        at org.overlord.gadgets.web.server.servlets.RestProxyServlet.doGet(RestProxyServlet.java:114) [classes:]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.shindig.gadgets.servlet.ETagFilter.doFilter(ETagFilter.java:55) [shindig-gadgets-3.0.0-beta4.jar:3.0.0-beta4]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
        at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
Comment 1 Eric Wittmann 2013-09-24 08:14:36 EDT
Created attachment 802199 [details]
standalone.xml patch

The problem is that authentication has been switched over to SAML bearer token authentication (which does not require any credentials to be stored in the gadget server configuration file).  However, the gadget server has not been added as a recognized SAML assertion issuer in the overlord service provider login module configuration in standalone.xml.  This patch should fix the problem.
Comment 2 Thomas Hauser 2013-09-24 08:42:03 EDT
This change will require updates to the sramp cli-scripts used in the installer.
Comment 3 Len DiMaggio 2013-09-24 09:49:54 EDT
In order to unblock testing - please document how QE can correct the script to work around the bug.
Comment 4 Eric Wittmann 2013-09-24 09:53:05 EDT
You could apply the attached patch to standalone.xml after installation of FSW is complete.
Comment 5 Thomas Hauser 2013-09-24 10:04:19 EDT
Within jboss-eap-6.1/cli-scripts/overlord-addSecurityDomains.cli, the final line needs to change from

/subsystem=security/security-domain=overlord-jaxrs/authentication=classic:add(login-modules=[{code="org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule",flag=sufficient,module-options={allowedIssuers="/s-ramp-ui,/s-ramp-governance,/dtgov-ui"}},{code=UsersRoles,flag=sufficient,module-options={usersProperties="${jboss.server.config.dir}/overlord-idp-users.properties",rolesProperties="${jboss.server.config.dir}/overlord-idp-roles.properties"}}])

to

/subsystem=security/security-domain=overlord-jaxrs/authentication=classic:add(login-modules=[{code="org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule",flag=sufficient,module-options={allowedIssuers="/s-ramp-ui,/s-ramp-governance,/dtgov-ui,/gadget-web"}},{code=UsersRoles,flag=sufficient,module-options={usersProperties="${jboss.server.config.dir}/overlord-idp-users.properties",rolesProperties="${jboss.server.config.dir}/overlord-idp-roles.properties"}}])
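
Added example (not part of the comment above and not Overlord project code): a post-install check that reads standalone.xml and reports which calling web contexts are absent from allowedIssuers in the overlord-jaxrs domain, the condition behind the 401 in this bug. The XML fragment is constructed, its namespace versions are assumed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_MODULE = "org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule"
# Web contexts named on this page that call the overlord-jaxrs REST services.
EXPECTED_CALLERS = ["/s-ramp-ui", "/s-ramp-governance", "/dtgov-ui", "/gadget-web"]

# Constructed sample of the pre-fix domain; namespace versions are assumed.
SAMPLE_STANDALONE = """\
<server xmlns="urn:jboss:domain:1.4"><profile>
  <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
    <security-domain name="overlord-jaxrs" cache-type="default">
      <authentication>
        <login-module code="org.overlord.commons.auth.jboss7.SAMLBearerTokenLoginModule" flag="sufficient">
          <module-option name="allowedIssuers" value="/s-ramp-ui,/s-ramp-governance,/dtgov-ui"/>
        </login-module>
        <login-module code="UsersRoles" flag="sufficient"/>
      </authentication>
    </security-domain>
  </security-domains></subsystem>
</profile></server>
"""

def _local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def allowed_issuers(xml_text, domain="overlord-jaxrs"):
    """Issuers accepted by the domain's SAML bearer module; None if not found."""
    for dom in ET.fromstring(xml_text).iter():
        if _local(dom.tag) != "security-domain" or dom.get("name") != domain:
            continue
        for mod in dom.iter():
            if _local(mod.tag) != "login-module" or mod.get("code") != SAML_MODULE:
                continue
            for opt in mod:
                if _local(opt.tag) == "module-option" and opt.get("name") == "allowedIssuers":
                    return {i.strip() for i in opt.get("value", "").split(",") if i.strip()}
            return set()  # module present but no allowedIssuers option
    return None

def missing_issuers(xml_text, callers=EXPECTED_CALLERS):
    """Callers whose SAML assertions the domain would not recognize."""
    issuers = allowed_issuers(xml_text)
    return sorted(callers) if issuers is None else sorted(set(callers) - issuers)

if __name__ == "__main__":
    print("missing issuers:", missing_issuers(SAMPLE_STANDALONE))
```

To check a real installation, pass the contents of its standalone.xml to missing_issuers(); an empty list means every listed context is a recognized issuer.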
Comment 6 Thomas Hauser 2013-09-24 10:20:16 EDT
Not sure I should be assigned to this bug, by the way
Comment 7 Jiri Pechanec 2013-09-24 11:15:10 EDT
I can confirm the patch fixes the issues.
Comment 8 Nick Cross 2013-09-25 06:46:16 EDT
Fixed by 4c5c41b0a6c0f6c198de2731a86d6e493b405f71
Comment 10 Jiri Pechanec 2013-10-07 01:32:35 EDT
Verified in ER4 04-Oct-2013 04:44
