Red Hat Bugzilla – Bug 1011058
[Admin Portal] Relogin with username/password via login screen after being automatically logged off causes HTTP auth dialog
Last modified: 2014-06-12 10:11:48 EDT
Created attachment 801684
engine.log, ssl_access_log, ssl_request_log
Description of problem:
Relogin with username/password (admin@internal) via the usual RHEVM login screen after being automatically logged off causes an HTTP authentication dialog to appear.
Closing this HTTP authentication dialog with 'Cancel' opens a valid Administration Portal UI for me again. I did not need to type anything in the HTTP auth dialog, just 'Cancel'; I was logged in via the normal RHEVM login page anyway.
The appearance of HTTP auth dialog is odd and confusing.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. log in to Admin Portal
2. let the app automatically log you off
3. type credentials again
Actual results:
HTTP auth dialog blocking loading of Admin portal UI
Expected results:
no such HTTP auth dialog should appear
Additional info:
I was relogging in around 16:21 IIRC
Created attachment 801685
OK, I've tried to reproduce this bug in the following scenarios (3 times each):
A1. Log into WebAdmin
A2. Wait long enough so that Engine user session will be invalidated
A3. WebAdmin login screen appears
A4. Log into WebAdmin
B1. Log into WebAdmin
B2. Stop Engine service and wait some time
B3. Start Engine service
B4. WebAdmin login screen appears
B5. Log into WebAdmin
I didn't encounter "Authentication Required" popup at all. I guess this has something to do with Engine config/infra?
Looking at engine.log around 16:21 - I see two logical operations:
1. WebAdmin GUI login [OK]
DEBUG [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-2) IsUserAutorizedToRunAction: Login - no permission check
DEBUG [org.ovirt.engine.core.bll.adbroker.LdapBrokerBase] (ajp-/127.0.0.1:8702-2) RunAdAction Entry, actionType=AuthenticateUser
DEBUG [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-2) Found permission 97c0963b-a7bf-4b6a-8e05-1a449c9d330e for user when running LoginAdminUser, on Bottom with id bbb00000-0000-0000-0000-123456789bbb
DEBUG [org.ovirt.engine.core.bll.MultiLevelAdministrationHandler] (ajp-/127.0.0.1:8702-2) LoginAdminUser: User logged to admin using role SuperUser
DEBUG [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-2) Checking if user admin@internal is an admin, result true
INFO [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-2) Running command: LoginAdminUserCommand internal: false.
INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal logged in.
2. REST API create session [FAIL]
DEBUG [org.ovirt.engine.core.bll.ValidateSessionQuery] (ajp-/127.0.0.1:8702-7) Calling ValidateSession
DEBUG [org.ovirt.engine.core.bll.ValidateSessionQuery] (ajp-/127.0.0.1:8702-7) Input session ID is: 8f076fa4-9c73-4509-a0fa-11bbb0237440
DEBUG [org.ovirt.engine.core.bll.ValidateSessionQuery] (ajp-/127.0.0.1:8702-7) Didn't find session user
DEBUG [org.ovirt.engine.core.bll.ValidateSessionQuery] (ajp-/127.0.0.1:8702-7) ValidateSession ended
INFO [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp-/127.0.0.1:8702-7) Validating session failed, reason: Session does not exist.
So operation 2. failed on "Session does not exist" - I'll have to investigate a bit more.
Scratch my last comment, I was able to reliably reproduce this issue after all.
In case the REST API session is alive and the Engine session is dead (timeout due to user inactivity), after WebAdmin GUI login, two regressions occur:
- web browser unconditionally shows "Authorization Required" popup upon HTTP 401 response
- response doesn't contain JSESSIONID header, which breaks UI Plugin REST API integration
Working on a fix.
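An added example, not part of the original bug report or of the oVirt code: a triage script that flags the pattern analysed in the comments above, a REST API "Session does not exist" failure shortly after a successful WebAdmin login. The leading timestamp column, the 30-second window and the dates in the sample lines are assumptions (the excerpt on this page has timestamps stripped); the message texts are copied from the excerpt.

```python
import re
from datetime import datetime, timedelta

# Assumed engine.log layout: "<date> <time>,<ms> LEVEL [logger] (thread) message".
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
LOGIN_OK = re.compile(r"User (?P<user>\S+) logged in\.")
REST_FAIL = "Validating session failed, reason: Session does not exist."


def find_desynced_logins(lines, window_seconds=30):
    """Return (user, login_time, failure_time) for each REST session
    validation failure that follows a GUI login within the window."""
    window = timedelta(seconds=window_seconds)
    last_login = None  # (user, timestamp) of the most recent GUI login
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack traces, continuation lines, blanks
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        logger, msg = m["logger"], m["msg"]
        ok = LOGIN_OK.search(msg)
        if logger.endswith("AuditLogDirector") and ok:
            last_login = (ok["user"], ts)
        elif logger.endswith("LoginValidator") and REST_FAIL in msg:
            if last_login and timedelta(0) <= ts - last_login[1] <= window:
                hits.append((last_login[0], last_login[1], ts))
    return hits


# Constructed sample: timestamps are invented, messages come from the excerpt.
SAMPLE = """\
2000-01-01 16:21:03,120 INFO  [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-2) Running command: LoginAdminUserCommand internal: false.
2000-01-01 16:21:03,180 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User admin@internal logged in.
2000-01-01 16:21:04,010 DEBUG [org.ovirt.engine.core.bll.ValidateSessionQuery] (ajp-/127.0.0.1:8702-7) Didn't find session user
2000-01-01 16:21:04,015 INFO  [org.ovirt.engine.api.restapi.security.auth.LoginValidator] (ajp-/127.0.0.1:8702-7) Validating session failed, reason: Session does not exist.
""".splitlines()

if __name__ == "__main__":
    for user, login_at, failed_at in find_desynced_logins(SAMPLE):
        print(f"{user}: GUI login {login_at}, REST session rejected {failed_at}")
```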
workaround is fairly easy - close the browser (entirely, i.e. all browser's windows that are opened in the client) and re-open it.
[brand new sessions will be created, so problem should disappear].
reducing severity to 'high'.
*** Bug 1036215 has been marked as a duplicate of this bug. ***
cannot reproduce with UserSessionTimeOutInterval=1.
Closing as part of 3.4.0