Bug 1025496 - Securing management console with LDAP authentication prevents access
Summary: Securing management console with LDAP authentication prevents access
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Console
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.2.0
Assignee: Darran Lofthouse
QA Contact: Jakub Cechacek
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-31 19:48 UTC by Chris Dolphy
Modified: 2018-12-03 20:32 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-12-15 16:15:50 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
standalone.xml to reproduce issue (16.67 KB, text/xml)
2013-10-31 19:49 UTC, Chris Dolphy 		no flags Details
View All

Description Chris Dolphy 2013-10-31 19:48:16 UTC 
Description of problem:
Recieve following error in browser when trying to access /console:
  The management interface could not be loaded.
  Authentication required.
after enabling LDAP authentication for http-interface and although the user is successfully looked up in LDAP, 

Same configuration works in EAP 6.1.1.

Version-Release number of selected component (if applicable):
EAP 6.2.0 beta

How reproducible:
reproducible with steps below

Steps to Reproduce:
1.  setup LDAP server with appropriate user
2.  create outbound-connection.  e.g.

<outbound-connections>
   <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>

3.create ldap security realm:

<security-realm name="ldap_security_realm">
  <authentication>
    <ldap connection="ldap_connection" base-dn="ou=users,ou=system" recursive="true" user-dn="dn">
      <username-filter attribute="uid"/>
    </ldap>
  </authentication>
</security-realm>

4. change http-interface to use security-realm:  e.g.

<http-interface security-realm="ldap_security_realm">

5. login to http:localhost:9990/console

Actual results:

Login is accepted, but browser displays:
The management interface could not be loaded.
Authentication required.

Log file shows:

14:32:28,062 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Performing recursive search
14:32:28,062 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Searching for user 'testuser' using filter '(uid={0})'.
14:32:28,064 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) DN 'cn=testuser,ou=users,ou=system' found for user 'testuser'
14:32:28,066 TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) Password verified for user 'testuser'


Expected results:

management console is displayed.

Additional info:

see attachment for standalone.xml
Comment 1 Chris Dolphy 2013-10-31 19:49:07 UTC 
Created attachment 818044 [details]
standalone.xml to reproduce issue
Comment 5 Darran Lofthouse 2013-11-01 12:07:38 UTC 
I will have a look.
Comment 6 Darran Lofthouse 2013-11-01 12:38:28 UTC 
A quick test on WildFly and WildFly does not seem affected.
Comment 7 Darran Lofthouse 2013-11-01 12:47:14 UTC 
I can reproduce on the latest EAP - there should not actually be anything specific to the console so for that reason I am going to take ownership for now while I investigate further.

Due to the different HTTP servers in use between WildFly and EAP I would suspect a mistake in the merge between the two.

I don't actually see a question being asked with the needinfo flag so I am going to clear it as I am now investigating.
Comment 8 Darran Lofthouse 2013-11-01 13:17:00 UTC 
Found it - an issue specific to the BasicAuthenticator within EAP, should only be a minor change.
Comment 10 Josef Cacek 2013-11-11 13:57:28 UTC 
Verified in CR1-preview.
Note You need to log in before you can comment on or make changes to this bug.