First Last Prev Next    This bug is not in your last search results.
Bug 859968 - IPA browser configuration won't work on Firefox >= 15
IPA browser configuration won't work on Firefox >= 15
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
6.4
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Rob Crittenden
IDM QE LIST
:
Depends On:
Blocks: 872085
  Show dependency treegraph
 
Reported: 2012-09-24 10:13 EDT by Dmitri Pal
Modified: 2013-02-21 04:19 EST (History)
4 users (show)

See Also:
Fixed In Version: ipa-3.0.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: Firefox of version 15 or newer does not allow signed JavaScript jars to gain escalated privileges allowing then to for example change browser configuration. Consequence: Identity Management browser auto-configuration signed .jar will to configure the browser to be able to access Web UI via Kerberos authentication. This affects all Firefox browsers of version 15 or newer. Fix: Identity Management is now deployed with own Firefox extension capable of configuring the browser for Kerberos authentication. Result: Firefox users of all supported browser versions can take advantage of browser auto-configuration and authenticate via Kerberos.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:19:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
browser configuation page works (230.95 KB, image/png)
2013-01-28 12:58 EST, Xiyang Dong 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 03:22:21 EST

  None (edit)
Description Dmitri Pal 2012-09-24 10:13:10 EDT 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3094

netscape.security.PrivilegeManager.enablePrivilege() call was deprecated in Firefox 15 and can't be used.

It completely breaks IPA browser configuration in signed .jar file. (https://test.example.com/ipa/config/browserconfig.html).

FF team recommends to make FF extension for any code which uses privileged code.

https://bugzilla.mozilla.org/show_bug.cgi?id=546848
https://bugzilla.mozilla.org/show_bug.cgi?id=757046

I think making FF extension just for configuring kerberos auth for one site is bad. I propose to give priority to ticket #823

We can offer configuration steps for: FF <= 14, FF >= 15, IE and Chrome. For FF <= 14 I would keep the configure.jar method.
Comment 2 Namita Soman 2012-10-01 13:05:28 EDT 
I can run the UI on FF15. So please provide steps to recreate the issue described here.
Comment 3 Martin Kosek 2012-10-02 03:20:50 EDT 
(In reply to comment #2)
> I can run the UI on FF15. So please provide steps to recreate the issue
> described here.

But can you authenticate with your Kerberos ticket? Authentication via user+password is not affected with this issue.
Comment 4 Petr Vobornik 2012-10-02 06:46:17 EDT 
In https://<ipa server>/config/browserconfig.html there is the 'configure browser' button. In FF 15 it doesn't do anything (from user perspective). There is an error in web console (Ctrl+Shift+K), but user can't see it. 

The outcome is that we can't configure automatically FF config options like network.negotiate-auth.trusted-uris and therefore, as Martin wrote, SSO doesn't work (if not configured manually).
Comment 5 Rob Crittenden 2012-10-05 11:58:50 EDT 
Fixed upstream.

This provides a new Firefox extension for 15+. Older browsers will rely on the signed javascript file.

master:
696fce5c8d4e480c6a731686c8952a4e7ace575f
247a3a43b7fb9eac9af9497e61cdc9c964bee4ff
206b6ca04b0e06b3bebf34d985f5310489fd7aac
b4e19509c034942a4f6bc99c371774a0944b65eb
4e72bc7fc8e8cc677d67919cde70eb1df47f1d81

ipa-3-0:
1212e867986aca1f030433f9f40908361629198c
e13a88a2e59a6cdee806fdc4a619a22bba9c3f35
2ba1fb5f87875a8793aad35224cb24d3b89f9883
8b9d0e1160683f0a759c5818f0aab8c2c18bf802 
f9bafb2958c3ea1e60856f21a28776026de2b305
Comment 8 Xiyang Dong 2013-01-28 12:58:05 EST 
Created attachment 689183 [details]
browser configuation page works

verified in firefox ESR 10.0.10,which corresponds with Firefox 16.0.2
Comment 10 errata-xmlrpc 2013-02-21 04:19:55 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.