Bug #4748

Authentication issue in Sunstone js dist/login.js

Added by Alvaro Simon about 4 years ago. Updated about 4 years ago.

Status: Closed
Start date: 08/25/2016
Priority: High
Due date:
Assignee: Carlos Martín
% Done: 0%
Category: Sunstone
Target version: Release 5.2
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 4.14, OpenNebula 5.0

Description

Hi

We found this issue some weeks ago.
The issue affects Sunstone standalone installations using Apache and Passenger as the web server (but it could also affect nginx installations). In our case we are using Sunstone remote auth:

:auth: remote

We use Apache to handle the authentication and to set the REMOTE_USER variable (in our case we are using Kerberos):

http://docs.opennebula.org/5.0/deployment/sunstone_setup/suns_auth.html

The problem is this: when your user is already authenticated by Apache and the external auth mechanism and he/she clicks on the login button, the Auth header is overwritten by the Sunstone JavaScript. REMOTE_USER is set to undefined and the user is not able to log in. This behaviour is correct if you are using the login/password view, but it should change if you use the remote or x509 views, which only have a login button without user/password input.

The workaround is quite easy: we only have to comment out the line where setRequestHeader is located in the /usr/lib/one/sunstone/public/dist/login.js file, so it looks like this (but if we change the view to login/pass it will fail, of course):

    ...
    ...
    var token = username + ':' + password;
    var authString = 'Basic ';
    if (typeof(btoa) === 'function')
      authString += btoa(unescape(encodeURIComponent(token)))
    else {
      token = CryptoJS.enc.Utf8.parse(token);
      authString += CryptoJS.enc.Base64.stringify(token)
    }
    //req.setRequestHeader("Authorization", authString);
  },
  success: function(response) {
    ...
    ...

And REMOTE_USER is not unset. I don't know why we didn't find this issue before; maybe it depends on the browser and the Apache version that you are using. In any case, the login JavaScript should be changed to modify the Auth header only for user/login views and keep it untouched for x509/remote views.

Could you take a look at this?

Cheers
Alvaro
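As an added example (not code from the report above or from Sunstone itself), the change the report asks for, modelled as a stand-alone beforeSend callback that sets the Authorization header only for the user/password view and leaves it untouched for the remote/x509 views; the view names are assumptions for the demo:

```javascript
// Added example (not Sunstone's code): models the login request's beforeSend
// step so that the Authorization header is built only for the user/password
// view and left untouched for the remote/x509 views, where the front web
// server (e.g. Apache with Kerberos) has already authenticated the user and
// sets REMOTE_USER. The view names below are assumptions for the demo.

// Views in which the Sunstone JavaScript itself must send HTTP Basic credentials.
const CREDENTIAL_VIEWS = new Set(['opennebula', 'sunstone']);
// Views in which the web server performs authentication before the request.
const EXTERNAL_VIEWS = new Set(['remote', 'x509']);

// UTF-8 safe Base64, mirroring btoa(unescape(encodeURIComponent(token))).
function toBase64Utf8(str) {
  if (typeof btoa === 'function') {
    return btoa(unescape(encodeURIComponent(str)));
  }
  return Buffer.from(str, 'utf8').toString('base64');
}

// Returns the beforeSend callback appropriate for the configured auth view.
function makeBeforeSend(authView, username, password) {
  if (EXTERNAL_VIEWS.has(authView)) {
    // Leave the request alone: overwriting Authorization here would clobber
    // the credentials the browser negotiated with Apache, and REMOTE_USER
    // would end up undefined on the Sunstone side.
    return function (req) { return req; };
  }
  if (!CREDENTIAL_VIEWS.has(authView)) {
    throw new Error('unknown auth view: ' + authView);
  }
  return function (req) {
    const token = username + ':' + password;
    req.setRequestHeader('Authorization', 'Basic ' + toBase64Utf8(token));
    return req;
  };
}

// Minimal stand-in for the XHR object, constructed for this demo.
function fakeRequest() {
  const headers = {};
  return { headers, setRequestHeader(name, value) { headers[name] = value; } };
}

// Runs the callback for a view and returns the headers the request would carry.
function loginHeaders(authView, username, password) {
  return makeBeforeSend(authView, username, password)(fakeRequest()).headers;
}
```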

Associated revisions

Revision abe78ed0
Added by Carlos Martín about 4 years ago

Merge pull request #108 from alvarosimon/fix_remote_user_auth

Bug #4748: Fix sunstone remote_auth login

History

#1 Updated by Alvaro Simon about 4 years ago

Hi

We have opened a PR to fix this issue, take a look at:
https://github.com/OpenNebula/one/pull/108

#2 Updated by Carlos Martín about 4 years ago

  • Target version set to Release 5.2

#3 Updated by Carlos Martín about 4 years ago

  • Status changed from Pending to Closed
  • Assignee set to Carlos Martín
  • Resolution set to fixed

Pull request merged, thank you!
