OpenNebula

Hi

We found this issue some weeks ago.
The issue affects to Sunstone standalone installations using apache and passenger as web server (but it could also affect to nginx installations). In our case we are using Sunstone remote auth:

:auth: remote

We use apache to handle the authentication and to set the REMOTE_USER variable (in our case we are using Kerberos):

http://docs.opennebula.org/5.0/deployment/sunstone_setup/suns_auth.html

The problem is this, when your user is are already authenticated by apache and the external auth mechanism and he/she clicks on login button, the Auth header is overwritten by Sunstone javascript. REMOTE_USER is set to undefined and the user is not able to login. This behaviour is correct if you are using the login/password view, but it should change if you use the remote or x509 views which only have a login button without user/password input.

The workaround is quite easy, we only have to comment out the line where is located setRequestHeader in /usr/lib/one/sunstone/public/dist/login.js file, so it looks like this (but if we change the view by login/pass it will fail of course):

...
    ...
    var token = username + ':' + password;
    var authString = 'Basic ';
    if (typeof(btoa) === 'function')
    authString += btoa(unescape(encodeURIComponent(token)))
    else {
    token = CryptoJS.enc.Utf8.parse(token);
    authString += CryptoJS.enc.Base64.stringify(token)
    }
    //req.setRequestHeader("Authorization", authString);
    },
    success: function(response) {
    ...
    ...

And the REMOTE_USER is not unset, I don't know why we didn't find this issue before, maybe it depends on the browser and the apache version that are you using. In any case the login javascript should be changed to modify Auth header only for user/login views and keep it untouched for x509/remote views.

Could you take a look to this?

Cheers
Alvaro