Bug #4748
Authentication issue in Sunstone js dist/login.js
Status: Closed
Priority: High
Assignee: Carlos Martín
Category: Sunstone
Target version: Release 5.2
Resolution: fixed
Start date: 08/25/2016
Due date:
% Done: 0%
Pull request:
Affected Versions: OpenNebula 4.14, OpenNebula 5.0
Description
Hi
We found this issue some weeks ago.
The issue affects Sunstone standalone installations using Apache and Passenger as the web server (but it could also affect nginx installations). In our case we are using Sunstone remote auth:
:auth: remote
We use Apache to handle the authentication and to set the REMOTE_USER variable (in our case we are using Kerberos):
http://docs.opennebula.org/5.0/deployment/sunstone_setup/suns_auth.html
The problem is this: when your user is already authenticated by Apache and the external auth mechanism and he/she clicks on the login button, the Auth header is overwritten by the Sunstone JavaScript. REMOTE_USER is set to undefined and the user is not able to log in. This behaviour is correct if you are using the login/password view, but it should change if you use the remote or x509 views, which only have a login button without user/password input.
The workaround is quite easy: we only have to comment out the line where setRequestHeader is located in the /usr/lib/one/sunstone/public/dist/login.js file, so it looks like this (but if we change the view to login/pass it will fail, of course):
    ...
    ...
        var token = username + ':' + password;
        var authString = 'Basic ';
        if (typeof(btoa) === 'function')
          authString += btoa(unescape(encodeURIComponent(token)));
        else {
          token = CryptoJS.enc.Utf8.parse(token);
          authString += CryptoJS.enc.Base64.stringify(token);
        }
        //req.setRequestHeader("Authorization", authString);
      },
      success: function(response) {
    ...
    ...
And REMOTE_USER is not unset. I don't know why we didn't find this issue before; maybe it depends on the browser and the Apache version that you are using. In any case the login JavaScript should be changed to modify the Auth header only for user/login views and keep it untouched for x509/remote views.
Could you take a look at this?
Cheers
Alvaro
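The behaviour the report describes, and the view-dependent fix it asks for, as an added example that is not Sunstone's own code. The view names ('default' for user/password, 'remote' and 'x509' for the button-only views), the form object and the Buffer-based Base64 step are assumptions made for this example:

```javascript
// Added example, not code from dist/login.js. Models the Authorization
// header the Sunstone login request builds, before and after the fix.

function basicAuthValue(username, password) {
  // Same UTF-8 -> Base64 encoding the dist/login.js snippet performs with
  // btoa(unescape(encodeURIComponent(token))); done via Buffer so it runs in Node.
  const token = username + ':' + password;
  return 'Basic ' + Buffer.from(token, 'utf8').toString('base64');
}

// Before the fix: the header is always built, even when the view has no
// username/password inputs, so the token becomes "undefined:undefined" and
// overrides the user that Apache (Kerberos, client certificate) already set.
function loginHeadersBuggy(view, form) {
  return { Authorization: basicAuthValue(form.username, form.password) };
}

// What the report asks for: only the user/password view attaches
// Authorization; remote and x509 views send no header, so the REMOTE_USER
// value set by the web server reaches Sunstone untouched.
function loginHeadersFixed(view, form) {
  if (view === 'remote' || view === 'x509') {
    return {};
  }
  return { Authorization: basicAuthValue(form.username, form.password) };
}

// Constructed sample inputs (assumed form shape).
const passwordForm = { username: 'alice', password: 'sécret' };
const remoteForm = {}; // remote/x509 view: no inputs at all

console.log('buggy, remote view :', loginHeadersBuggy('remote', remoteForm));
console.log('fixed, remote view :', loginHeadersFixed('remote', remoteForm));
console.log('fixed, default view:', loginHeadersFixed('default', passwordForm));
```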
History
#1 Updated by Alvaro Simon almost 5 years ago
Hi
We have opened a PR to fix this issue, take a look at:
https://github.com/OpenNebula/one/pull/108
#2 Updated by Carlos Martín almost 5 years ago
- Target version set to Release 5.2
#3 Updated by Carlos Martín almost 5 years ago
- Status changed from Pending to Closed
- Assignee set to Carlos Martín
- Resolution set to fixed
Pull request merged, thank you!