  1. OpenNMS
  2. NMS-14059

Add support for pre-authorization via HTTP header (to be used with pre-authentication)


Details

    • Enhancement
    • Status: Resolved (View Workflow)
    • Minor
    • Resolution: Fixed
    • 29.0.6
    • 29.0.8
    • Web UI - General
    • Security Level: Default (Default Security Scheme)
    • None
    • Yes
      • Role(s) correctly passed through from the header named in the credentialsHeader property for users that do not exist in users.xml
      • Docs updated to reflect that credentialsHeader must have a value configured – probably should add a default one in both the docs and the shipping config file.
      • Docs specify how to pass multiple roles in the credentialsHeader header – does comma-separated work?

    Description

      Background

      When the OpenNMS web UI is set up behind a reverse proxy such as Apache HTTPD or NGINX, the authentication and authorization of users can be farmed out to some AAA module. In these scenarios, the OpenNMS webapp trusts the username and role(s) conveyed in a pair of custom HTTP headers. Docs exist for configuring this functionality, but they are pretty bare-bones.

       

      Problem

      1. The header configured for userHeader is honored, but the header configured for credentialsHeader is ignored.
      2. The docs do not mention that, if the user enables this feature, a value must be provided for credentialsHeader.

       

      Steps to Reproduce

      1. Start with a fresh install
      2. Edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/spring-security.d/header-preauth.xml as follows:
        1. Change the value of the enabled property to true
        2. Set the value of the credentialsHeader property to X-Remote-Roles
      3. Restart OpenNMS
      4. Run curl -H 'X-Remote-User: admin' -H 'X-Remote-Roles: ROLE_ADMIN' http://127.0.0.1:8980/opennms/rest/info and see that the info endpoint's output appears – pre-authentication worked
      5. Run curl -H 'X-Remote-User: ulf' -H 'X-Remote-Roles: ROLE_ADMIN' http://127.0.0.1:8980/opennms/rest/info

       

      Expected Result

      Output of the info endpoint appears as it did for the admin user

       

      Actual Result

      Request is rejected with code 401 Full authentication is required

       

      [vagrant@horizon-29-0-6 ~]$ curl -H 'X-Remote-User: ulf' -H 'X-Remote-Roles: ROLE_ADMIN' http://127.0.0.1:8980/opennms/rest/info
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
      <title>Error 401 Full authentication is required to access this resource</title>
      </head>
      <body><h2>HTTP ERROR 401 Full authentication is required to access this resource</h2>
      <table>
      <tr><th>URI:</th><td>/opennms/rest/info</td></tr>
      <tr><th>STATUS:</th><td>401</td></tr>
      <tr><th>MESSAGE:</th><td>Full authentication is required to access this resource</td></tr>
      <tr><th>SERVLET:</th><td>cxfRestServlet</td></tr>
      </table>
      <hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.44.v20210927</a><hr/></body>
      </html> 

       

      Further Notes

      The admin user works just fine because the ROLE_ADMIN assignment for that built-in user is coming from users.xml.

      Jesse thought the filter code might be returning a principal rather than a role assignment. I might be off the mark in recollecting his exact words here; my Spring Security knowledge is lacking.
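
      The gap this issue describes, as an added example that is not part of the original report and is not OpenNMS code: in Spring Security's pre-authentication model, a header value carried as the token's credentials grants nothing until an AuthenticationUserDetailsService maps it to authorities, so a user with no users.xml entry ends up with no role. The class name, the comma-separated header format and the role allow-list are assumptions, as is a setup in which the roles header arrives as the token's credentials (as Spring's stock RequestHeaderAuthenticationFilter does) and the reverse proxy overwrites any client-supplied copies of both headers.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical class for illustration; not the OpenNMS implementation.
public class HeaderRolesUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    // Roles the application is willing to accept from the proxy (assumed allow-list).
    private final Set<String> allowedRoles;

    public HeaderRolesUserDetailsService(Set<String> allowedRoles) {
        this.allowedRoles = allowedRoles;
    }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        // The principal comes from the user header; the credentials are assumed
        // to hold the raw value of the roles header.
        Object credentials = token.getCredentials();
        if (!(credentials instanceof String) || ((String) credentials).trim().isEmpty()) {
            throw new UsernameNotFoundException("No roles header for " + token.getName());
        }

        // Assumed format: comma-separated role names, e.g. "ROLE_ADMIN".
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : ((String) credentials).split(",")) {
            String name = role.trim();
            if (allowedRoles.contains(name)) {   // silently drop unknown names
                authorities.add(new SimpleGrantedAuthority(name));
            }
        }
        if (authorities.isEmpty()) {
            // Fail closed: a pre-authenticated user with no recognised role is rejected.
            throw new UsernameNotFoundException("No recognised role for " + token.getName());
        }

        // No local password exists for a proxy-authenticated user; "N/A" is a placeholder.
        return new User(token.getName(), "N/A", authorities);
    }
}
```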

            People

              j-white Jesse White
              jeffg Jeff Gehlbach