Details
- Enhancement
- Status: Resolved
- Minor
- Resolution: Fixed
- 29.0.6
- Security Level: Default (Default Security Scheme)
Description
Background
When the OpenNMS web UI is set up behind a reverse proxy such as Apache HTTPD or NGINX, the authentication and authorization of users can be farmed out to some AAA module. In these scenarios, the OpenNMS webapp trusts the username and role(s) conveyed in a pair of custom HTTP headers. Docs exist for configuring this functionality, but they are pretty bare-bones.
Problem
- The header configured for userHeader is honored, but the header configured for credentialsHeader is ignored.
- The docs do not mention that, if the user enables this feature, a value must be provided for credentialsHeader.
Steps to Reproduce
- Start with a fresh install
- Edit $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/spring-security.d/header-preauth.xml as follows:
  - Change the value of the enabled property to true
  - Set the value of the credentialsHeader property to X-Remote-Roles
- Restart OpenNMS
- Run curl -H 'X-Remote-User: admin' -H 'X-Remote-Roles: ROLE_ADMIN' http://127.0.0.1:8980/opennms/rest/info and see that the info endpoint's output appears – pre-authentication worked
- Run curl -H 'X-Remote-User: ulf' -H 'X-Remote-Roles: ROLE_ADMIN' http://127.0.0.1:8980/opennms/rest/info
Expected Result
Output of the info endpoint appears as it did for the admin user
Actual Result
Request is rejected with HTTP 401 "Full authentication is required to access this resource":
[vagrant@horizon-29-0-6 ~]$ curl -H 'X-Remote-User: ulf' -H 'X-Remote-Roles: ROLE_ADMIN' http://127.0.0.1:8980/opennms/rest/info
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 Full authentication is required to access this resource</title>
</head>
<body><h2>HTTP ERROR 401 Full authentication is required to access this resource</h2>
<table>
<tr><th>URI:</th><td>/opennms/rest/info</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Full authentication is required to access this resource</td></tr>
<tr><th>SERVLET:</th><td>cxfRestServlet</td></tr>
</table>
<hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.44.v20210927</a><hr/></body>
</html>
Further Notes
The admin user works just fine because the ROLE_ADMIN assignment for that built-in user is coming from users.xml.
Jesse thought the filter code might be returning a principal rather than a role assignment. I might be off the mark in recollecting his exact words here; my Spring Security knowledge is lacking.
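To make the reported behaviour concrete, here is a small model of the pre-authentication decision, added as an illustration and not taken from OpenNMS or Spring Security. It assumes a hypothetical config object with the enabled, userHeader and credentialsHeader properties named on this page, a constructed users.xml-style role table in which only admin carries ROLE_ADMIN, and a toggle that switches between the reported behaviour (credentialsHeader ignored) and the expected one (roles from credentialsHeader merged in).

```python
from dataclasses import dataclass

# Constructed stand-in for the roles users.xml would supply: only the
# built-in admin user has a local ROLE_ADMIN assignment, ulf has none.
LOCAL_ROLES = {"admin": {"ROLE_ADMIN", "ROLE_USER"}}


@dataclass
class PreAuthConfig:
    """Hypothetical mirror of the header-preauth.xml properties."""
    enabled: bool = False
    user_header: str = "X-Remote-User"
    credentials_header: str = ""  # empty means "not configured"


def _header(headers, name):
    """HTTP header names are case-insensitive; look the value up accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def resolve(headers, config, honor_credentials_header=False):
    """Return (principal, roles); principal is None when the request is rejected."""
    if not config.enabled:
        return None, set()
    user = _header(headers, config.user_header)
    if not user:
        return None, set()
    roles = set(LOCAL_ROLES.get(user, set()))
    # Reported behaviour: roles come only from users.xml, the configured
    # credentialsHeader is never read. Expected behaviour: merge its roles in.
    if honor_credentials_header and config.credentials_header:
        raw = _header(headers, config.credentials_header) or ""
        roles |= {r.strip() for r in raw.split(",") if r.strip()}
    if not roles:
        # No granted authority: "Full authentication is required" (401).
        return None, set()
    return user, roles


def status_for(headers, config, honor_credentials_header=False):
    """HTTP status the /rest/info request would get under this model."""
    principal, _ = resolve(headers, config, honor_credentials_header)
    return 200 if principal else 401
```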
Issue Links
- related to NMS-14078 login.jsp page is still visible/accessible after being authenticated by pre-authentication (Open)