Posted to users@activemq.apache.org by francesco <fr...@unimore.it> on 2013/10/24 11:35:13 UTC

Endless Failed to log in, Forbidden with hawt.io

Good morning,

there is something I don't understand with the new hawt.io console. While I
can authenticate on the older console (http://localhost:8161/admin)
the newer console (http://localhost:8161/hawtio/#/login) never accepts
credentials which are valid for older console.

I think the issue could be pointed out in the following log line:
 INFO | Starting hawtio authentication filter, JAAS realm: "karaf" authorized role: "admin" role principal classes: "org.apache.karaf.jaas.boot.principal.RolePrincipal"

(in contrast with:
 INFO | Welcome to hawtio 1.2-M19 : http://hawt.io/ : Don't cha wish your console was hawt like me? ;-)
 INFO | Starting hawtio authentication filter, JAAS authentication disabled
shown in
http://mail-archives.apache.org/mod_mbox/activemq-dev/201310.mbox/%3CJIRA.12671586.1380637651206.11044.1380637764220@arcas%3E)

How can I disable the hawt.io jaas authentication to stick to the auth
settings in ${ACTIVEMQ_CONF}/jetty.xml?

thank you,

Francesco



--
View this message in context: http://activemq.2283324.n4.nabble.com/Endless-Failed-to-log-in-Forbidden-with-hawt-io-tp4673183.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Endless Failed to log in, Forbidden with hawt.io

Posted by francesco <fr...@unimore.it>.
Sorry to re-animate this thread after such a long time, but I came up with
another solution to authenticate hawtio:
http://bacedifo.blogspot.it/2014/01/protect-your-hawtio-activemq-590.html
this time with LDAP.

By the way: I wasn't able to succeed with standard authentication because
I fiddled with login.config, so it was my fault.

thank you for your help,

Francesco






Re: Endless Failed to log in, Forbidden with hawt.io

Posted by James Strachan <ja...@gmail.com>.
Incidentally, in later hawtio releases we tried to make the explicit
specifying of rolePrincipalClasses optional, which seems to make it easier
to authenticate on different containers (older karaf, tomcat etc), so maybe
upgrading to 1.2-M27 of hawtio might help?


On 4 November 2013 16:52, gmicky <mi...@gmail.com> wrote:

> Hello Francesco,
>
> I was struggling with the same issue, and it was due to a custom startup
> script for activemq which declared the variable ACTIVEMQ_OPTS. If this variable
> is previously declared, options from the /apache-activemq-5.9.0/bin/activemq
> script are not loaded and hawtio authentication is not working.
>
>
> After you start activemq, use ps and check that the JVM is started with the
> following options:
>   -Djava.util.logging.config.file=logging.properties
>   -Dhawtio.realm=activemq
>   -Dhawtio.role=admins
>   -Dhawtio.rolePrincipalClasses=org.apache.activemq.jaas.GroupPrincipal
>   -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config
>
> Without these you won't be able to authenticate into hawtio
>
> Michal



-- 
James
-------
Red Hat

Email: jstracha@redhat.com
Web: http://fusesource.com
Twitter: jstrachan, fusenews
Blog: http://macstrac.blogspot.com/

Open Source Integration

Re: Endless Failed to log in, Forbidden with hawt.io

Posted by gmicky <mi...@gmail.com>.
Hello Francesco,

I was struggling with the same issue, and it was due to a custom startup script
for activemq which declared the variable ACTIVEMQ_OPTS. If this variable is
previously declared, options from the /apache-activemq-5.9.0/bin/activemq
script are not loaded and hawtio authentication is not working.


After you start activemq, use ps and check that the JVM is started with the
following options:
  -Djava.util.logging.config.file=logging.properties
  -Dhawtio.realm=activemq
  -Dhawtio.role=admins
  -Dhawtio.rolePrincipalClasses=org.apache.activemq.jaas.GroupPrincipal
  -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config

Without these you won't be able to authenticate into hawtio

Michal 




Re: Endless Failed to log in, Forbidden with hawt.io

Posted by francesco <fr...@unimore.it>.
Sorry but it's too hard for me to upgrade to hawtio 1.2-M24. As a
quick-and-dirty workaround, just comment out from
webapps/hawtio/WEB-INF/web.xml:
  <filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/auth/*</url-pattern>
  </filter-mapping>
and hawtio is completely free (no login, nothing), so put a reverse proxy on
port 8161 and access through apache2 with ldap or krb5 auth.

ciao,

Francesco




Re: Endless Failed to log in, Forbidden with hawt.io

Posted by francesco <fr...@unimore.it>.
I'm using AMQ standalone.

According to startup messages, I have hawtio M23
 INFO | jetty-7.6.9.v20130131
 INFO | Welcome to hawtio 1.2-M23 : http://hawt.io/ : Don't cha wish your console was hawt like me? ;-)
 INFO | started o.e.j.w.WebAppContext{/hawtio,file:/opt/apache-activemq-5.9.0/webapps/hawtio/},/opt/apache-activemq-5.9.0/webapps/hawtio
 INFO | Starting hawtio authentication filter, JAAS realm: "karaf" authorized role: "admin" role principal classes: "org.apache.karaf.jaas.boot.principal.RolePrincipal"

But I double checked and the linux version of apache-activemq-5.9.0:
gpg --verify apache-activemq-5.9.0-bin.tar.gz.asc
gpg: Signature made mar 15 ott 2013 01:03:37 CEST using DSA key ID 69CC103E
gpg: Good signature from "Gary Tully (key for apache releases) <ga...@gmail.com>"

ships with that version of hawtio.

I'm going to check how to upgrade.

Claus, thank you for the time spent helping me,

Francesco




Re: Endless Failed to log in, Forbidden with hawt.io

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

Try with M24 which is the version shipped out of the box with AMQ 5.9.
And are you running inside Karaf? Or AMQ standalone?

On Thu, Oct 24, 2013 at 12:39 PM, francesco
<fr...@unimore.it> wrote:
> Thank you for the quick answer!
>
> That clarifies for me the differences in authentication between the older
> console and hawtio.
>
> As far as I understand, in the default configuration, both consoles have a
> user 'admin' with password 'admin'. So, I should be able to log in to hawtio
> with that user.
>
> Is it maybe a matter of groups?
>
> groups.properties reads:
> admins=admin
>
> isn't it wrong?
>
> Doesn't it mean user 'admins' is in group 'admin'? As my user is 'admin', it
> should be:
> admin=admin
>
> BTW: it doesn't allow me to log in either,
>
> thank you,
>
> Francesco



-- 
Claus Ibsen
-----------------
Red Hat, Inc.
Email: cibsen@redhat.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen

Re: Endless Failed to log in, Forbidden with hawt.io

Posted by francesco <fr...@unimore.it>.
Thank you for the quick answer!

That clarifies for me the differences in authentication between the older
console and hawtio.

As far as I understand, in the default configuration, both consoles have a
user 'admin' with password 'admin'. So, I should be able to log in to hawtio
with that user.

Is it maybe a matter of groups?

groups.properties reads:
admins=admin

isn't it wrong?

Doesn't it mean user 'admins' is in group 'admin'? As my user is 'admin', it
should be:
admin=admin

BTW: it doesn't allow me to log in either,

thank you,

Francesco
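
An added example, not part of the original message: ActiveMQ's groups.properties is read as group=user1,user2, so the stock line admins=admin puts user 'admin' in group 'admins', the group named by -Dhawtio.role=admins elsewhere in this thread. The function names and the sample file below are constructed for illustration.

```shell
#!/bin/sh
# group_members FILE GROUP
# Prints the comma-separated users listed for GROUP ("group=user1,user2").
group_members() {
    awk -F= -v g="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        { k = $1; gsub(/[ \t]/, "", k) }          # key = group name
        k == g { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# can_login FILE ROLE USER
# Succeeds when USER is a member of the group named ROLE (the hawtio.role value).
can_login() {
    [ -n "$3" ] || return 1
    case ",$(group_members "$1" "$2")," in
        *",$3,"*) return 0 ;;
    esac
    return 1
}

# Constructed sample file holding the stock line quoted in the message above.
demo=$(mktemp)
printf '# constructed sample\nadmins=admin\n' > "$demo"

# "admins" is the role set by the stock start script; "admin" is the role
# shown in the log line when hawtio falls back to the karaf defaults.
for role in admins admin; do
    if can_login "$demo" "$role" admin; then
        echo "hawtio.role=$role: user 'admin' is in that group"
    else
        echo "hawtio.role=$role: user 'admin' is NOT in that group"
    fi
done
rm -f "$demo"
```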




Re: Endless Failed to log in, Forbidden with hawt.io

Posted by francesco <fr...@unimore.it>.
On 04/11/2013 18:41, gmicky [via ActiveMQ] wrote:
> 
> 
> Hello Francesco,
> 
> I was struggling with this issue as well; on my side it was due to using
> a custom startup script which sets a custom ACTIVEMQ_OPTS.
> 
> In apache-activemq-5.9.0/bin/activemq some variables are set up which are
> needed for hawtio to authenticate, and those are only loaded if the
> ACTIVEMQ_OPTS variable is not previously declared.
> 
> When you run activemq, use ps ax and check that the JVM used for activemq is
> not missing the following parameters from the apache-activemq-5.9.0/bin/activemq file:
> 
> ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY 
> -Djava.util.logging.config.file=logging.properties -Dhawtio.realm=activemq
> -Dhawtio.role=admins
> -Dhawtio.rolePrincipalClasses=org.apache.activemq.jaas.GroupPrincipal
> -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config"
> 
> Without those, authentication for the hawtio console will not work.


thank you so much!

In my setup also startup variables are messed up, so I think it has to
be as you are saying,

Again, thank you for your time,

Francesco






Re: Endless Failed to log in, Forbidden with hawt.io

Posted by gmicky <mi...@gmail.com>.
Hello Francesco,

I was struggling with this issue as well; on my side it was due to using
a custom startup script which sets a custom ACTIVEMQ_OPTS.

In apache-activemq-5.9.0/bin/activemq some variables are set up which are
needed for hawtio to authenticate, and those are only loaded if the
ACTIVEMQ_OPTS variable is not previously declared.

When you run activemq, use ps ax and check that the JVM used for activemq is
not missing the following parameters from the apache-activemq-5.9.0/bin/activemq file:

ACTIVEMQ_OPTS="$ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY 
-Djava.util.logging.config.file=logging.properties -Dhawtio.realm=activemq
-Dhawtio.role=admins
-Dhawtio.rolePrincipalClasses=org.apache.activemq.jaas.GroupPrincipal
-Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config"

Without those, authentication for the hawtio console will not work.
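
The check described in the message above (inspect the running JVM's command line for the hawtio options), as an added shell example that is not part of the original post. The function names are hypothetical and the two command lines are constructed samples.

```shell
#!/bin/sh
# System properties the stock bin/activemq script adds (list taken from the post above).
REQUIRED="hawtio.realm hawtio.role hawtio.rolePrincipalClasses java.security.auth.login.config"

# missing_hawtio_props CMDLINE
# Prints the names of required -D properties that are absent (or empty) in CMDLINE.
missing_hawtio_props() {
    missing=""
    for name in $REQUIRED; do
        found=no
        set -f                          # do not glob-expand command line words
        for arg in $1; do
            case "$arg" in
                "-D$name="?*) found=yes ;;
            esac
        done
        set +f
        [ "$found" = yes ] || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
}

# report LABEL CMDLINE: one summary line per JVM
report() {
    m=$(missing_hawtio_props "$2")
    if [ -z "$m" ]; then
        echo "$1: all hawtio JAAS options present"
    else
        echo "$1: MISSING $m"
    fi
}

# Constructed command lines (not captured from a real host).
GOOD='java -Xms1G -Dhawtio.realm=activemq -Dhawtio.role=admins -Dhawtio.rolePrincipalClasses=org.apache.activemq.jaas.GroupPrincipal -Djava.security.auth.login.config=/opt/apache-activemq-5.9.0/conf/login.config -jar activemq.jar start'
CUSTOM='java -Xmx2G -Dcom.sun.management.jmxremote -jar activemq.jar start'

report "stock script" "$GOOD"
report "custom ACTIVEMQ_OPTS" "$CUSTOM"
# On a live host: report "pid $pid" "$(ps -o args= -p "$pid")"
```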




Re: Endless Failed to log in, Forbidden with hawt.io

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

See the docs/WebConsole readme file for details.

On Thu, Oct 24, 2013 at 11:35 AM, francesco
<fr...@unimore.it> wrote:
> Good morning,
>
> there is something I don't understand with the new hawt.io console. While I
> can authenticate on the older console (http://localhost:8161/admin)
> the newer console (http://localhost:8161/hawtio/#/login) never accepts
> credentials which are valid for older console.
>
> I think the issue could be pointed out in the following log line:
>  INFO | Starting hawtio authentication filter, JAAS realm: "karaf"
> authorized role: "admin" role principal classes:
> "org.apache.karaf.jaas.boot.principal.RolePrincipal"
>
> (in contrast with:
>  INFO | Welcome to hawtio 1.2-M19 : http://hawt.io/ : Don't cha wish your
> console was hawt
> like me? ;-)
>  INFO | Starting hawtio authentication filter, JAAS authentication disabled
> shown in
> http://mail-archives.apache.org/mod_mbox/activemq-dev/201310.mbox/%3CJIRA.12671586.1380637651206.11044.1380637764220@arcas%3E)
>
> How can I disable the hawt.io jaas authentication to stick to the auth
> settings in ${ACTIVEMQ_CONF}/jetty.xml?
>
> thank you,
>
> Francesco



-- 
Claus Ibsen
-----------------
Red Hat, Inc.
Email: cibsen@redhat.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen