Security problem with hudson on glassfish


Security problem with hudson on glassfish

Richard Bair-2
At the risk of looking, once more, like a complete newbie (which I am! almost anyway). I happily got Hudson on Tomcat working fine with security enabled. I simply edited my tomcat-users.xml file, created a user with the "admin" role, and voilà.

However on Glassfish, I get "HTTP Status 400 - Invalid direct reference to form login page". I know I have my realm, user, and role set up right because if I use a different combination I simply get the "invalid login" page.

Any idea?

Thanks
Richard

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Security problem with hudson on glassfish

Richard Bair-2
Followup: I've tried 1.78 and 1.79 of Hudson.

Also, if I enter a bad username/password, then there is a log entry in my glassfish log files indicating a failed login attempt. If I enter the correct username/password, then there is *no* entry in the log file whatsoever. It just simply returns *either* 400, or 403 (HTTP Status 403 - Access to the requested resource has been denied).

Richard

On Feb 8, 2007, at 9:44 AM, Richard Bair wrote:

> At the risk of looking, once more, like a complete newbie (which I  
> am! almost anyway). I happily got Hudson on Tomcat working fine  
> with security enabled. I simply edited my tomcat-users.xml file,  
> created a user with the "admin" role, and viola.
>
> However on Glassfish, I get "HTTP Status 400 - Invalid direct  
> reference to form login page". I know I have my realm, user, and  
> role setup right because if I use a different combination I simply  
> get the "invalid login" page.
>
> Any idea?
>
> Thanks
> Richard
>



Re: Security problem with hudson on glassfish

Richard Bair-2
Another Followup:

It turns out that logging into /hudson/login will yield the 400 error, and /hudson/loginEntry yields the 403 error.

Why are there two login pages?

Richard



Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2
Richard Bair wrote:
> Another Followup:
>
> It turns out that logging into /hudson/login will yield the 400  
> error, and /hudson/loginEntry yields the 403 error.
>
> Why are there two login pages?

Thanks for the details. It sounds like it's time to install GF and test
what's going on.


--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


Re: Security problem with hudson on glassfish

Richard Bair-2
> Thanks for the details. It sounds like it's time to install GF and  
> test what's going on.

Cool. Good luck :-)

So, a bit more. I figured out what the /login and /loginEntry bits were all about. For anybody googling around later, the /loginEntry is specified in the web.xml as a protected resource. Tomcat (and GlassFish, apparently) don't want you to access the j_security_check URL directly. So /loginEntry exists to cause Tomcat (and Glassfish) to return the login form specified in the web.xml. Along with this is a JSESSIONID cookie.

In a subsequent post to j_security_check, this JSESSIONID is included. The j_username and j_password are then inspected by Tomcat (and Glassfish). If authenticated, then you are good to go.

Where I'm at now is trying to figure out what redirect occurs after a successful login.

Richard



Re: Security problem with hudson on glassfish

Richard Bair-2
> Where I'm at now, is trying to figure out what redirect occurs  
> after a successful login.

Continuing with the saga:

After successfully logging in to j_security_check, I have the following headers:

Name: Date, Value: Thu, 08 Feb 2007 23:33:49 GMT
Name: Location, Value: http://swinglabs.org/hudson/loginEntry
Name: X-Powered-By, Value: Servlet/2.5
Name: Content-Type, Value: text/plain; charset=iso-8859-1
Name: Content-Length, Value: 0
Name: Server, Value: Sun Java System Application Server Platform Edition 9.0_01

The interesting one is the Location header. It is trying to redirect me to http://swinglabs.org/hudson/loginEntry. The browser then tries to go to this resource (and, it uses the session cookie obtained earlier). When it does, the 403 error comes back. For some reason, Glassfish doesn't want me to go back to that resource, maybe because it doesn't really exist.

It looks like, perhaps, there should be a loginEntry.jelly page that redirects to the home page or something. Just guessing wildly. I wonder what tomcat did...

Richard



Re: Security problem with hudson on glassfish

Richard Bair-2
BTW, I'm using the SwingX-WS library to do the sleuthing. Here's the code:

[code]
    // Step 1: hit the protected /loginEntry URL. The container creates a session
    // (Set-Cookie: JSESSIONID=...), remembers this request, and serves the login form.
    Session s = new Session();
    Response r = s.post("http://swinglabs.org/hudson/loginEntry");
    Header sessionCookie = null;
    for (Header h : r.getHeaders()) {
        if (h.getName().equals("Set-Cookie")) {
            String val = h.getValue();
            int start = val.indexOf("JSESSIONID=");
            if (start < 0) {
                continue;                       // some other cookie; ignore it
            }
            start += "JSESSIONID=".length();
            int end = val.indexOf(";", start);  // attributes (Path=...) may follow
            String sessionid = end < 0 ? val.substring(start) : val.substring(start, end);
            // Send the id back as a real Cookie header, not as a header named JSESSIONID.
            sessionCookie = new Header("Cookie", "JSESSIONID=" + sessionid);
        }
    }

    // Step 2: POST the credentials to j_security_check inside that same session.
    Request req = new Request();
    req.setMethod(Method.POST);
    req.setHeader(sessionCookie);
    req.setUrl("http://swinglabs.org/hudson/j_security_check");
    req.setParameters(
            new Parameter("j_username", "admin"),
            new Parameter("j_password", "secret"));
    r = s.execute(req);

    // The Location header here is the redirect back to the saved /loginEntry request.
    for (Header h : r.getHeaders()) {
        System.out.println(h);
    }

    // Step 3: follow the redirect with the session cookie; this is where the 403 shows up.
    req = new Request();
    req.setUrl("http://swinglabs.org/hudson/loginEntry");
    req.setHeader(sessionCookie);
    r = s.execute(req);
    System.out.println(r.getBody());
[/code]

Along the way I had println's to spit out the HTML and headers coming back from the server to see what it was up to.



Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2

Good detective work!

I'll try your suggestion of adding a dummy loginEntry.jelly. That might make GF happy.

When looking at HTTP headers, Firefox has this great "Live HTTP header" extension. A must have for any developer, IMO.

Richard Bair wrote:

> BTW, I'm using the SwingX-WS library to do the sleuthing. Here's the  
> code:
>
> [code]
>          Session s = new Session();
>          Response r = s.post("http://swinglabs.org/hudson/loginEntry");
>          Header sessionCookie = null;
>          for (Header h : r.getHeaders()) {
>              if (h.getName().equals("Set-Cookie")) {
>                  String val = h.getValue();
>                  String sessionid = val.substring(val.indexOf
> ("JSESSIONID=") + 11, val.indexOf(";"));
>                  sessionCookie = new Header("JSESSIONID", sessionid);
>              }
>          }
>
>          Request req = new Request();
>          req.setMethod(Method.POST);
>          req.setHeader(sessionCookie);
>          req.setUrl("http://swinglabs.org/hudson/j_security_check");
>          req.setParameters(
>                  new Parameter("j_username", "admin"),
>                  new Parameter("j_password", "secret"));
>          r = s.execute(req);
>
>          for (Header h : r.getHeaders()) {
>              System.out.println(h);
>          }
>
>          req = new Request();
>          req.setUrl("http://swinglabs.org/hudson/loginEntry");
>          req.setHeader(sessionCookie);
>          r = s.execute(req);
>          System.out.println(r.getBody());
> [/code]
>
> Along the way I had println's to spit out the HTML and headers coming  
> back from the server to see what it was up to.
>

--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2
In reply to this post by Richard Bair-2
Richard Bair wrote:
> Followup: I've tried 1.78 and 1.79 of Hudson.
>
> Also, if I enter a bad username/password, then there is a log entry  
> in my glassfish log files indicating a failed login attempt. If I  
> enter the correct username/password, then there is *no* entry in the  
> log file whatsoever. It just simply returns *either* 400, or 403  
> (HTTP Status 403 - Access to the requested resource has been denied).

OK, I must be even worse than you are. I can't even get the realm
associated with hudson. So I'm simply not prompted the username/password
when I login. I flipped through most of the admin UI, and I also
searched Google to no avail. How did you get that to work?

Glassfish is really frustrating...

--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2
In reply to this post by Kohsuke Kawaguchi-2
Kohsuke Kawaguchi wrote:
> Good detective work!
>
> I'll try your suggestion of adding a dummy loginEntry.jelly. That might
> make GF happy.

loginEntry page actually does exist. It's defined in Java code to
redirect to the top page. This is to "bounce back" people to the main
page after logging in.

--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


Re: Security problem with hudson on glassfish

Richard Bair-2
In reply to this post by Kohsuke Kawaguchi-2
> Richard Bair wrote:
>> Followup: I've tried 1.78 and 1.79 of Hudson.
>> Also, if I enter a bad username/password, then there is a log  
>> entry  in my glassfish log files indicating a failed login  
>> attempt. If I  enter the correct username/password, then there is  
>> *no* entry in the  log file whatsoever. It just simply returns  
>> *either* 400, or 403  (HTTP Status 403 - Access to the requested  
>> resource has been denied).
>
> OK, I must be even worse than you are. I can't even get the realm  
> associated with hudson. So I'm simply not prompted the username/
> password when I login. I flipped through most of the admin UI, and  
> I also searched Google to no avail. How did you get that work?

If you click on the "/Configuration/Security" node in the admin UI, there is an option called "default realm". I think by default it is set to "file". So this tells you what realm Hudson will try to log into (since the web.xml doesn't specify a realm).

Next, click the "/Configuration/Security/Realms/file" node. In the detail page, click "Manage Users". Add a new user (your Hudson admin account). Make sure the user is assigned to the "admin" group. "Group" is basically role, as far as I can tell.

Good luck. I've also posted on the glassfish forums, but no feedback yet.

Thanks
Richard



Re: Security problem with hudson on glassfish

Richard Bair-2
In reply to this post by Kohsuke Kawaguchi-2
> Kohsuke Kawaguchi wrote:
>> Good detective work!
>> I'll try your suggestion of adding a dummy loginEntry.jelly. That  
>> might make GF happy.
>
> loginEntry page actually does exist. It's defined in Java code to  
> redirect to the top page. This is to "bounce back" people to the  
> main page after logging in.

Man, I looked everywhere for that thing. I didn't see loginEntry in the hudson sources, or in the Stapler sources. Where is it defined?

I did try adding a loginEntry HTML file, but that didn't work anyway.

Richard




Re: Security problem with hudson on glassfish

Richard Bair-2
Some more info from: http://www.developinjava.com/readarticle.php?article_id=5

"Note that this role is not the same as the group “Users” defined in Glassfish earlier"

It looks like I misunderstood the GlassFish security scenario. It appears that, first, my assumption that "group" was == "role" is wrong. Second, I have to provide a sun-web.xml file to map between a "role" and a "group". Drat.

I'll keep on this trail and see where it leads me.

Richard



Re: Security problem with hudson on glassfish

Richard Bair-2
Bam! Got it.

There are, of course, many ways to go about this problem. But in order to get Hudson, out of the box, to work, this is what you have to do:

1) Go to "/Configuration/Security". Note the Default Realm (which, by default, is "file").
2) Also in "/Configuration/Security", make sure "Default Principal to Role Mapping" is checked(!). Otherwise, you have to include a sun-web.xml deployment descriptor with Hudson to map between a role-name (admin) and a principal-name/group-name.
3) Go to the Default Realm ("file" by default, /Configuration/Security/Realms/file).
4) Click "manage users"
5) Add a new user
    a) Set the user name to "admin"
    b) Set a password
    c) Set the group to "admin". Technically, I don't think this part is required, but I did it just for good luck.
6) Deploy hudson.war

And it should work.

Cheers
Richard
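The handshake Richard reverse-engineered across the thread (protected /loginEntry, JSESSIONID, POST to j_security_check, redirect back, then 403) can be modelled as a small state machine. This is an added example, not code from Hudson, GlassFish or the posts; the class and function names and the sample realm data are constructed. It reproduces the 400 for a direct POST, the 403 when a correctly authenticated user has no role mapping, and the fix via "Default Principal to Role Mapping" (or an explicit role-to-group mapping, which is what sun-web.xml provides).

```python
from dataclasses import dataclass, field

# Constructed sample data: a GlassFish-style "file" realm and Hudson's web.xml constraint.
USERS = {"admin": ("secret", {"admin"})}      # username -> (password, groups)
PROTECTED = {"/hudson/loginEntry": "admin"}   # url -> role required by <security-constraint>


@dataclass
class Session:                                # state the container keeps under JSESSIONID
    saved_request: object = None              # protected URL to bounce back to after login
    principal: object = None
    groups: set = field(default_factory=set)


@dataclass
class Container:
    default_p2r_mapping: bool = True          # the "Default Principal to Role Mapping" checkbox
    role_mapping: dict = field(default_factory=dict)  # sun-web.xml style: role -> groups

    def has_role(self, sess, role):
        if self.default_p2r_mapping:          # group name is taken as the role name
            return role in sess.groups
        return bool(self.role_mapping.get(role, set()) & sess.groups)

    def get(self, sess, url):
        role = PROTECTED.get(url)
        if role is None:
            return 200, url
        if sess.principal is None:            # not logged in: save request, serve login form
            sess.saved_request = url
            return 200, "login form"
        if not self.has_role(sess, role):     # authenticated but not authorised
            return 403, "Access to the requested resource has been denied"
        return 200, url

    def j_security_check(self, sess, username, password):
        if sess.saved_request is None:        # POSTed without first hitting a protected page
            return 400, "Invalid direct reference to form login page"
        pw, groups = USERS.get(username, (None, set()))
        if pw is None or pw != password:      # container serves <form-error-page> instead
            return 200, "invalid login"
        sess.principal, sess.groups = username, set(groups)
        target, sess.saved_request = sess.saved_request, None
        return 302, target                    # Location: the saved protected URL


def login(container, username, password):
    """Whole handshake: GET loginEntry, POST j_security_check, follow the redirect."""
    sess = Session()
    container.get(sess, "/hudson/loginEntry")
    status, target = container.j_security_check(sess, username, password)
    if status != 302:
        return status, target
    return container.get(sess, target)
```

The model also explains the missing log entry for a correct password: authentication succeeded, so nothing was logged, and the 403 is an authorisation failure on the redirect target.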



Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2
In reply to this post by Richard Bair-2
Richard Bair wrote:
> If you click on the "/Configuration/Security" node in the admin UI,  
> there is an option called "default realm". I think by default it is  
> set to "file". So this tells you what realm Hudson will try to log  

I checked my setting and it's set to file.

> into (since the web.xml doesn't specify a realm).

Should hudson specify <realm-name>? I thought it's up to a deployer, not up to the developer of Hudson. I mean, how useful is a name like "hudson realm"?


> Next, click the "/Configuration/Security/Realms/file" node. In the  
> detail page, click "Manage Users". Add a new user (your Hudson admin  
> account). Make sure the user is assigned to the "admin" group.  
> "Group" is basically role, as far as I can tell.

Yep, I've done that. But still I'm not asked to enter password.

In fact I can access the whole admin UI without ever logging in. I think
something is definitely wrong.

--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2
In reply to this post by Richard Bair-2
Richard Bair wrote:

>> Kohsuke Kawaguchi wrote:
>>> Good detective work!
>>> I'll try your suggestion of adding a dummy loginEntry.jelly. That  
>>> might make GF happy.
>>
>> loginEntry page actually does exist. It's defined in Java code to  
>> redirect to the top page. This is to "bounce back" people to the  
>> main page after logging in.
>
> Man, I looked everywhere for that thing. I didn't see loginEntry in  
> the hudson sources, or in the Stapler sources. Where is it defined?
It's in Java code, as the Hudson.doLoginEntry() method.

> I did try adding a loginEntry HTML file, but that didn't work anyway.
>
> Richard
>
>

--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]


Re: Security problem with hudson on glassfish

Kohsuke Kawaguchi-2
In reply to this post by Richard Bair-2
Richard Bair wrote:

> Some more info from: http://www.developinjava.com/readarticle.php?
> article_id=5
>
> "Note that this role is not the same as the group “Users” defined in  
> Glassfish earlier"
>
> It looks like I misunderstood the GlassFish security scenario. It  
> appears that, first, my assumption that "group" was == "role" is  
> wrong. Second, I have to provide a sun-web.xml file to map between a  
> "role" and a "group". Drat.
>
> I'll keep on this trail and see where it leads me.
Well, sounds like I wasn't as bad as I originally thought then :-)

I did add that in sun-web.xml and put that in hudson.war, and deployed
it. But no difference. Not even an error message, as far as I can see.


--
Kohsuke Kawaguchi
Sun Microsystems                   [hidden email]
