Remote connection to authenticated Jolokia may cause endless redirect loop

[grgrzybek]

I'm still finding the exact path, but generally I was trying to connect to remote Jolokia agent with basic authentication enabled. When connecting, I saw browser popup to enter Basic credentials for target Jolokia - when done properly, these credentials are then sent to remote Jolokia (browser adds Authorization header to xhr requests).

But at some point I've somehow stored bad credentials in browser's credential cache and then this Authorization header (with bad credentials) was added automatically not only for proxied request (to remote Jolokia), but to main hawtio causing 403 and logout...

[grgrzybek]

Also I can't (yet) determine when browser popup is displayed and when Hawtio React <ConnectLogin> is displayed...

[grgrzybek]

Some test scenarios I found:

Connect after clearing "HTTP authentications"

• run yarn start in top level dir of hawtio-next
• start remote Jolokia application with -javaagent:jolokia-agent-jvm-2.0.2-javaagent.jar=port=7778,protocol=http,debug=true,discoveryEnabled=true,user=grgr,password=grgr
• import this connection:

  [
  {
  "name": "grgr-test-jolokia",
  "scheme": "http",
  "host": "localhost",
  "port": 7778,
  "path": "/jolokia"
  }
  ]

• CTRL-SHIFT-DEL in Firefox (or similar in Chrome) to clear active logins:
• click "Connect" - new window/tab opens with URL like http://localhost:3000/hawtio/?con=name and native browser popup:
• when you enter invalid credentials, these are immediately tried by the browser - you can't see it in network tab, but you can see the packet in Wireshark. Native dialog is redisplayed.
• when you click "cancel", /hawtio/proxy/http/localhost/... requests end with 401 and Hawtio displays React dialog to enter the credentials
  • hitting cancel closes the tab
  • hitting close (x) closes the tab
  • entering wrong credentials displays "Incorrect username or password" - 401 request is visible in Wireshark
  • entering correct credentials refreshes the page, adds connect.salt and connect.credentials to session storage and additionally browser offers to store the credentials in its own storage. only one entry in password manager is created:
  • if we then close the tab and click "Connect" again from main Hawtio and if we didn't store the credentials in browser itself, native credentials popup is displayed again
  • but I checked that after saving credentials in the browser, we still see native dialog when clicking "Connect" again...
• if you'd type valid credentials, no React dialog would be shown and Firefox would offer to store the credentials. Nothing is stored in session storage.
  • if you save the credentials in browser, next time you click "Connect", no native or React dialog is shown. Two entries in password manager are stored:

Clearing "HTTP authentications" when connected tab is working

(session storage should not contain encrypted credentials, so we should use the path that doesn't involve React dialog from Hawtio.)

• Connected agent's tab is opened and we can see successful /proxy requests
• After clearing HTTP authentications we can see native dialog during next tick for proxy request
• closing the dialog without entering credentials - page is refreshed and native dialog is displayed again
• another close - we can see React dialog
• When entering bad credentials, dialog is redisplayed
• When entering correct credentials, browser offers to save them in password manager
• I swear that once I saw full-screen login page here...

[tadayosi]

• start remote Jolokia application with -javaagent:jolokia-agent-jvm-2.0.2-javaagent.jar=port=7778,protocol=http,debug=true,discoveryEnabled=true,user=grgr,password=grgr

We can also test it with this jbang script:

///usr/bin/env jbang --javaagent=org.jolokia:jolokia-agent-jvm:2.0.2:javaagent=port=8778,protocol=http,debug=true,discoveryEnabled=true,user=grgr,password=grgr "$0" "$@" ; exit $?
//DEPS org.apache.camel:camel-bom:4.6.0@pom
//DEPS org.apache.camel:camel-core
//DEPS org.apache.camel:camel-management
//DEPS org.apache.camel:camel-main
//DEPS org.apache.camel:camel-stream
//DEPS org.slf4j:slf4j-simple:2.0.13

// Camel imports
import org.apache.camel.*;
import org.apache.camel.builder.*;
import org.apache.camel.main.*;
import org.apache.camel.spi.*;
import static org.apache.camel.builder.PredicateBuilder.*;

import static java.lang.System.*;

class camel_jmx {

    public static void main(String... args) throws Exception {
        out.println("Running Camel route...");

        var main = new Main();
        main.configure().addRoutesBuilder(new RouteBuilder() {
            public void configure() throws Exception {
                from("timer:hello?period=3000")
                    .setBody().constant("Hello Camel!")
                    .to("stream:out");
            }
        });
        main.run();
    }
}

[grgrzybek]

Closing as can't reproduce and after some improvements from #832.