[Solved] Authentication issue in Sunstone js dist/login.js

Dear OpenNebula developers

We found this issue some weeks ago, playing around with a new apache version and passenger.

The problem is this: we have a Sunstone standalone installation using Apache 2.4.6 and Passenger 5.0.30, the same installation that is described in the documentation. In our case we are using Sunstone remote auth:

:auth: remote

We use Apache to handle the authentication and to set the REMOTE_USER variable (in our case we are using Kerberos):

http://docs.opennebula.org/5.0/deployment/sunstone_setup/suns_auth.html

The problem is this: when your user is already authenticated by Apache and he/she clicks on the login button, the Auth header is overwritten by the Sunstone JavaScript. REMOTE_USER is set to undefined and the user is not able to log in. This behaviour is correct if you are using the login/password view, but it should change if you use the remote or x509 views, which only have a login button without user/password input.

The workaround is quite easy: we only have to comment out the line where setRequestHeader is located in the /usr/lib/one/sunstone/public/dist/login.js file, so it looks like this (but if we change the view to login/pass it will fail, of course):

        // Build the HTTP Basic credential from the login form fields
        var token = username + ':' + password;
        var authString = 'Basic ';
        if (typeof(btoa) === 'function')
            authString += btoa(unescape(encodeURIComponent(token)))
        else {
            token = CryptoJS.enc.Utf8.parse(token);
            authString += CryptoJS.enc.Base64.stringify(token)
        }
        // Commented out: with remote/x509 auth this header must not be set,
        // otherwise it clobbers the Apache-provided REMOTE_USER
        //req.setRequestHeader("Authorization", authString);
    },
    success: function(response) {

And REMOTE_USER is not unset. I don't know why we didn't find this issue before; maybe it depends on the browser and the Apache version that you are using. In any case, the login JavaScript should be changed to modify the Auth header only for user/login views and keep it untouched for x509/remote views. We don't know your plans about this, maybe you have another way to change the login behaviour, so we didn't open a ticket yet, but we can open a PR to fix it.

Let us know what you think about this :smile:

Cheers and thanks!
Alvaro

Hi,

Can you please open a ticket at http://dev.opennebula.org?
Thank you

Hi @cmartin

I have opened a ticket: http://dev.opennebula.org/issues/4748. Thanks a lot!

Meanwhile we will take a look at creating a patch and installing the modified rpm in our testing cloud.

Cheers
Alvaro

Great, thanks.
You may be aware, but just in case I’ll mention that sunstone-server.conf has an ‘env’ parameter that can be set to ‘dev’, in which case the non-minimized files are served to the browser.

See here for more info:
http://docs.opennebula.org/5.0/integration/references/sunstone_dev.html

Thanks for the tip! Yes, we haven't tried the dev environment yet, but we will; it looks quite useful for some hacks.

Hi

We have opened a PR to fix this; we have included an if condition to check that the user and password variables are set before updating the header. I have tested this patch in our conf and it's working.

https://github.com/OpenNebula/one/pull/108
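The guard described in the first post and in the PR, as an added example that is not code from Sunstone's login.js or from the linked PR. It isolates the beforeSend logic: the Basic Authorization header is built only when both login fields are non-empty, so a request that Apache has already authenticated (remote/x509 view, button only) reaches Sunstone with REMOTE_USER untouched. The function names (buildAuthHeader, applyLoginAuth, fakeRequest) and the stand-in request object are assumptions for illustration; the base64 helper uses Buffer under Node and falls back to the btoa idiom the original snippet uses in the browser.

```javascript
// Added example, not OpenNebula code. Demonstrates the "only set
// Authorization when user/password are present" check in isolation.

// Base64 of the UTF-8 bytes of a string. Node has Buffer; in a browser
// fall back to the btoa(unescape(encodeURIComponent())) idiom that
// Sunstone's login.js uses so non-ASCII passwords still encode correctly.
function utf8ToBase64(str) {
  if (typeof Buffer === 'function') {
    return Buffer.from(str, 'utf8').toString('base64');
  }
  return btoa(unescape(encodeURIComponent(str)));
}

// Returns the value for the Authorization header on a user/password
// login, or null when either field is empty (the remote and x509 views
// have no inputs, so nothing must be sent).
function buildAuthHeader(username, password) {
  if (!username || !password) {
    return null;
  }
  return 'Basic ' + utf8ToBase64(username + ':' + password);
}

// The guarded beforeSend body (hypothetical name). Only calls
// setRequestHeader when credentials exist, so an Apache-authenticated
// request is not clobbered. Returns true when the header was set.
function applyLoginAuth(req, username, password) {
  var authString = buildAuthHeader(username, password);
  if (authString === null) {
    return false;
  }
  req.setRequestHeader('Authorization', authString);
  return true;
}

// Minimal stand-in for the XMLHttpRequest that jQuery hands to beforeSend.
function fakeRequest() {
  var headers = {};
  return {
    headers: headers,
    setRequestHeader: function (name, value) { headers[name] = value; }
  };
}

// Simulate both login views with constructed inputs (not real traffic).
function demo() {
  var userPass = fakeRequest();
  applyLoginAuth(userPass, 'alice', 'secret'); // login/password view

  var remote = fakeRequest();
  applyLoginAuth(remote, '', '');              // remote / x509 view: button only

  return { userPass: userPass.headers, remote: remote.headers };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints an Authorization header for the user/password case and an empty header set for the remote case, which is the behaviour the thread asks for: the Kerberos-authenticated request goes through with REMOTE_USER intact, while the classic view still sends its Basic credential.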