
Conversation

@Fuud (Contributor) commented Apr 13, 2022

Note: This PR based on #2018 , please review and merge #2018 first.

Example:
We want to allow any user to access /applications.html but do not want to allow getting heap dumps or inspecting configuration properties.
Then we configure:

...("/applications").permitAll()
...("/instances/**").authenticated()

Then when a user opens applications.html and drills down to an instance, they will get a 401.
This 401 should be handled and the user should be redirected to the login page.

But if the user gets a 401 from a proxied request (the target app's security does not allow access to the endpoint), then no redirect should be performed.

To distinguish between SBA security and target app security I introduced a new header. If it exists, then the user request bypassed SBA security and the 401 was received from the target app.
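The decision described in this PR, written out as an added example (not code from the PR or from Spring Boot Admin): a small frontend classifier that sends the user to the login page only when the 401 came from SBA's own security layer, and leaves a 401 that was proxied through from the monitored instance alone. It assumes the proxy marks proxied responses with the `sba-proxy-response` header named in the PR and only checks for the header's presence; the function names and the sample error objects are constructed for the example.

```javascript
// Added example, not code from the PR: classify a 401 the SBA UI receives as
// coming either from SBA's own security layer or from the monitored instance
// via the proxy. Assumption: the proxy marks proxied responses with the
// response header `sba-proxy-response` (name taken from the PR); only the
// header's presence is inspected, not its value.

const PROXY_RESPONSE_HEADER = 'sba-proxy-response';

// Case-insensitive header lookup. axios lowercases header names, but a
// hand-rolled fetch wrapper might not, so do not rely on exact casing.
function getHeader(headers, name) {
  if (!headers) return undefined;
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

function isProxiedInstanceResponse(response) {
  return getHeader(response.headers, PROXY_RESPONSE_HEADER) !== undefined;
}

// Returns:
//   'redirect-login' : SBA itself rejected the request; the SBA session is gone
//   'show-error'     : the monitored instance rejected the proxied request;
//                      the SBA session is still valid, so no redirect
//   'pass'           : not a 401 (or no HTTP response at all)
function classifyError(error) {
  const response = error && error.response;
  if (!response || response.status !== 401) return 'pass';
  return isProxiedInstanceResponse(response) ? 'show-error' : 'redirect-login';
}

// Constructed sample errors in the shape axios produces.
const SAMPLES = {
  sbaDenied: { response: { status: 401, headers: { 'content-type': 'application/json' } } },
  instanceDenied: { response: { status: 401, headers: { 'SBA-Proxy-Response': 'sba-proxy-response' } } },
  notFound: { response: { status: 404, headers: {} } },
  networkFailure: { message: 'Network Error' },
};

// Runs the classifier over every sample and returns the decisions by name.
function demo() {
  const decisions = {};
  for (const [name, err] of Object.entries(SAMPLES)) {
    decisions[name] = classifyError(err);
  }
  return decisions;
}

// How this would be wired into an axios-style response interceptor (not run here):
//   axios.interceptors.response.use(r => r, err => {
//     if (classifyError(err) === 'redirect-login') window.location.assign('login.html');
//     return Promise.reject(err);
//   });

console.log(demo());
```

Keying the decision on the presence of a response header set by the proxy, rather than on the request URL, means the frontend does not have to know which paths are proxied; the trade-off is that the proxy must be the only party able to put that header on a response it returns.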

@erikpetzold (Member) left a comment

We are not sure if this change is useful for everyone. Why not redirect to login page when instance says it requires authentication? Maybe authenticated users are allowed to invoke the actuator endpoint on the instance. There are so many ways to integrate authentication and authorization.

Adding the header would be ok. Maybe it is then possible to decide based on the header in the security config?

const isInstanceActuatorRequest = url => url.match(/^instances[/][^/]+[/]actuator([/].*)?$/);
const isInstanceActuatorRequest = error => {
return error.response && error.response.headers['sba-proxy-response'] === 'sba-proxy-response';
};
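Review bot: the new check compares the header value against the literal `'sba-proxy-response'`, which is also the header name and is duplicated as the backend constant `PROXY_RESPONSE_HEADER`; if the backend ever sends a different value, or the header as a bare marker, the frontend will silently stop recognising proxied 401s. Consider testing only for the header's presence (`error.response.headers['sba-proxy-response'] !== undefined`), or document the expected value next to the constant so both sides stay in sync.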

With this change the function name is not correct anymore. The name says it is checking if the request is going to the instance, but the implementation is checking where the response came from.

@AdminController
public class InstancesProxyController {

private static final String PROXY_RESPONSE_HEADER = "sba-proxy-response";
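Review bot: this hunk only introduces the constant; the code that attaches the header to proxied responses is not in view, so please confirm that the proxy sets (overwrites) this header rather than passing through one the monitored instance may already carry with the same name, since the frontend treats its presence as proof that the 401 originated at the instance and not at SBA.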

The header name is not 100% clear to me. The frontend receives all responses from the sba backend (proxy).
So does the presence of the header mean

  1. it is coming from proxy itself
  2. from instance through proxy

So maybe there is a better name that does not require deep thinking/reading related code every time stumbling across this header.

@SteKoe (Contributor) commented Jul 8, 2022

Since this is a very special use case and not a general one and due to missing responses, we close this issue.

@SteKoe SteKoe closed this Jul 8, 2022