Cannot login through the Connect plugin on http site #832
Comments
The Connect plugin's capability to connect to a remote JVM with BASIC authentication is now supported only when Hawtio is running on What we can do is to provide the user better UI feedback when they are trying to use the Connect plugin over BASIC authentication in an insecure way, which might lead to compromising the credentials over an insecure channel and thus is not supported.
FYI, the issue is caused by support for secure session storage at #760.
Somehow, even on http://localhost, browser can add the I've created #910 because I was able to break something and I have to dig deeper.
http://localhost is considered secure for development purposes (I guess :D) but http:// (other than 127.0.0.1) isn't.
@mmuzikar @tadayosi I can't determine exactly when this dialog shows up... Usually the browser-native popup appears like this: But sometimes I really saw the React dialog for entering credentials. I didn't check the session storage at that time. I was really looking for the effects of using crypto to store the credentials in session storage, but I didn't see it when the native browser popup appeared. I did some tests on http://localhost, on different ports. I was building my own
Do you know how to ensure that the React dialog (
Comment moved to #910 (comment)
@grgrzybek Thanks for your detailed report. However, at this moment it appears to me to be a different issue than the original one, as the original issue doesn't involve the browser-native prompt. Maybe it's better to discuss it further in a separate issue, as it may require a different fix.
For the record, when using
With XHR (used by Jolokia), every time an attempt is made and we didn't specify the credentials in the browser-native popup, the popup will be redisplayed. Once the credentials are entered, the popup won't show until we clear "Active logins". With the fetch API, if we'd use explicit
When checking connections on http and my IP address different from 127.0.0.1, I see some weird issues with hung connections.
EDIT: - it's about using
If the connection is authenticated, you cannot use http with a hostname/IP address other than localhost/127.0.0.1.
When connecting directly to Jolokia agent with Basic auth enabled, both invocations work:
When connecting via hawtioMiddleware proxy, this works:
but this fails:
Now the backend communication in Wireshark:
The error is:
@tadayosi I know it's again a bit off topic, but maybe there's something wrong with hawtioMiddleware - I'm not yet that familiar with webpack's server + axios client. |
…t" (fixes #832) Signed-off-by: Grzegorz Grzybek <gr.grzybek@gmail.com>
I'll at some point add a documentation section about "Connect" plugin (dedicated (sub)chapter?), but here's a little summary:
For non-secure browsing contexts there's a warning on the connect page. The list of configured connections may display yellow icons and the "Connect" button is disabled. And finally, when editing a connection to a secured Jolokia in a non-secure browsing context, we can see the error. There are also some enhancements in secure contexts: we display some more details when testing a connection, and we display the current connection after connecting to a remote agent.
Currently it's impossible to log in through an insecure context. When trying to log in, the `window.crypto.subtle` object is undefined:

Either hawtio should not work in an insecure context at all (which is IMO the worse option) or hawtio should also work in an insecure context.

Note: `localhost` or `127.0.0.1` is considered safe by the browser, so the subtle object is present, but even on the PC's IP such as `http://192.168.0.143:3000/hawtio/` the website is considered insecure and the object is missing. And there's no note about it, the button just doesn't do anything for the user.
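The rule the thread keeps running into (`window.crypto.subtle` exists on `http://localhost` and `http://127.0.0.1` but not on `http://192.168.0.143:3000/`) is the browser's "secure context" check. The following is an added example, not hawtio-next's own code: it classifies a page URL the way the Secure Contexts spec's "potentially trustworthy origin" test does, checks whether SubtleCrypto is really present, and turns the result into the UI feedback the thread asks for instead of a button that silently does nothing. The function names, the `remoteRequiresAuth` parameter and the warning strings are assumptions for illustration.

```javascript
// Added example (not hawtio-next code). Mirrors the browser rule described in
// the issue: SubtleCrypto is only exposed in a secure context. Plain http on a
// LAN address is not one; http on localhost / 127.0.0.1 / ::1 is.

// "Potentially trustworthy origin" per the Secure Contexts spec: https, wss and
// file schemes, "localhost" and "*.localhost", all of 127.0.0.0/8, and ::1.
function isPotentiallyTrustworthyOrigin(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "http:" -> "http"
  if (scheme === 'https' || scheme === 'wss' || scheme === 'file') {
    return true;
  }
  let host = url.hostname;
  // The WHATWG URL parser keeps the brackets on IPv6 literals ("[::1]").
  if (host.startsWith('[') && host.endsWith(']')) {
    host = host.slice(1, -1);
  }
  if (host === 'localhost' || host.endsWith('.localhost') || host === '::1') {
    return true;
  }
  // Only a bare dotted-quad in 127.0.0.0/8 counts; "127.0.0.1.example.com" does not.
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return v4 !== null && Number(v4[1]) === 127;
}

// Runtime check: true only when a SubtleCrypto object is actually there.
// The parameter lets the check run outside a browser (e.g. in a test).
function subtleCryptoAvailable(globalObject = globalThis) {
  return Boolean(globalObject.crypto && globalObject.crypto.subtle);
}

// What the Connect UI should do (assumed shape): keep the button enabled for
// remotes that need no credentials, disable it with an explanation when the
// remote needs credentials and the page is served from an insecure context.
function connectButtonState(pageUrl, remoteRequiresAuth) {
  const secure = isPotentiallyTrustworthyOrigin(pageUrl);
  if (secure) {
    return { enabled: true, warning: '' };
  }
  if (remoteRequiresAuth) {
    return {
      enabled: false,
      warning:
        'This page is served from an insecure context, so window.crypto.subtle ' +
        'is unavailable and credentials cannot be stored safely. Use https, ' +
        'or open Hawtio on http://localhost or http://127.0.0.1.',
    };
  }
  return {
    enabled: true,
    warning: 'Insecure context: only connections without authentication will work.',
  };
}

// Stand-alone demo of the situation reported in the issue.
const demo = connectButtonState('http://192.168.0.143:3000/hawtio/', true);
console.log(demo.enabled, demo.warning);
```

In the browser itself the same decision can be taken from `window.isSecureContext`, which is what the origin check above reproduces for environments that lack it; the explicit `subtleCryptoAvailable` check is still worth keeping, because a disabled button with a reason is what the original report asked for in place of one that does nothing.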