issue with security-constraints

[sunilkalra123]

Just wondered if anyone has encountered this before.

Running the latest opengrok on tomcat 10.

enabled https by default in tomcat and configured security-constraints in web.xml that redirects to a form for authentication

when i go to the SSL site (no security-constraints) all looks and works fine.

When i enable SSL with security-constraints it logs in ok but the main page has no formatting. if i then navigate away and click "home" it renders fine.

when i have security-constraints enabled (with or without ssl) it seems to keep asking for credentials. for example, it logs in fine, i get the main search page, click search and it comes back with the login page. Again, authenticates ok. A few rounds of this and it then seems to settle down and work as intended

Edit: Ive done some more investigating. Catalina.out shows the following:
initial logon
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /source/ org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.jsp --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[API Page]' against GET /index.jsp --> false org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /index.jsp --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[API Page]' against GET /index.jsp --> false org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission() org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Page loads and i click the search button
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /source/search org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /search --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[API Page]' against GET /search --> false org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /search --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[API Page]' against GET /search --> false org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission() org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
After this, it appears i can click the search button to my hearts content and it continues working
If i then click on a repo or project i get the following
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /source/api/v1/suggest/config org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /api/v1/suggest/config --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[API Page]' against GET /api/v1/suggest/config --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /api/v1/suggest/config --> true org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[API Page]' against GET /api/v1/suggest/config --> true org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission() org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Now i can access all the code without further authentication

However, if I log in, then go to a repo/project i get asked to authenticate twice and then i can search or look at code without issue.

[vladak]

Looks like a problem in your web.xml security constraint configuration. See https://github.com/oracle/opengrok/wiki/Authorization-based-on-HTTP-Basic-Authentication#application-deployment-descriptor for inspiration.

[sunilkalra123]

Thats the documentation i initially used. I had to exclude more paths than specified because anything in the root dir would not be authenticated so the scripts and favicons would require more logins.

I will have to double check the syntax

[sunilkalra123]

i have double checked this with the config provided but i still end up with the same issue. the only change from the documentation is we are using form authentication and have specified a role name. What happens is that:

• i go to the main page and am presented with the login page
• enter the credentials
• presented with the main opengrok page but without any formatting. this appears to be because, although i have authenticated to get access to /source it hasn't authenticated me for /source/default and /source/js.
• i click on one of the unformatted links and am asked to log in again. this would now have given me accesss to /source/default or /source/js. i have to do this for every directory in /source

if i change the security constraints to have the following

`<security-constraint>
        <display-name>Not Authenticated</display-name>
        <web-resource-collection>
            <web-resource-name>API</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <web-resource-collection>
            <web-resource-name>Web Assets</web-resource-name>
            <url-pattern>/default/*</url-pattern>
            <url-pattern>/js/*</url-pattern>
            <url-pattern>/search*</url-pattern>
        </web-resource-collection>

        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>`

even with this i still have to authenticate twice. i dont particulatly want to add more to this list.

To me (a non tomcat person) it looks like its not passing authentication for sub folders/files