How to stop login from retrying once connection is lost

[amanda45762]

Hello,

I noticed once a session expires and you are already logged into jolokia/remote jmx inside hawtio, a popup appears with the message "Connection lost. Retrying...", which keeps attempting login to hawtio with the jolokia/remote jmx credentials. This is generating a login error message per minute, which I am trying to stop from happening.

Is there a way to NOT have hawtio keep retrying the connection every minute and completely kill the session (in all windows)? Or a way to set a default refresh rate across the board in hawtio?

[tadayosi]

Hi,

Unfortunately there is currently no way to disable retrying connections but you can change the update rate at the preferences.

Note increasing the update rate also affects the normal case in a way that it doesn't get aware of the server changes sooner.

Disabling retry connections seems to be a useful enhancement, so we can consider adding the option to the prefereces in a future release.

[tadayosi]

Tracked with hawtio/hawtio-next#705

[amanda45762]

There also seems to be a bug with the connection retries itself. I have configured hawtio to use LDAP for logins using a login.conf file containing the below:

hawtio {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="${LDAP_USER_PROVIDER}"
    authIdentity="{USERNAME}@****.com"
    userFilter="${LDAP_USER_FILTER}"
    useSSL=false
    debug=true;
};

And I'm using these JVM args: -Dhawtio.authenticationEnabled: "true" -Dhawtio.authenticationContainerDiscoveryClasses: "" -Dhawtio.realm: "hawtio" -Djava.security.auth.login.config: "/opt/tomcat/conf/login.conf" -Dhawtio.sessionTimeout: "1200" -Dhawtio.proxyAllowlist: "*" -Dendpoints.jolokia.sensitive: "false"

This works fine. After I've logged into hawtio, I connect to the jvm agent using a user/password specified in the JVM agent configuration options like so: agentContext=/jolokia,user=***,password=***. Once I've created a connection, a new window automatically pops up with jmx functions.

The bug occurs when the original window loses connection (or I logout of it), but the second window remains open and keeps retrying connections. These connection retries are going through LDAP, which is not configured for the jvm agent, so the bug is that it is attempting to go through LDAP. I am getting these LDAP login errors every 5 seconds (the refresh rate):
Login failed due to: Cannot bind to LDAP server [LdapLoginModule] authentication-first mode; SSL disabled [LdapLoginModule] user provider: ldap://**** [LdapLoginModule] attempting to authenticate user: **** [LdapLoginModule] authentication failed [LdapLoginModule] aborted authentication
I think this is the block of code I'm referring to: https://github.com/hawtio/hawtio-integration/blob/deebfd1ea93bd6e0cfa5bf63b9d7e7768a8b6110/plugins/jvm/ts/jolokia/jolokiaService.ts#L238-L268

If there is no way to disable the refresh rate by default and I don't want to use a longer session timeout, is there way to prevent the jolokia login retries and just logout the user entirely in all windows? Or a way for the retries to NOT go through LDAP? Am I doing something wrong with the hawtio authentication realm or any other system properties I can use?

[tadayosi]

that said, I don't recommend double authentication when connecting to a remote JVM. Why do you need to connect to a remote authenticated JVM from another authenticated console?

[amanda45762]

do you have a link to the latest hawtio v3?

[tadayosi]

https://github.com/hawtio/hawtio

[amanda45762]

whats the difference between hawtio-default-3.0.0-RC1.war and hawtio-war-3.0.0-RC1.war?

[tadayosi]

hawtio-default.war includes additional support dependencies such as hawtio-local-jvm-mbean while hawtio-war.war is barebone.

[grgrzybek]

I'd like to ask something.

I've reproduced the problem and indeed - if you logout in main window (so you get Clear-Site-Data: "cache", "cookies" response header), the window which performs /proxy requests (the original window performs /jolokia requests) is getting Location: /hawtio/login 302 response.

The problem is that io.hawt.web.auth.LoginRedirectFilter#isRedirectRequired() treats /proxy as secured path, because it's not among io.hawt.web.auth.AuthenticationConfiguration#UNSECURED_PATHS.

And this is where it gets confusing - unsecured paths static field doesn't contain /proxy, but it contains /jolokia, however /jolokia is technically secured - it's mapped to io.hawt.web.auth.AuthenticationFilter in web.xml...

Because it is secured, io.hawt.web.auth.LoginRedirectFilter#tryAuthenticateRequest() is called, but the credentials come from Authorization header which are being sent not to Hawtio main app, but are used by Hawtio Proxy Servlet when communicating with remote Java Agent.

I can do whatever is needed, but I'm not sure what's needed ;) See my observations:

• definitely, when the request is for Proxy servlet, the Authorization header should not be used to get the credentials used by io.hawt.system.Authenticator#authenticate() - here I'm 100% sure and it'd solve [hawtio 3.0.0] Jolokia login incorrectly going through LDAP after losing connection, generating many errors due to refresh rate #3178
• when user is logged out from main Hawtio window - should it be immediately logged out from ALL (potentially many) windows for "Connect"?
  • if yes, then we'd solve How to stop login from retrying once connection is lost hawtio-next#705 by simply removing the reason of "connection lost"
  • if no, we'd need some clarification, because in fact we're NOT logged out from the remote agent - we keep sending proper Basic Auth credentials through main Hawtio's Proxy. Mind that this "connection lost" warning is VERY misleading, as we've lost connection not to the remote agent, but to the proxy servlet
• however, if we choose option 2 above, we're in quite awkward situation - we've logged in into main Hawtio (potentially through OIDC) and used its functionality (proxy) to connect to remote Jolokia agent - if we don't log out the "Connect" windows/tabs, it's practically as if we've used main Hawtio (its proxy servlet) without any authentication...

What do you think?

[grgrzybek]

#3178 is now fixed.

Summary of changes for How to stop login from retrying once connection is lost

• /proxy/* requests are now authenticated
• hawtio-next handles 401 code from proxy servlet in special way - if there's WWW-Authenticate: Basic xxx from remote Jolokia agent it is now translated to WWW-Authenticate: Hawtio original-scheme="Basic" xxx, so browser doesn't show native credentials dialog - this ensures that React dialog is used to enter the credentials if needed
• Cannot login through the Connect plugin on http site hawtio-next#832 fixes the "insecure browsing context" (when accessing non-localhost over http) - there's special warning displayed and we simply can't connect to remote Jolokia agent if it's secured
• Authorization header sent for proxy requests is never used for JAAS authentication in Hawtio - this is the main fix for this issue.
• How to stop login from retrying once connection is lost hawtio-next#705 is fixed, so the warning is shown once
• [hawtio 3.0.0] Jolokia login incorrectly going through LDAP after losing connection, generating many errors due to refresh rate #3178 enforces active session (containing authenticated JAAS subject) when accessing proxy. If there's no session or there's no authentication, 403 is returned and the tab redirects to /login page. Logging in brings you back to connect tab
• Additionally with Remote connection config uses wrong state hawtio-next#906, we display active connection name for tabs opened from main Hawtio after clicking "Connect" button.