Chapter 4. Security and Authentication of HawtIO
HawtIO enables authentication out of the box depending on the runtime/container it runs with. To use HawtIO with your application, you must either set up authentication for the runtime or disable HawtIO authentication.
4.1. Configuration properties
The following table lists the Security-related configuration properties for the HawtIO core system.
| Name | Default | Description | 
|---|---|---|
| hawtio.authenticationContainerDiscoveryClasses | io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery | Comma-separated list of AuthenticationContainerDiscovery implementations to use. By default there is just TomcatAuthenticationContainerDiscovery, which authenticates users on Tomcat from the tomcat-users.xml file. Remove it to authenticate users on Tomcat from the configured JAAS login module instead, or add more classes of your own. | 
| hawtio.authenticationContainerTomcatDigestAlgorithm | NONE | When using the Tomcat tomcat-users.xml file, passwords can be hashed instead of plain text. Use this to specify the digest algorithm; valid values are NONE, MD5, SHA, SHA-256, SHA-384, and SHA-512. | 
| hawtio.authenticationEnabled | true | Whether or not security is enabled. | 
| hawtio.keycloakClientConfig | classpath:keycloak.json | Keycloak configuration file used for the front end. It is mandatory if Keycloak integration is enabled. | 
| hawtio.keycloakEnabled | false | Whether to enable or disable Keycloak integration. | 
| hawtio.noCredentials401 | false | Whether to return HTTP status 401 when authentication is enabled, but no credentials have been provided. Returning 401 will cause the browser popup window to prompt for credentials. By default this option is false, returning HTTP status 403 instead. | 
| hawtio.realm | hawtio | The security realm used to log in. | 
| hawtio.rolePrincipalClasses | | Fully qualified principal class name(s). A comma can separate multiple classes. | 
| hawtio.roles | Admin, manager, viewer | The user roles required to log in to the console. A comma can separate multiple roles to allow. Set to * or an empty value to disable role checking when HawtIO authenticates a user. | 
| hawtio.tomcatUserFileLocation | conf/tomcat-users.xml | Specify an alternative location for the tomcat-users.xml file, e.g. /production/userlocation/. | 
4.2. Quarkus
HawtIO is secured with the authentication mechanisms that Quarkus and Keycloak provide.
If you want to disable HawtIO authentication for Quarkus, add the following configuration to application.properties:

```properties
quarkus.hawtio.authenticationEnabled = false
```

4.2.1. Quarkus authentication mechanisms
HawtIO is just a web application in terms of Quarkus, so the various mechanisms Quarkus provides are used to authenticate HawtIO in the same way it authenticates a Web application.
Here we show how to use properties-based authentication with HawtIO for demonstration purposes.
The properties-based authentication is not recommended for use in production. This mechanism is for development and testing purposes only.
- To use the properties-based authentication with HawtIO, add the following dependency to pom.xml:

  ```xml
  <dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-elytron-security-properties-file</artifactId>
  </dependency>
  ```

- You can then define users in application.properties to enable the authentication. For example, defining a user hawtio with password s3cr3t! and role admin would look like the following:

  ```properties
  quarkus.security.users.embedded.enabled = true
  quarkus.security.users.embedded.plain-text = true
  quarkus.security.users.embedded.users.hawtio = s3cr3t!
  quarkus.security.users.embedded.roles.hawtio = admin
  ```
Example:
See Quarkus example for a working example of the properties-based authentication.
4.2.2. Quarkus with Keycloak
4.3. Spring Boot
In addition to the standard JAAS authentication, HawtIO on Spring Boot can be secured through Spring Security or Keycloak. If you want to disable HawtIO authentication for Spring Boot, add the following configuration to application.properties:

```properties
hawtio.authenticationEnabled = false
```

4.3.1. Spring Security
To use Spring Security with HawtIO:
- Add org.springframework.boot:spring-boot-starter-security to the dependencies in pom.xml:

  ```xml
  <dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
  </dependency>
  ```

- Spring Security configuration in src/main/resources/application.properties should look like the following:

  ```properties
  spring.security.user.name = hawtio
  spring.security.user.password = s3cr3t!
  spring.security.user.roles = admin,viewer
  ```

- A security config class has to be defined to set up how to secure the application with Spring Security.
Example:
See springboot-security example for a working example.
4.3.1.1. Connecting to a remote application with Spring Security
If you try to connect to a remote Spring Boot application with Spring Security enabled, make sure the Spring Security configuration allows access from the HawtIO console. Most likely, the default CSRF protection prohibits remote access to the Jolokia endpoint and thus causes authentication failures at the HawtIO console.
Be aware that disabling CSRF protection will expose your application to the risk of CSRF attacks.
- The easiest solution is to disable CSRF protection for the Jolokia endpoint at the remote application.
- To secure the Jolokia endpoint even without Spring Security's CSRF protection, you need to provide a jolokia-access.xml file under src/main/resources/ so that only trusted nodes can access it.
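As an added illustration (not code from this page or the HawtIO project), the following Spring Security 6 configuration class covers both the security config class step of 4.3.1 and the Jolokia CSRF exception of 4.3.1.1: every request requires authentication, the Jolokia endpoint additionally requires the admin role defined in application.properties, and CSRF protection is relaxed only for that endpoint instead of for the whole application. The Jolokia path /actuator/jolokia/** is an assumption (the Spring Boot Actuator default); adjust it if your application exposes Jolokia elsewhere.

```java
package com.example.hawtio; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HawtioSecurityConfig {

    // Assumed path of the Jolokia endpoint (Spring Boot Actuator default).
    private static final String JOLOKIA = "/actuator/jolokia/**";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // The Jolokia endpoint is the JMX surface HawtIO talks to; require
                // the admin role (spring.security.user.roles = admin,viewer yields
                // ROLE_admin, which hasRole("admin") matches).
                .requestMatchers(JOLOKIA).hasRole("admin")
                // Everything else, including the HawtIO console itself, needs a login.
                .anyRequest().authenticated())
            // HTTP Basic lets a remote HawtIO console authenticate against this app;
            // form login serves interactive browser users of the embedded console.
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults())
            // Exempt only the Jolokia endpoint from CSRF checks, as the text describes,
            // so the rest of the application keeps Spring Security's CSRF protection.
            // The endpoint is still authenticated, and jolokia-access.xml can restrict
            // which hosts and MBeans are reachable through it.
            .csrf(csrf -> csrf.ignoringRequestMatchers(JOLOKIA));
        return http.build();
    }
}
```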