What I'm trying to do:
I'm trying to run a sample Spring Boot application with embedded Jolokia, configure basic authentication on it and connect to it from hawt.io, as a kind of pilot project.
My setup (everything on localhost, no firewalls):
I'm using the latest Spring Boot available for my sample application using Jolokia and hawt.io (Disclaimer: I'm fairly new to Spring Boot and Spring Security).
Spring Boot version: 1.5.2.RELEASE
Spring Security: 4.2.2.RELEASE
Jolokia: 1.3.5
Test 1: running without Spring Security at all (I've set management.security.enabled=false in application.properties) - everything works as expected, I'm able to connect to localhost:8080/jolokia without any user/password both from my browser and from the hawt.io application which I'm running locally.
Test 2: comment out the line management.security.enabled=false and create the following configuration file to plug in Spring Security:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Single in-memory user; Spring Security 4.2 accepts a plain password here,
    // "ACTUATOR" becomes authority ROLE_ACTUATOR.
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("admin")
            .password("admin")
            .roles("ACTUATOR");
    }

    // "/" and "/error" stay open; everything under /jolokia/ requires
    // ROLE_ACTUATOR and is challenged with HTTP Basic.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/error").permitAll()
                .antMatchers("/jolokia/**").hasRole("ACTUATOR")
            .and()
            .httpBasic();
    }
}
After this step, when connecting to localhost:8080/jolokia from the browser I see a basic authentication popup, I enter admin/admin and see Jolokia responding, so I conclude that my Spring Security setup is OK.
Now it's time to run hawt.io:
java -jar hawtio-app-1.5.0.jar --port 5555
And now when I hit "connect" in the hawt.io UI after entering the details of my localhost:8080 / jolokia connection (it doesn't have any user/password text fields) it throws me to the hawt.io login screen. And when I enter admin/admin there I see a "Failed to Connect, Forbidden" UI message.
I've tried to see the requests that hawt.io sends to my localhost:8080 (using Burp Suite), and I see that before the hawt.io login screen appears there are a lot of 401 (Unauthorized) responses when attempting to query Jolokia on 8080 (of course there are, because this is before entering admin/admin, so there is no chance of knowing them in advance). After I get to the hawt.io login screen, enter admin/admin and press "login", I don't see any requests from hawt.io to 8080 at all. I only see one request from the UI to the hawt.io server, which responds with 403. So I suspect it's an internal authentication window of hawt.io itself and it has nothing to do with Jolokia.
So what I'm asking is: what am I missing in this setup, and how should I configure hawt.io to be able to connect to my setup?
Thanks a lot in advance.
Adding the Jolokia hostname to the property hawtio.proxyWhitelist did the job for me.