
What I'm trying to do:

I'm trying to run a sample Spring Boot application with embedded Jolokia, configure basic authentication on it and connect to it from hawt.io, a kind of pilot project.

My setup (everything on localhost, no firewalls):

  • Spring application on port 8080 (default)
  • Hawtio on port 5555

I'm using the latest Spring Boot available for my sample application using Jolokia and hawt.io (disclaimer: I'm fairly new to Spring Boot and Spring Security).

  • Spring Boot version: 1.5.2 RELEASE
  • Spring Security: 4.2.2 RELEASE
  • Jolokia: 1.3.5

Test 1: running without Spring Security at all (I've set management.security.enabled=false in application.properties) - everything works as expected, I'm able to connect to localhost:8080/jolokia without any user/password, both from my browser and from the hawt.io application which I'm running locally.

Test 2: comment out the line management.security.enabled=false and create the following configuration class to plug in Spring Security:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Single in-memory user; Spring Security 4.2 accepts the plain password here
    // (no password encoder is configured in this sample).
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                .password("admin")
                .roles("ACTUATOR");
    }

    // Everything under /jolokia/** requires the ACTUATOR role via HTTP Basic auth;
    // the root and error pages stay open.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/error").permitAll()
                .antMatchers("/jolokia/**").hasRole("ACTUATOR")
                .and().httpBasic();
    }
}

After this step, when connecting to localhost:8080/jolokia from the browser I see a basic authentication popup, I enter admin/admin and see Jolokia responding, so I conclude that my Spring Security setup is OK.

Now it's time to run hawt.io:

java -jar hawtio-app-1.5.0.jar --port 5555

And now when I hit "connect" in the hawt.io UI after entering the details of my localhost:8080 / jolokia connection (it doesn't have any user/password text fields), it throws me to the hawt.io login screen. And when I enter admin/admin there I see a "Failed to Connect, Forbidden" UI message.

I've tried to see the requests that hawt.io sends to my localhost:8080 (using Burp Suite), and I see that before the hawt.io login screen appears there are a lot of 401 (Unauthorized) responses when attempting to query Jolokia on 8080 (of course there are, because this is before entering admin/admin, so there is no chance to know that in advance). After I reach the hawt.io login screen, enter admin/admin and press "login", I don't see any requests from hawt.io to 8080 at all. I only see one request from the UI to the hawt.io server, which responds with 403. So I suspect it's an internal authentication window of hawt.io itself and it has nothing to do with Jolokia.

So what I'm asking is: what am I missing in this setup, and how should I configure hawt.io to be able to connect to my setup?

Thanks a lot in advance

Mark Bramnik

2 Answers


Adding the jolokia hostname to the property hawtio.proxyWhitelist did the job for me.

rrarr
  • Is this really the only way? It's very disappointing - for me the main reason to use jolokia was that setting up JMX behind docker network is very hard since you need to know the host ip – Amit Goldstein May 26 '20 at 05:08
  • I realise now you can set proxyWhitelist to '*' so you don't need to know your host beforehand. – Amit Goldstein May 26 '20 at 06:13
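
As an added illustration, not hawtio's own code and not part of the original answer or comments, of what the hawtio.proxyWhitelist fix above relies on: the hawt.io server proxies the browser's Jolokia requests to the target host, so that allowlist decides which hosts the proxy may reach at all, which is why the browser-side login succeeded while the proxied connection was refused. The class below models the two forms mentioned on this page, a comma-separated hostname list and '*'. The exact matching rules (case-insensitive exact hostname match, no suffix matching) are assumptions of this example, not hawtio's documented behaviour, and the system-property form `java -Dhawtio.proxyWhitelist=localhost -jar hawtio-app-1.5.0.jar --port 5555` is likewise an assumption about how the property is supplied on the command line shown in the question.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Illustrative host-allowlist check modelled on the hawtio.proxyWhitelist
// property as described on this page. This is example code, not hawtio's
// implementation: the matching rules below are this example's assumptions.
public final class ProxyAllowlist {

    private final Set<String> hosts = new HashSet<>();
    private final boolean allowAll;

    // value is the raw property text, e.g. "localhost,jolokia.internal" or "*"
    public ProxyAllowlist(String value) {
        boolean wildcard = false;
        if (value != null) {
            for (String entry : value.split(",")) {
                String host = entry.trim().toLowerCase(Locale.ROOT);
                if (host.isEmpty()) {
                    continue;
                }
                if (host.equals("*")) {
                    wildcard = true;
                    continue;
                }
                hosts.add(host);
            }
        }
        this.allowAll = wildcard;
    }

    // Exact, case-insensitive match on the target hostname. Deliberately no
    // substring or suffix matching, so "localhost.example.net" is not accepted
    // just because "localhost" is on the list.
    public boolean permits(String targetHost) {
        if (targetHost == null || targetHost.trim().isEmpty()) {
            return false;
        }
        if (allowAll) {
            return true;
        }
        return hosts.contains(targetHost.trim().toLowerCase(Locale.ROOT));
    }

    // True when the list was configured as "*": every proxy target is allowed,
    // which removes the restriction the allowlist exists to provide.
    public boolean isWildcard() {
        return allowAll;
    }

    public static void main(String[] args) {
        // Constructed sample values for the scenario in the question (hawt.io
        // on port 5555 proxying to the Spring Boot app on localhost:8080).
        ProxyAllowlist specific = new ProxyAllowlist("localhost");
        ProxyAllowlist everything = new ProxyAllowlist("*");

        System.out.println("localhost allowed: " + specific.permits("localhost"));
        System.out.println("LOCALHOST allowed: " + specific.permits("LOCALHOST"));
        System.out.println("localhost.example.net allowed: " + specific.permits("localhost.example.net"));
        System.out.println("other-host.internal allowed: " + specific.permits("other-host.internal"));
        System.out.println("wildcard allows other-host.internal: " + everything.permits("other-host.internal"));

        if (everything.isWildcard()) {
            System.out.println("note: proxy allowlist is '*'; the hawt.io proxy would forward to any host a user names");
        }
    }
}
```

With `-Dhawtio.proxyWhitelist=localhost` the model permits the localhost:8080 connection from the question and nothing else; with '*' (the second comment's shortcut) the check passes for every host, so on anything other than a single-developer machine the narrower hostname list is the setting to keep.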

Try adding endpoints.jolokia.sensitive=false to Spring Boot application.properties.

By default Spring Boot treats Jolokia as a "sensitive" resource, which may cause authorization errors accessing Jolokia.

Tadayoshi Sato
  • Thanks, but it doesn't help, I see the same behavior. I suspect that it's something with hawt.io, rather than the Spring application. If I connect from the browser directly to http://localhost:8080/jolokia I do see a basic authentication popup, and when I enter admin/admin there I'm able to connect. – Mark Bramnik Apr 04 '17 at 14:22