X-Pack security issue Realm Oauth2

PinkiMondal · February 26, 2018, 10:16am

Hi

I am using xpack 5.5.0. I am implementing oauth realm security and installed it as an extension inside elasticsearch xpack plugin.
Now I have a Java application which uses spring security. I want to access kibana from that application but it should be authenticated using Oauth token.
Suppose I am login in as "roy"(user) and I have roles defined in X-pack. I have used JDBC to store what roles assigned to which user.

As I login from Java application I got Access token and User name now I am sending Authorization, Tenant and AccessToken to kibana using nginx but I am getting below exception:

15:24:26.343 [qtp1645651979-20] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
15:24:26.344 [qtp1645651979-20] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@3bff8da2, returned: -1
15:24:26.345 [qtp1645651979-20] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.2.RELEASE.jar:4.0.2.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.7.RELEASE.jar:3.2.7.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.5.RELEASE.jar:4.2.5.RELEASE]
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) [jetty-security-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) [jetty-servlet-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.Server.handle(Server.java:497) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) [jetty-server-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) [jetty-io-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [jetty-util-9.2.10.v20150310.jar:9.2.10.v20150310]
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [jetty-util-9.2.10.v20150310.jar:9.2.10.v20150310]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_05]
15:24:26.413 [qtp1645651979-20] DEBUG o.s.s.w.u.matcher.AndRequestMatcher - Trying to match using NegatedRequestMatcher [requestMatcher=Ant [pattern='//favicon.ico']]
15:24:26.413 [qtp1645651979-20] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/fetch/roles'; against '//favicon.ico'
15:24:26.413 [qtp1645651979-20] DEBUG o.s.s.w.u.m.NegatedRequestMatcher - matches = true

Please help me out

LeeDr · March 6, 2018, 9:54pm

Is it possible you could upgrade to 6.2.2? Oauth support was added to Kibana in 6.2.0.

TimV · March 8, 2018, 1:20am

That stack trace is coming from your own application, and it's not clear to me what the problem is, or how it relates to the elastic stack.
I'm happy to help resolve issues with custom realms, but you'll need to ask more specific questions, and provide more detailed descriptions of the problem you're facing.

We actually shipped SAML support in 6.2. OAuth support is planned, but we're not ready to provide details on the timeframe.

LeeDr · March 9, 2018, 4:54pm

Oops, right @TimV. My mistake. SAML support is in 6.2.0.

PinkiMondal · March 12, 2018, 9:25am

I am using custom realm which is being used in xpack now I am getting this error I dont know why and How Can I debug my custom realm and Package it without Gradle
Can someone help me out and provide me the steps

system · April 9, 2018, 9:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authentication of [kibana] was terminated by realm Kibana	3	713	February 7, 2018
Xpack File User is not authorized Elasticsearch	5	3493	April 5, 2017
How to perform authentication in kibana? Kibana	24	3133	October 5, 2017
Kibana 6.5.1 won't start up after enabling xpack security in elasticsearch Kibana elastic-stack-security	3	4714	January 1, 2019
Kibana5 Oauth2 authentication with Xpack user roles Kibana	2	2065	March 25, 2017

X-Pack security issue Realm Oauth2

Related topics