Since so many users have requested the solution, I decided to post it here in the
group.
Please remember my intent was just to bypass authentication for the *topology
applet only*, which would help me publish a few Global Collections views (web
based) company-wide in our portal without the administrative overhead of
creating several users in Spectrum and managing user security.
While trying to find the solution, at one point I was able to disable web
authentication altogether; however, OneClick would then not work. So I would
*not recommend* that curious folks try to disable authentication altogether
and get themselves in trouble.
Considerations:
1. The solution was tested/developed/found on Spectrum 9.2.1 running on a
Solaris system which is *not* integrated with any external systems for
authentication.
2. You will have to restart tomcat.
3. Be careful in restricting the rights of the Spectrum user that will be
used for bypassing the authentication, and in choosing the password for that
account, because if someone does a View Source on the web page that password
will be displayed in clear text.
4. Remember that the files below might get overwritten during patch
application/upgrades and you will have to redo the work.
Solution:
1. Create a user in Spectrum which has privileges to Global Collections,
Models and Alarms. (Currently I have given the user *test* Administrative
privileges, and its password is also *test*.)
2. Back up $SPECROOT/tomcat/webapps/spectrum/topology.applet and modify it
as follows:
a. Under the object tag, update the following code:
ORIGINAL
<param name="jsessionid" value="$$jsessionid">
<param name="user" value="$$user">
$$objparams
$$ssoobjparams
MODIFIED
<param name="jsessionid" value="$$jsessionid">
<param name="user" value="test">
<param name="password" value="test">
$$objparams
$$ssoobjparams
b. Under the embed tag, update the following code:
ORIGINAL
loginTitle="$$logintitle"
jsessionid="$$jsessionid"
user="$$user"
$$embedparams
$$ssoembedparams >
MODIFIED
jsessionid="$$jsessionid"
user="test"
password="test"
$$embedparams
$$ssoembedparams >
3. Back up $SPECROOT/tomcat/webapps/spectrum/WEB-INF/web.xml, search
for *topology.applet*, and *comment out* the *entire security-constraint
section* for it.
ORIGINAL
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Topology Applet</web-resource-name>
        <description>
            This constraint controls access to topology applet in
            Web server.
        </description>
        <url-pattern>/topology.applet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>
            To use SSL for the web resources listed above, configure the
            application server for SSL and change the transport-guarantee
            from NONE to CONFIDENTIAL.
            See the application server documentation and the Servlet 2.3
            specification for additional information.
        </description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
MODIFIED
<!-- <security-constraint>
    <web-resource-collection>
        <web-resource-name>Topology Applet</web-resource-name>
        <description>
            This constraint controls access to topology applet in
            Web server.
        </description>
        <url-pattern>/topology.applet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>
            To use SSL for the web resources listed above, configure the
            application server for SSL and change the transport-guarantee
            from NONE to CONFIDENTIAL.
            See the application server documentation and the Servlet 2.3
            specification for additional information.
        </description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint> -->
4. Restart tomcat.
5. Launch the topology applet for your Global Collection and you should
not be challenged for authentication.
Please let us know whether it works on RHEL and Windows if you test it.
Cheers,
Saurabh Bohra
O: 860-766-0842 | M: 860-385-3597 | e-mail: [email protected]
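As an added example (not from this thread and not CA Spectrum's own code), here is a small Python audit a OneClick administrator can run to detect the two changes described in the steps above: it parses web.xml and reports when /topology.applet is no longer inside an active security-constraint (a commented-out constraint disappears at parse time), and it scans the topology.applet template for user or password fields that hold a literal value instead of a $$ placeholder. The $SPECROOT path layout follows the post; the inline web.xml and applet fragments are constructed samples, and the {*} namespace wildcard needs Python 3.8 or later.

```python
"""Audit a OneClick Tomcat deployment for a weakened topology-applet login.

Added example, not part of the mailing-list thread. It assumes the file
layout given in the post ($SPECROOT/tomcat/webapps/spectrum/topology.applet
and .../WEB-INF/web.xml); the inline samples below are constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

APPLET_PATH = "/topology.applet"

# Constructed web.xml with the topology-applet constraint still active.
WEB_XML_INTACT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Topology Applet</web-resource-name>
      <url-pattern>/topology.applet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# The same file with the whole constraint wrapped in a comment (step 3 above).
WEB_XML_COMMENTED = (
    WEB_XML_INTACT
    .replace("<security-constraint>", "<!-- <security-constraint>", 1)
    .replace("</security-constraint>", "</security-constraint> -->", 1)
)

# Constructed applet templates: placeholders intact vs. literal credentials.
APPLET_ORIGINAL = """<object>
<param name="jsessionid" value="$$jsessionid">
<param name="user" value="$$user">
</object>
<embed jsessionid="$$jsessionid" user="$$user" >
"""
APPLET_MODIFIED = """<object>
<param name="jsessionid" value="$$jsessionid">
<param name="user" value="test">
<param name="password" value="test">
</object>
<embed jsessionid="$$jsessionid" user="test" password="test" >
"""

# <param name="user|password" value="..."> inside the object tag
PARAM_RE = re.compile(r'<param\s+name="(user|password)"\s+value="([^"]*)"', re.I)
# user="..." / password="..." attributes on the embed tag
ATTR_RE = re.compile(r'\b(user|password)="([^"]*)"', re.I)


def constrained_patterns(web_xml: str) -> set:
    """url-patterns protected by a security-constraint with an auth-constraint.

    ElementTree discards XML comments while parsing, so a constraint that was
    commented out is simply absent from the result.
    """
    root = ET.fromstring(web_xml)
    patterns = set()
    for sc in root.iterfind(".//{*}security-constraint"):
        if sc.find("{*}auth-constraint") is None:
            continue  # no auth-constraint means no login is required
        for wrc in sc.findall("{*}web-resource-collection"):
            for up in wrc.findall("{*}url-pattern"):
                patterns.add((up.text or "").strip())
    return patterns


def hardcoded_credentials(template: str) -> list:
    """(name, value) pairs for user/password fields that hold a literal.

    Values starting with $$ are server-side placeholders filled per session
    and are not reported.
    """
    found = []
    for regex in (PARAM_RE, ATTR_RE):
        for m in regex.finditer(template):
            if not m.group(2).startswith("$$"):
                found.append((m.group(1).lower(), m.group(2)))
    return found


def audit(web_xml: str, template: str) -> list:
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    if APPLET_PATH not in constrained_patterns(web_xml):
        findings.append(f"{APPLET_PATH} has no active security-constraint in web.xml")
    for name, value in hardcoded_credentials(template):
        findings.append(f"literal {name}={value!r} in topology.applet template")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real host: python audit.py $SPECROOT
        webapp = Path(sys.argv[1]) / "tomcat" / "webapps" / "spectrum"
        web_xml = (webapp / "WEB-INF" / "web.xml").read_text()
        template = (webapp / "topology.applet").read_text()
        results = audit(web_xml, template)
    else:                  # demo against the constructed samples
        results = audit(WEB_XML_COMMENTED, APPLET_MODIFIED)
    for line in results or ["no findings"]:
        print(line)
```

Run with no arguments for the demo, or pass $SPECROOT to check the live files; a deployment with the constraint intact and only $$ placeholders in the template produces no findings, which makes the script usable as a post-upgrade check as well (consideration 4 above notes the files may be rewritten by patches).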
From: Bohra, Saurabh [mailto:[email protected]]
Sent: Saturday, April 14, 2012 1:15 PM
To: spectrum
Subject: RE: [spectrum] Bypass Spectrum Authentication
Topology applet hacked from tomcat :) Mission accomplished. If anyone is
interested, let me know.
Cheers,
Saurabh Bohra
O: 860-766-0842 | M: 860-385-3597 | e-mail: [email protected]
From: Bohra, Saurabh [mailto:[email protected]]
Sent: Saturday, April 14, 2012 12:18 PM
To: spectrum
Cc: spectrum ([email protected])
Subject: RE: [spectrum] Bypass Spectrum Authentication
This is motivational. I am close to hacking tomcat...
Saurabh Bohra
O: 860-766-0842 | M: 860-385-3597 | e-mail: [email protected]
From: Andrew Stein [mailto:[email protected]]
Sent: Friday, April 13, 2012 7:29 PM
To: Bohra, Saurabh
Subject: Re: [spectrum] Bypass Spectrum Authentication
I'm sure you can "hack" tomcat
Sent from my iPhone. Please pardon any grammatical or spelling errors.
On Apr 13, 2012, at 4:22 PM, "Bohra, Saurabh" <[email protected]> wrote:
All,
Is it possible to bypass Spectrum Web Authentication and launch the topology
applet without being challenged for credentials? I want to publish direct links
to a few of our Global Collections and do not want users to get challenged for
credentials; is this possible? A sample link could be as follows.
http://oneclick:8080/spectrum/topology.applet?mh=0x1000d4
thanks,
Saurabh Bohra
Sr. Network Mgmt Systems Analyst
ESPN Inc.
O: 860-766-0842 | M: 860-385-3597 | e-mail: [email protected]
* --To unsubscribe from spectrum, send email to [email protected] with the
body: unsubscribe spectrum [email protected]