
Limit IWA-NTLM Configuration to Specific Endpoints and Resolve OAuth2 Access Issue #22104

Open
leonardorobertolopez opened this issue Dec 20, 2024 · 0 comments


leonardorobertolopez commented Dec 20, 2024

Description

In the current setup of WSO2 IS 5.11.0, the configuration in web.xml is overly broad, applying authentication restrictions globally to all server endpoints due to the / url-pattern. This blocks access to critical OAuth2 endpoints, such as /oauth2/authorize, resulting in a 403 Forbidden response.

The issue arises because the configuration is intended to protect the admin console (/carbon/*) when using IWA-NTLM (Integrated Windows Authentication with NTLM), but it unintentionally affects unrelated endpoints like /oauth2/authorize.

Steps to Reproduce

  1. Enable the IWA-NTLM authenticator for the admin console by manually modifying the web.xml file. Add the following block:
<security-constraint>
    <display-name>Security Constraint for IWA</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Everyone</role-name>
    </auth-constraint>
</security-constraint>

(This block is generated by the following template web.xml.j2:)

{% if admin_console.authenticator.iwa_ui_authenticator.enable is sameas true %}
    <security-constraint>
        <display-name>Security Constraint for IWA</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Everyone</role-name>
        </auth-constraint>
    </security-constraint>
{% endif %}
  2. Restart WSO2 IS.

  3. Attempt to access /oauth2/authorize.

  4. Observe the 403 Forbidden response and no relevant logs in wso2carbon.log.

Note: the scenario is without the use of the deployment.toml file.
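The following fragment is an added example, not code from the issue or from the WSO2 project: the same security-constraint with its url-pattern narrowed to the admin console path. It assumes that /carbon/* is the prefix the constraint was meant to protect, as the issue states; the role name and the listed HTTP methods are kept unchanged from the original block.

```xml
<!-- Added example (not from the issue or the WSO2 project): the IWA
     security-constraint restricted to the admin console. Assumption:
     /carbon/* is the intended protected prefix; role and methods are
     copied from the original block. -->
<security-constraint>
    <display-name>Security Constraint for IWA</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Prefix pattern: matches /carbon and every path below it, nothing
             else. The original "/" is the servlet default pattern, which the
             container applies to every request no other pattern claims,
             including /oauth2/authorize. -->
        <url-pattern>/carbon/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Everyone</role-name>
    </auth-constraint>
</security-constraint>
```

The same one-line change applies to the url-pattern inside the {% if ... %} block of web.xml.j2 if the template is used. After restarting the server, a request to /oauth2/authorize should no longer be rejected with 403 by the container, while requests under /carbon/ still trigger the IWA-NTLM challenge. One caveat worth checking in the final configuration: because the collection enumerates HTTP methods, only those four methods are constrained and any other method (HEAD, OPTIONS, and so on) on /carbon/* is left uncovered, which is the standard servlet security-constraint semantics.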

Version

5.11.0

Environment Details (with versions)

No response
