
No longer able to map unauthenticated users to the FHIRUsers security-role #1020

Closed
albertwang-ibm opened this issue May 4, 2020 · 5 comments
Assignees
Labels
bug Something isn't working

Comments

@albertwang-ibm
Contributor

albertwang-ibm commented May 4, 2020

We were using a configDropin to map special-subject EVERYONE to the FHIRUsers role (since authentication is being handled by a gateway).
Now, with the latest changes, this isn't working and it results in the health check failing with HTTP 401.

@albertwang-ibm albertwang-ibm added the bug Something isn't working label May 4, 2020
@albertwang-ibm albertwang-ibm added this to the Sprint 12 milestone May 4, 2020
@lmsurpre
Member

lmsurpre commented May 4, 2020

Reproduced locally just by adding a config override like this:

    <!-- webApp security is provided via IAM in IBM Cloud -->
    <webAppSecurity singleSignonEnabled="false" useAuthenticationDataForUnprotectedResource="false"/>
    <webApplication id="fhir-server-webapp">
        <application-bnd id="bind">
            <security-role id="users" name="FHIRUsers">
                <special-subject type="EVERYONE"/>
            </security-role>
        </application-bnd>
    </webApplication>

and hitting a protected endpoint.

This used to work for providing unauthenticated access to the endpoints, but doesn't seem to work with our latest configs.
I tried adding an id back in to the default server.xml but it didn't seem to make a difference.

But I was NOT able to reproduce locally for the $healthcheck endpoint, so not sure what is going on there.

@lmsurpre
Member

lmsurpre commented May 5, 2020

I created a tiny reproducing case and opened it as an issue for OpenLiberty at OpenLiberty/open-liberty#12050.
We might need to revert the change to the use of @RolesAllowed until that can get addressed (or else come up with an alternative for our cloud deploy).

@lmsurpre lmsurpre changed the title fhir-server pods failed to start normally in CDT cloud deployment No longer able to map unauthenticated users to the FHIRUsers security-role May 5, 2020
@lmsurpre lmsurpre removed this from the Sprint 12 milestone May 8, 2020
@lmsurpre lmsurpre self-assigned this Jul 31, 2020
@lmsurpre
Member

Our workaround has been to add the Authorization header via our kubernetes ingress. That said, I really thought the Liberty team would have this addressed by now; we might need to do something here...

@prb112
Contributor

prb112 commented Feb 15, 2022

This feature is going to be in the next release of OpenLiberty

@lmsurpre
Member

lmsurpre commented Apr 1, 2022

I confirmed that this is working now by adding a configDropin with the following content to a local deploy:

<server>
    <webApplication id="fhir-server-webapp">
        <application-bnd id="bind">
            <security-role id="users" name="FHIRUsers">
                <special-subject type="EVERYONE"/>
            </security-role>
        </application-bnd>
    </webApplication>
</server>

with liberty 22.0.0.3 this is finally behaving as expected; I am able to invoke protected endpoints like $healthcheck without specifying a username/password:

$ curl -k -i 'https://localhost:9443/fhir-server/api/v4/$healthcheck'
HTTP/2 200 
date: Fri, 01 Apr 2022 19:05:37 GMT
content-length: 0
content-language: en-US
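As an added example (not code from this issue or from the IBM FHIR Server project): a small Python audit script that parses Liberty server.xml fragments, including configDropins like the one above, and reports every application-bnd security-role bound to special-subject EVERYONE. That binding is exactly what lets unauthenticated callers reach protected endpoints such as $healthcheck, so it is only acceptable when an authenticating gateway fronts every path to the server; a practitioner would want to catch it in config review rather than discover it at runtime. The sample documents are constructed, modelled on the fragments in this thread; the element names and special-subject types are Liberty's, but the script does not reproduce Liberty's id-based merging of dropins and simply scans each document it is given.

```python
"""Audit Liberty server.xml fragments for security-roles open to EVERYONE.

Added example, not part of the IBM FHIR Server project. Scans one or more
Liberty configuration documents (server.xml plus configDropins) and reports
each application-bnd security-role whose membership includes the
special-subject EVERYONE (unauthenticated callers satisfy the role) or
ALL_AUTHENTICATED_USERS (any logged-in identity satisfies it).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List

# Special-subject types Liberty accepts in <special-subject type="..."/>.
EVERYONE = "EVERYONE"
ALL_AUTHENTICATED = "ALL_AUTHENTICATED_USERS"


@dataclass(frozen=True)
class Finding:
    app_id: str
    role: str
    subject: str   # EVERYONE or ALL_AUTHENTICATED_USERS
    severity: str  # "high" for EVERYONE, "info" for ALL_AUTHENTICATED_USERS


def audit_fragment(xml_text: str) -> List[Finding]:
    """Return findings for a single server.xml or dropin document."""
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    # Liberty allows both <application> and <webApplication>; bindings live
    # under <application-bnd> in either. iter() includes the root itself, so a
    # dropin whose root element is <webApplication> is handled too.
    apps = list(root.iter("application")) + list(root.iter("webApplication"))
    for app in apps:
        app_id = app.get("id") or app.get("name") or app.get("location") or "<unnamed>"
        for role in app.iter("security-role"):
            role_name = role.get("name", "<unnamed>")
            for subj in role.findall("special-subject"):
                stype = subj.get("type", "")
                if stype == EVERYONE:
                    findings.append(Finding(app_id, role_name, stype, "high"))
                elif stype == ALL_AUTHENTICATED:
                    findings.append(Finding(app_id, role_name, stype, "info"))
    return findings


def audit_config(fragments: Iterable[str]) -> List[Finding]:
    """Audit several documents (server.xml plus each dropin), de-duplicated.

    Note: this does not model Liberty's merge-by-id semantics; a dropin that
    re-declares a binding is reported once, which is what a reviewer wants.
    """
    seen = {}
    for text in fragments:
        for f in audit_fragment(text):
            seen.setdefault((f.app_id, f.role, f.subject), f)
    return list(seen.values())


# Constructed sample: a default server.xml that binds FHIRUsers to a registry
# user, and a dropin (as in this issue) that opens the role to EVERYONE.
DEFAULT_XML = """<server>
    <basicRegistry id="basic" realm="BasicRegistry">
        <user name="fhiruser" password="change-password"/>
    </basicRegistry>
    <webApplication id="fhir-server-webapp" location="fhir-server.war">
        <application-bnd>
            <security-role name="FHIRUsers">
                <user name="fhiruser"/>
            </security-role>
        </application-bnd>
    </webApplication>
</server>"""

DROPIN_XML = """<server>
    <webApplication id="fhir-server-webapp">
        <application-bnd id="bind">
            <security-role id="users" name="FHIRUsers">
                <special-subject type="EVERYONE"/>
            </security-role>
        </application-bnd>
    </webApplication>
</server>"""


if __name__ == "__main__":
    for f in audit_config([DEFAULT_XML, DROPIN_XML]):
        print(f"[{f.severity}] app={f.app_id} role={f.role} subject={f.subject}")
```

Run it over the files Liberty actually loads (server.xml, configDropins/defaults/*.xml, configDropins/overrides/*.xml); a "high" finding for FHIRUsers should only be present in deployments where the ingress or gateway is known to authenticate every request before it reaches the pod.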
