monit-general
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: M/Monit with HTTP basic auth

From: Jan-Henrik Haukeland
Subject: Re: M/Monit with HTTP basic auth
Date: Tue, 13 Oct 2015 14:52:21 +0200 
We've looked at this more closer since yesterday and my initial assessment was 
not entirely correct; There actually is no technical reason why sessions cannot 
be activated for Basic Auth. so you can switch the authentication method for 
the M/Monit app. The only problem (as you found out) is that sessions were not 
activated. This have now been changed and the next point release of M/Monit 
(3.5.2 probably) will work with Basic Auth as well as with Form Based Auth. 
Thank you for bringing this to our attention.

> On 12 Oct 2015, at 23:36, Philippe Wooding <address@hidden> wrote:
> 
> Thanks for your response.
> If indeed, it is by design and things are unlikely to change, then the 
> M/Monit documentation (https://mmonit.com/documentation/mmonit_manual.pdf) 
> should probably be updated to state that the web site can’t use anything else 
> than form based authentication.
> It would have avoided my spending time trying to understand why it wasn’t 
> working :-)
> Do you know why only the status page breaks when using basic auth?
> What information does the session hold?
> 
> Cheers
> 
>> On 12 Oct 2015, at 23:05, Jan-Henrik Haukeland <address@hidden> wrote:
>> 
>> You pretty much explained this yourself. It is correct what you found, when 
>> Basic Auth is used, no session is created. The M/Monit app, as it is, 
>> depends on a session being created and therefor only supports login via form 
>> based auth. The exception is the /collector page which actually uses Basic 
>> Auth. This is to lower resource usage - if you have thousands of Monit 
>> agents reporting in to M/Monit, creating a session for each of these 
>> connections with no logout can be expensive. The bottom line is that this is 
>> by design and unlikely to change. 
>> 
>> Ps. The reason you where able to start with form based auth and then switch 
>> to basic auth is because M/Monit sessions are persistent over a restart so 
>> you are still logged into M/Monit via your browser’s zsessionid cookie.
>> 
>> 
>>> On 12 Oct 2015, at 21:44, Philippe Wooding <address@hidden> wrote:
>>> 
>>> Hi all,
>>> 
>>> I’ve started using M/Monit (3.5.1-linux-x64) and would like to use HTTP 
>>> basic auth instead of the default login form.
>>> However, HTTP auth seems to be broken.
>>> When I log in, I get the index page ok, but when I switch to the ‘status’ 
>>> tab, I get a ‘Page not found’ error popup.
>>> With the standard form based auth, everything works ok.
>>> I traced the basic auth error down to the lack of the ‘zsessionid’ cookie.
>>> It never gets created with basic auth and seems to be required by the 
>>> following query:
>>> http://127.0.0.1:8080/session/get?key=sHostGroup&key=sLed&key=sHostName
>>> 
>>> If I start by using form based auth and then switch to basic auth, the 
>>> cookie is known to the browser and everything
>>> is fine until I restart my browser.
>>> 
>>> Is anyone else out there using HTTP auth or does my description ring a bell?
>>> 
>>> Cheers,
>>> 
>>> P Wooding
>> 
>> 
>> 
>> --
>> To unsubscribe:
>> https://lists.nongnu.org/mailman/listinfo/monit-general
> 
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
reply via email to
[Prev in Thread] Current Thread [Next in Thread]