Management API Security Possible Configuration Samples
When defining the management API security, there are a couple of options for how we could structure the configuration. For each option we also need to consider how it will look for both domain deployments and a standalone server.
So far these samples show the authentication configuration; the ACLs for authorization still need to be considered.
Host Focussed Configuration (Authentication)
For "Host Focussed" the bulk of the configuration would be in the host.xml.
Domain Example
domain.xml
<?xml version="1.0" ?>
<domain xmlns="urn:jboss:domain:1.0">
...
</domain>
host.xml
<?xml version="1.0" ?>
<host xmlns="urn:jboss:domain:1.0">
    ...
    <management>
        <datasource-pools>
            <pool name="UsersDatabase">
                <pool-option name="driver" value="org.something.JDBCDriver"/>
                <pool-option name="url" value="db://somehost:someport"/>
            </pool>
        </datasource-pools>
        <security>
            <security-domain>
                <login-module code="Database" flag="required">
                    <module-option name="PoolName" value="UsersDatabase" />
                </login-module>
            </security-domain>
        </security>
        <native-api interface="public" port="9991"/>
        <http-api interface="public" port="9992"/>
    </management>
    <domain-controller>
        <remote host="127.0.0.1" port="9999"/>
    </domain-controller>
    ...
</host>
Standalone Example
standalone.xml
<server xmlns="urn:jboss:domain:1.0">
    ...
    <management>
        <datasource-pools>
            <pool name="UsersDatabase">
                <pool-option name="driver" value="org.something.JDBCDriver"/>
                <pool-option name="url" value="db://somehost:someport"/>
            </pool>
        </datasource-pools>
        <security>
            <security-domain>
                <login-module code="Database" flag="required">
                    <module-option name="PoolName" value="UsersDatabase" />
                </login-module>
            </security-domain>
        </security>
        <native-api interface="public" port="9991"/>
        <http-api interface="public" port="9992"/>
    </management>
    ...
</server>
Domain Central Configuration (Authentication)
For "Domain Central" configuration, as much of the configuration as possible will be in the domain.xml; remote nodes will receive this configuration when they connect to the master domain controller.
Domain Example
domain.xml
<?xml version="1.0" ?>
<domain xmlns="urn:jboss:domain:1.0">
    ...
    <management>
        <datasource-pools>
            <pool name="UsersDatabase">
                <pool-option name="driver" value="org.something.JDBCDriver"/>
                <pool-option name="url" value="db://somehost:someport"/>
            </pool>
        </datasource-pools>
        <security>
            <security-domain>
                <login-module code="Database" flag="required">
                    <module-option name="PoolName" value="UsersDatabase" />
                </login-module>
            </security-domain>
        </security>
    </management>
    ...
</domain>
host.xml
<?xml version="1.0" ?>
<host xmlns="urn:jboss:domain:1.0">
    ...
    <management-apis>
        <native-api interface="public" port="9991"/>
        <http-api interface="public" port="9992"/>
    </management-apis>
    <domain-controller>
        <remote host="127.0.0.1" port="9999"/>
    </domain-controller>
    ...
</host>
Standalone Example
standalone.xml
<server xmlns="urn:jboss:domain:1.0">
    ...
    <management>
        <datasource-pools>
            <pool name="UsersDatabase">
                <pool-option name="driver" value="org.something.JDBCDriver"/>
                <pool-option name="url" value="db://somehost:someport"/>
            </pool>
        </datasource-pools>
        <security>
            <security-domain>
                <login-module code="Database" flag="required">
                    <module-option name="PoolName" value="UsersDatabase" />
                </login-module>
            </security-domain>
        </security>
    </management>
    <management-apis>
        <native-api interface="public" port="9991"/>
        <http-api interface="public" port="9992"/>
    </management-apis>
    ...
</server>
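A consistency check for the two layouts above, as an added example (not part of the original page or of the project's code). It assumes the element names proposed in these samples, that a security-domain under management covers every management endpoint, and that a host with no local definition falls back to domain.xml; the function names and the inline XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:jboss:domain:1.0}"  # namespace used by the page's samples

def _auth_source(root):
    """Return (login_modules, pool_names) found under <management> in one document."""
    mgmt = root.find(f"{NS}management")
    if mgmt is None:
        return [], set()
    modules = mgmt.findall(f"{NS}security/{NS}security-domain/{NS}login-module")
    pools = {p.get("name") for p in mgmt.findall(f"{NS}datasource-pools/{NS}pool")}
    return modules, pools

def check_management(local_xml, domain_xml=None):
    """local_xml is host.xml or standalone.xml text; domain_xml is optional domain.xml text."""
    local = ET.fromstring(local_xml)
    # Endpoints may sit under <management> or <management-apis>, depending on the layout.
    endpoints = [e for e in local.iter() if e.tag in (NS + "native-api", NS + "http-api")]
    source, (modules, pools) = "local", _auth_source(local)
    if not modules and domain_xml is not None:  # "Domain Central": defined in domain.xml
        source, (modules, pools) = "domain", _auth_source(ET.fromstring(domain_xml))
    findings = []
    if endpoints and not modules:
        ports = ", ".join(e.get("port") for e in endpoints)
        findings.append(f"management API on port(s) {ports} has no login-module")
        source = None
    for m in modules:
        for opt in m.findall(f"{NS}module-option"):
            if opt.get("name") == "PoolName" and opt.get("value") not in pools:
                findings.append(f"login-module references undefined pool {opt.get('value')!r}")
    return source, findings

# Constructed inputs modelled on the "Domain Central" samples ("..." lines dropped).
DOMAIN = """<domain xmlns="urn:jboss:domain:1.0"><management>
  <datasource-pools><pool name="UsersDatabase"/></datasource-pools>
  <security><security-domain>
    <login-module code="Database" flag="required">
      <module-option name="PoolName" value="UsersDatabase"/>
    </login-module>
  </security-domain></security>
</management></domain>"""
HOST = """<host xmlns="urn:jboss:domain:1.0"><management-apis>
  <native-api interface="public" port="9991"/>
  <http-api interface="public" port="9992"/>
</management-apis></host>"""

if __name__ == "__main__":
    print(check_management(HOST, DOMAIN))  # auth resolved from domain.xml
    print(check_management(HOST))          # host.xml alone: endpoints with no auth
```

Running the same function on a "Host Focussed" host.xml or a standalone.xml resolves the source as local, since the security-domain sits in the same file as the endpoints.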