[ https://issues.jboss.org/browse/AS7-3464?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated AS7-3464:
----------------------------------
Fix Version/s: Open To Community
Assignee: (was: Anil Saldhana)
If anyone in the community would like to contribute what we actually need here is better
detection of the name of the security realm in use by the AS instance.
By default we ship with the realm named ManagementRealm, however as the digest in the
properties file is based on the username, realm and password we would recommend the use of
different realms on different installations so that disclosing the properties file from
one installation does not necessarily affect other instances that have users with the same
username and password but a different realm.
The issue is that the name of the realm is defined in the standalone.xml and host.xml so
as it stands now these need to be parsed if the server is not running to identify the name
of the realm - if the server is running a connection to the server is an option (although
a bit messy) to discover the realm.
Alternatively the name of the realm used for the digests could be separated from the
config and stored in a file adjacent to the properties file, the first time add-user.sh is
run the user would be asked to choose a realm name for their installation - that would be
stored in the file and used for all subsequent calls to add-user.sh - this way unique
realm names could be encouraged without forcing the core configuration to be modified.
This alternative location to specify the realm may be better considered for AS 7.2 or
beyond when we will hopefully expand on the manageability of users and incorporate it
there.
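Two points from the comment above lend themselves to a small worked example: why a per-installation realm name limits the damage from a disclosed mgmt-users.properties, and what "detecting the realm in use" from standalone.xml or host.xml actually involves. The code below is an added illustration, not part of the issue or of the AS7 add-user.sh sources. It assumes the digest format add-user.sh writes, HEX(MD5(username ':' realm ':' password)), and uses a constructed standalone.xml fragment modelled on the AS 7.1 management section; the realm name "SiteBRealm" and the user credentials are made-up sample values.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional


def management_digest(username: str, realm: str, password: str) -> str:
    """Return HEX(MD5(username ':' realm ':' password)).

    This is the value add-user.sh stores in mgmt-users.properties (the same
    construction as the HTTP Digest HA1 hash), so the realm name is part of
    the hashed input.
    """
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def properties_line(username: str, realm: str, password: str) -> str:
    """One 'user=digest' line as it would appear in mgmt-users.properties."""
    return f"{username}={management_digest(username, realm, password)}"


def verify(stored_line: str, realm: str, username: str, password: str) -> bool:
    """Check a username/password against one stored line, using the realm
    name the verifying server is configured with. A line copied from an
    installation that used a different realm name will not verify."""
    name, _, digest = stored_line.partition("=")
    expected = management_digest(username, realm, password)
    return name == username and hmac.compare_digest(digest, expected)


# Constructed fragment in the shape of an AS 7.1 standalone.xml; the realm the
# admin console uses is whichever one the http-interface references.
SAMPLE_STANDALONE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:1.1">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <authentication>
          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
      <security-realm name="ApplicationRealm"/>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
      </native-interface>
      <http-interface security-realm="ManagementRealm">
        <socket-binding http="management-http"/>
      </http-interface>
    </management-interfaces>
  </management>
</server>
"""


def realm_in_use(config_xml: str, interface: str = "http-interface") -> Optional[str]:
    """Return the realm name referenced by a management interface element in a
    standalone.xml/host.xml document. Tags are matched by local name so the
    schema namespace version (urn:jboss:domain:1.x) does not matter."""
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == interface:
            return elem.get("security-realm")
    return None


if __name__ == "__main__":
    # Installation A keeps the shipped default realm name; installation B
    # (hypothetical) chose its own name, as the comment recommends.
    realm_a = realm_in_use(SAMPLE_STANDALONE_XML)
    realm_b = "SiteBRealm"
    leaked = properties_line("admin", realm_a, "s3cret")  # line disclosed from A
    print("realm used by A:", realm_a)
    print("leaked line from A:", leaked)
    print("same user/password, realm B digest:",
          management_digest("admin", realm_b, "s3cret"))
    print("leaked line accepted on A:", verify(leaked, realm_a, "admin", "s3cret"))
    print("leaked line accepted on B:", verify(leaked, realm_b, "admin", "s3cret"))
```

Running the script shows the two digests differing for identical credentials and the leaked line verifying only against the realm name it was created under, which is the whole reason a unique realm per installation is worth encouraging. The realm_in_use helper is the "parse standalone.xml" path the comment calls messy: it only works if the file is readable and only answers for the interface you ask about, so an installation that points the native and HTTP interfaces at different realms has to be handled per interface.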
add-user.sh - possibility of setting another Realm should be considered again
------------------------------------------------------------------------------
Key: AS7-3464
URL: https://issues.jboss.org/browse/AS7-3464
Project: Application Server 7
Issue Type: Bug
Components: Security
Affects Versions: 7.1.0.CR1b
Reporter: Pavel Janousek
Priority: Minor
Fix For: Open To Community
I'm aware that add-user.sh isn't a general tool for managing a user/group/role
credential store at all. It is supposed only as a shorthand for quick definition of users'
access to the admin console out of the box. Well..
According to the previous paragraph it isn't too meaningful for me to bring in the possibility
of specifying another realm during the invocation of this tool. I think also - the admin
console can use another realm than ManagementRealm by changing the default configuration. I
think too - the property file can't contain user definitions belonging to multiple
realms. As is stated in the comment at the beginning of the file mgmt-users.properties, this file is
for "declaration of users for the realm 'ManagementRealm'".
I think we should avoid inserting a new user with a different realm there (it is possible
now). add-user.sh doesn't manage any other file, and other property file(s) can't
be specified during invocation.
I think this present situation/behavior would badly confuse our end-users - especially
users with their own experience of other JEE servers (Apache Geronimo, Sun/Oracle
GlassFish etc.).
Because we don't provide/support any tool for general CRUD management of a credential
store of the property file(s) type - like other JEE app. servers do - we really should use
this script/tool only as a way of very basic user creation in the default AS7
environment, because we can't support this tool in any other situation with the present
behavior, and in such changed environments the behavior or final state is hardly
understandable (if we create a property file (by other means) with the same username, but in
different realms, we can never log in to the admin console again; if we have users in one
realm and switch the AS7 instance to use another "admin" realm, we can't add any of the
existing users to this new realm; we don't know later which user belongs to which realm,
etc.)
So, in conclusion - I think we should remove the specification of the Realm from the input process of
the add-user.sh script altogether, use this script only to define users belonging to the
ManagementRealm realm, and manage only the mgmt-users.properties files properly (standalone
and domain configuration)
--
This message is automatically generated by JIRA.