[
https://issues.jboss.org/browse/WFCORE-2061?page=com.atlassian.jira.plugi...
]
Tadayoshi Sato edited comment on WFCORE-2061 at 11/30/16 7:47 AM:
------------------------------------------------------------------
Thanks [~dlofthouse] for the clarification. I totally understand it.
However, if we don't want to lose the entire RBAC by avoiding the
{{Subject.doAs(...)}}, do you think adding a {{RealmUser}} principal manually like below
can be an acceptable temporary workaround on the application side? This seems to be working
just fine.
{code:java}
subject.getPrincipals().add(new RealmUser("admin"));
{code}
was (Author: tadayosi):
Thanks [~dlofthouse] for the clarification. I totally understand it.
However, if we don't want to lose the entire RBAC by avoiding the
{{Subject.doAs(...)}}, do you think adding a {{RealmUser}} principal manually like below
can be an acceptable temporary workaround? This seems to be working just fine.
{code:java}
subject.getPrincipals().add(new RealmUser("admin"));
{code}
JMX access unauthorized after RBAC enabled
------------------------------------------
Key: WFCORE-2061
URL: https://issues.jboss.org/browse/WFCORE-2061
Project: WildFly Core
Issue Type: Bug
Components: JMX, Security
Affects Versions: 2.2.0.Final
Reporter: Tadayoshi Sato
Assignee: Darran Lofthouse
Fix For: 3.0.0.Alpha14
Attachments: standalone.xml, wildfly-jmx-auth.zip
After RBAC is enabled, even a user ({{"admin"}}) with the {{SuperUser}} role fails
to get authorized access to JMX with the following code:
{code:java}
MBeanServer mBeanServer = ...
Subject subject = new Subject();
// Login
new LoginContext("test-domain", subject, callbacks -> { ...
}).login();
// Access to JMX
Subject.doAs(subject, (PrivilegedAction<Object>) () -> {
    // Read a platform MBean attribute as the authenticated subject
    mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"),
            "HeapMemoryUsage");
    return null;
});
{code}
RBAC and role-mapping are enabled in {{standalone.xml}} like this:
{code:xml}
<access-control provider="rbac">
    <role-mapping>
        <role name="SuperUser">
            <include>
                <user name="$local"/>
                <user name="admin"/>
            </include>
        </role>
    </role-mapping>
</access-control>
[...]
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        [...]
        <security-domain name="test-domain" cache-type="default">
            <authentication>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="realm" value="ManagementRealm"/>
                </login-module>
            </authentication>
        </security-domain>
{code}
The code gets this error in the server log:
{code}
javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
    at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
    at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
    at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
    at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
{code}
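A variant of the workaround from the comment at the top of this message, which takes the principal name from the login that just succeeded instead of the literal {{"admin"}} that the role mapping above maps to {{SuperUser}}. This is an added example, not code from the issue or from WildFly: the nested {{RealmUser}} is a stand-in for WildFly's class so the sketch compiles alone, and {{bindRealmUser}} and {{operator1}} are hypothetical names.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class RealmUserBinding {

    /** Stand-in for WildFly's RealmUser (assumption; use the real class on the server). */
    static final class RealmUser implements Principal {
        private final String name;
        RealmUser(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RealmUser && ((RealmUser) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RealmUser[" + name + "]"; }
    }

    /**
     * Call only after LoginContext.login() has returned normally.
     * authenticatedName is the user name that login verified, never a constant,
     * so the role mapping resolves roles for the caller who actually logged in.
     */
    static void bindRealmUser(Subject subject, String authenticatedName) {
        if (authenticatedName == null || authenticatedName.isEmpty()) {
            throw new SecurityException("no authenticated name to bind");
        }
        // Refuse to stack a second identity on a Subject that already has one.
        for (RealmUser u : subject.getPrincipals(RealmUser.class)) {
            if (!u.getName().equals(authenticatedName)) {
                throw new SecurityException("Subject already bound to " + u.getName());
            }
        }
        subject.getPrincipals().add(new RealmUser(authenticatedName));
    }

    public static void main(String[] args) {
        Subject subject = new Subject();       // constructed sample, as if login() had succeeded
        bindRealmUser(subject, "operator1");   // name comes from the login, not a literal
        System.out.println(subject.getPrincipals());
        try {
            bindRealmUser(subject, "admin");   // a different identity on the same Subject
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```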