]
Brian Stansberry updated WFCORE-301:
------------------------------------
Fix Version/s: 3.0.0.Alpha4
(was: 3.0.0.Alpha3)
Configuration of individual contexts for http management interface.
-------------------------------------------------------------------
Key: WFCORE-301
URL:
https://issues.jboss.org/browse/WFCORE-301
Project: WildFly Core
Issue Type: Sub-task
Components: Domain Management
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Labels: affects_elytron
Fix For: 3.0.0.Alpha4
At the moment all management requests are handled over the '/management' context,
we also have a '/console' context to serve up the files for the admin console.
The '/management' context is secured using standard HTTP mechanisms, this
decision was taken so that clients could be written in different languages and all they
would need to know is how to use standard authentication mechanisms. Due to problems
where web browsers could run malicious scripts cross origin resource sharing is completely
disabled for this context.
We need to start to open up the handling of cross origin requests for a couple of
reasons: -
- Enabling Keycloak SSO support.
- Alternative console distribution options
The '/management' context is going to be retained as-is for legacy clients,
possibly even switched off by default.
A new context can then be added using non-browser based authentication, this could be SSO
Keycloak or could be a form of Digest authentication where the response is handled by the
console and not the web browser - either way as the browser is bypassed it is no longer at
risk of sending malicious cross origin requests.