[jboss-jira] [JBoss JIRA] (AS7-4577) Management console security does not work if security-realm name is not "ManagementRealm"
R Stokoe (JIRA)
jira-events at lists.jboss.org
Fri Apr 20 15:40:18 EDT 2012
[ https://issues.jboss.org/browse/AS7-4577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12686198#comment-12686198 ]
R Stokoe commented on AS7-4577:
-------------------------------
1) Did you try to reproduce using the steps I listed?
2) Some of my problems may have been due to wrong realm name in mgmt-users.properties but I did manage to get past those issues. As an aside, one of the problems I had was that jboss.server.base.dir is ignored by add-user. It still writes to $JBOSS_HOME/standalone/configuration/mgmt-users.properties and $JBOSS_HOME/domain/configuration/mgmt-users.properties. Do you know if there is yet an issue on that?
3) Here is a rundown of 2 tests I ran that demonstrate the problem. The only change between the 2 tests was to switch the names of the 2 security realms used by the 2 management interfaces. In both cases the interface using ManagementRealm worked and the other didn't.
mgmt-users.properties file was not changed between tests and contains the following users:
# Realm: ManagementRealm
user0=ea846d5c7e07c894095fa11df2010051
# Realm: ManagementRealm1
user1=a7002f5cac0db99fcb695838263d3caf
# Realm: ManagementRealm2
user2=6024ee0d490bb0c53edcddca36cca9d3
jboss command:
java -D[Standalone] -server -XX:+TieredCompilation -Xmx384m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Djboss.server.default.config=standalone-full.xml -Djboss.socket.binding.port-offset=300 -Djboss.socket.binding.port-offset=300 -Dorg.jboss.boot.log.file=/usr/jboss/jboss-as-7.1.1.Final/server/D4/log/boot.log -Dlogging.configuration=file:/usr/jboss/jboss-as-7.1.1.Final/server/D4/configuration/logging.properties -jar /usr/jboss/jboss-as-7.1.1.Final/jboss-modules.jar -mp /usr/jboss/jboss-as-7.1.1.Final/modules -jaxpmodule javax.xml.jaxp-provider org.jboss.as.standalone -Djboss.home.dir=/usr/jboss/jboss-as-7.1.1.Final -Djboss.server.base.dir=/usr/jboss/jboss-as-7.1.1.Final/server/D4
Note the following properties:
-Djboss.socket.binding.port-offset=300
-Djboss.server.base.dir=/usr/jboss/jboss-as-7.1.1.Final/server/D4
####################################################################################################
Test 1
management portion of configuration:
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ManagementRealm1">
            <server-identities>
                <ssl>
                    <keystore path="mgmthttps.keystore" relative-to="jboss.server.config.dir" password="mgmtPasswd"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm1">
            <socket-binding https="management-https"/>
        </http-interface>
    </management-interfaces>
</management>
.
.
.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
.
.
.
results:
interface  port   user   works?
---------  ----   ----   ------
native     10299  user0  yes
https      97430  user1  no
####################################################################################################
Test 2
(security-realm names were switched)
config:
<management>
    <security-realms>
        <security-realm name="ManagementRealm1">
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl>
                    <keystore path="mgmthttps.keystore" relative-to="jboss.server.config.dir" password="mgmtPasswd"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm1">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding https="management-https"/>
        </http-interface>
    </management-interfaces>
</management>
.
.
.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
.
.
.
results:
interface  port   user   works?
---------  ----   ----   ------
native     10299  user1  no
https      97430  user0  yes
####################################################################################################
Test 3
Here is a diff between test 2 and 3:
< <http-interface security-realm="ManagementRealm">
< <socket-binding https="management-https"/>
---
> <http-interface security-realm="ManagementRealm1">
> <socket-binding http="management-http"/>
configuration:
<management>
    <security-realms>
        <security-realm name="ManagementRealm1">
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ManagementRealm">
            <server-identities>
                <ssl>
                    <keystore path="mgmthttps.keystore" relative-to="jboss.server.config.dir" password="mgmtPasswd"/>
                </ssl>
            </server-identities>
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm1">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm1">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
.
.
.
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
.
.
.
results:
interface  port   user   works?
---------  ----   ----   ------
native     10299  user1  no
http       10290  user1  no
> Management console security does not work if security-realm name is not "ManagementRealm"
> -----------------------------------------------------------------------------------------
>
> Key: AS7-4577
> URL: https://issues.jboss.org/browse/AS7-4577
> Project: Application Server 7
> Issue Type: Bug
> Components: Console, Domain Management
> Affects Versions: 7.1.1.Final
> Reporter: R Stokoe
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: admin-console, as7, https, management
> Fix For: 7.1.2.Final-redhat1
>
>
> Configuring management console security only works if security-realm name is "ManagementRealm". If any other name is used, authentication repeatedly silently fails.
> This makes it impossible to configure the native and http management interfaces differently. For example ssl only for http-interface.
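Added example (not part of the original message and not JBoss code): a way to rule out the "wrong realm name in mgmt-users.properties" cause mentioned in point 2, by checking whether each stored hash was computed for the realm that a management interface references. It assumes the AS7 properties format username=HEX(MD5(username ':' realm ':' password)); the config fragment, passwords and hashes below are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

def stored_hash(user, realm, password):
    # Assumed AS7 format: HEX(MD5(username ':' realm ':' password))
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def parse_users(text):
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, digest = line.split("=", 1)
            users[name.strip()] = digest.strip().lower()
    return users

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def audit(config_xml, users_text, passwords):
    """Map (interface, user) -> (hash matches interface realm, realms it matches)."""
    root = ET.fromstring(config_xml)
    realms = [e.get("name") for e in root.iter() if local(e) == "security-realm"]
    users = parse_users(users_text)
    report = {}
    for e in root.iter():
        if local(e) not in ("native-interface", "http-interface"):
            continue
        realm = e.get("security-realm")
        for user, pw in passwords.items():
            hashed_for = [r for r in realms if users.get(user) == stored_hash(user, r, pw)]
            report[(local(e), user)] = (realm in hashed_for, hashed_for)
    return report

# Constructed sample: both users were hashed for "ManagementRealm" only.
SAMPLE_CONFIG = """<management>
  <security-realms>
    <security-realm name="ManagementRealm"/>
    <security-realm name="ManagementRealm1"/>
  </security-realms>
  <management-interfaces>
    <native-interface security-realm="ManagementRealm"/>
    <http-interface security-realm="ManagementRealm1"/>
  </management-interfaces>
</management>"""
SAMPLE_PASSWORDS = {"user0": "constructed-pw-0", "user1": "constructed-pw-1"}
SAMPLE_USERS = "# constructed entries\n" + "\n".join(
    f"{u}={stored_hash(u, 'ManagementRealm', p)}" for u, p in SAMPLE_PASSWORDS.items())

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, SAMPLE_USERS, SAMPLE_PASSWORDS).items():
        print(key, value)
```

A False result for an interface means the entry has to be regenerated for that realm name before the login failure can be attributed to the server.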