[jboss-jira] [JBoss JIRA] (AS7-3464) add-user.sh - possibility of setting another Realms should be considered again

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Fri Jan 27 05:16:48 EST 2012


     [ https://issues.jboss.org/browse/AS7-3464?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated AS7-3464:
----------------------------------

    Fix Version/s: Open To Community
         Assignee:     (was: Anil Saldhana)


If anyone in the community would like to contribute, what we actually need here is better detection of the name of the security realm in use by the AS instance.

By default we ship with the realm named ManagementRealm; however, as the digest in the properties file is based on the username, realm and password, we would recommend the use of different realms on different installations, so that disclosing the properties file from one installation does not necessarily affect other instances that have users with the same username and password but a different realm.

The issue is that the name of the realm is defined in the standalone.xml and host.xml, so as it stands now these need to be parsed if the server is not running to identify the name of the realm; if the server is running, a connection to the server is an option (although a bit messy) to discover the realm.

Alternatively, the name of the realm used for the digests could be separated from the config and stored in a file adjacent to the properties file. The first time add-user.sh is run, the user would be asked to choose a realm name for their installation; that would be stored in the file and used for all subsequent calls to add-user.sh. This way unique realm names could be encouraged without forcing the core configuration to be modified.

This alternative location to specify the realm may be better considered for AS 7.2 or beyond, when we will hopefully expand on the manageability of users and incorporate it there.
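To make the realm-binding point in the comment above concrete, here is an added example (not code from the AS7 project or from this issue) that computes the HEX(MD5(username ':' realm ':' password)) digest stored in mgmt-users.properties, checks a leaked file against installations that do and do not share the realm name, and pulls the realm name out of a constructed standalone.xml excerpt the way an offline add-user.sh would have to. The usernames, password, realm names and XML excerpt are constructed for the example, and realm_from_config is a hypothetical helper, not anything add-user.sh ships.

```python
import hashlib
import xml.etree.ElementTree as ET


def ha1(username, realm, password):
    """HEX(MD5(username ':' realm ':' password)), the HTTP Digest HA1 value that
    add-user.sh writes after 'username=' in mgmt-users.properties."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def properties_line(username, realm, password):
    """One mgmt-users.properties entry for this user in this realm."""
    return f"{username}={ha1(username, realm, password)}"


def parse_users_properties(text):
    """Map username -> stored digest; '#' comments and blank lines are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, digest = line.partition("=")
        users[name.strip()] = digest.strip()
    return users


def password_checks_out(users, username, realm, password):
    """What the properties realm effectively checks: recompute HA1 with the
    realm the server is configured with and compare it to the stored value."""
    return users.get(username) == ha1(username, realm, password)


def realm_from_config(xml_text):
    """Hypothetical helper for the 'server not running' case from the comment:
    read the security-realm attribute of the management http-interface out of
    standalone.xml/host.xml, ignoring the urn:jboss:domain namespace prefix."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        local_name = element.tag.rsplit("}", 1)[-1]
        if local_name == "http-interface":
            return element.get("security-realm")
    return None


# Constructed, abbreviated excerpt in the shape of an AS 7.1 standalone.xml;
# only the elements this example needs are present.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <authentication>
          <properties path="mgmt-users.properties"
                      relative-to="jboss.server.config.dir"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="ManagementRealm">
        <socket-binding native="management-native"/>
      </native-interface>
      <http-interface security-realm="ManagementRealm">
        <socket-binding http="management-http"/>
      </http-interface>
    </management-interfaces>
  </management>
</server>
"""


def leaked_file_reuse():
    """Same admin username and password on three installations (constructed
    values). A and B kept the shipped default realm name; C chose its own.
    Returns whether a file disclosed from A verifies the user on B and on C."""
    user, password = "admin", "correct-horse-battery"
    realm_a = realm_from_config(SAMPLE_STANDALONE_XML)   # "ManagementRealm"
    realm_b = "ManagementRealm"                          # default left in place
    realm_c = "SiteC-Mgmt-a91f"                          # per-installation name

    leaked_from_a = parse_users_properties(
        "# declaration of users for the realm 'ManagementRealm'\n"
        + properties_line(user, realm_a, password)
    )
    stored_on_b = parse_users_properties(properties_line(user, realm_b, password))
    stored_on_c = parse_users_properties(properties_line(user, realm_c, password))

    return {
        "realm_a": realm_a,
        # identical digests: the A file is a drop-in credential for B
        "a_digest_valid_on_b": leaked_from_a[user] == stored_on_b[user],
        # different realm name, different digest: the A file is useless on C
        "a_digest_valid_on_c": leaked_from_a[user] == stored_on_c[user],
        # the real password still works on C, against C's own file and realm
        "password_valid_on_c": password_checks_out(stored_on_c, user, realm_c, password),
    }


if __name__ == "__main__":
    for key, value in leaked_file_reuse().items():
        print(f"{key}: {value}")
```

Two consequences fall out of the format. The stored value is the Digest HA1, so a disclosed properties file is password-equivalent for every installation whose configured realm name matches the one the digests were computed under; a per-installation realm name limits that to the one box. The flip side, which matches the reporter's complaint about switching realms, is that renaming the realm in standalone.xml or host.xml silently invalidates every entry already in the file, because the server recomputes HA1 with the new name.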
> add-user.sh - possibility of setting another Realms should be considered again
> ------------------------------------------------------------------------------
>
>                 Key: AS7-3464
>                 URL: https://issues.jboss.org/browse/AS7-3464
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 7.1.0.CR1b
>            Reporter: Pavel Janousek
>            Priority: Minor
>             Fix For: Open To Community
>
>
> I'm aware that add-user.sh isn't a general tool for managing a user/groups/roles credential store at all. It is supposed to be only a shorthand for quick definition of users' access to the admin console out of the box. Well..
> According to the previous paragraph, it isn't too meaningful for me to bring in the possibility of specifying another realm during the invocation of this tool. I already think that the admin console can use another realm than ManagementRealm by changing the default configuration. I also already think that a property file can't contain user definitions belonging to multiple realms. As is stated in the comment at the beginning of the file mgmt-users.properties, this file is for the "declaration of users for the realm 'ManagementRealm'".
> I think we should avoid inserting a new user with a different realm there (it is possible now). add-user.sh doesn't manage any other file, and other property file(s) can't be specified during invocation.
> I think this present situation/behavior will badly confuse our end users, especially users with their own experience of other JEE servers (Apache Geronimo, Sun/Oracle GlassFish etc.).
> Because we don't provide/support any tool for general CRUD management of a credential store of the property file(s) type, as other JEE app servers do, we really should use this script/tool only as a way of simple, very basic user creation in the default AS7 environment, because we can't support this tool in any other situation with the present behavior, and in such changed environments the behavior or final state is hardly understandable (if we create a property file (by another way) with the same username but in different realms, we can never log in to the admin console any more; if we have users in one realm and switch the AS7 instance to use another "admin" realm, we can't add any of the existing users to this new realm; we don't know which user belongs to which realm later, etc.).
> So, in conclusion: I think we should remove the specification of the Realm from the input process of the add-user.sh script altogether, and use this script only to define users belonging to the ManagementRealm realm and to manage only the proper mgmt-users.properties files (standalone and domain configuration).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
