[jboss-jira] [JBoss JIRA] (REMJMX-74) REMJMX-65 Overzealous disabling local authentication
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Tue Oct 22 05:09:02 EDT 2013
[ https://issues.jboss.org/browse/REMJMX-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12823883#comment-12823883 ]
Darran Lofthouse commented on REMJMX-74:
----------------------------------------
Hello Rob, unfortunately your comment is a little late; due to time constraints we need this fixed and tagged yesterday ;-)
The change you have made is correct: you do not have any credentials to use, so you should not be setting them. I would recommend, however, that you do revisit looking at supplying a callback handler at some point, as that gives you an opportunity to prompt for a username and password if and only if it is actually required.
One final point you may want to consider: the main reason we made this change was so that once access control was enabled and users had an option in the client to force authentication to disable local authentication. I have now added an option 'org.jboss.remoting-jmx.excluded-sasl-mechanisms' which, if set on the environment with the value 'JBOSS-LOCAL-USER', will disable local authentication.
> REMJMX-65 Overzealous disabling local authentication
> ----------------------------------------------------
>
> Key: REMJMX-74
> URL: https://issues.jboss.org/browse/REMJMX-74
> Project: Remoting JMX
> Issue Type: Bug
> Components: Connection
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.1.2.CR1, 2.0.0.CR4
>
>
> REMJMX-65 is overzealous at disabling local authentication: if a username and credential are supplied in the environment then it does make sense to disable local authentication; however, the availability of a callback handler is not a sufficient flag to also disable it.
> In the case of the callback handler the user may still only want to be prompted if the other mechanisms fail.
> This issue will remove the disabling of local authentication based on the presence of a callback handler and will instead add a configuration option that can be set on the environment.
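
An added example, not part of the original message or of the Remoting JMX code base: a JMX client that sets the option named in the comment to exclude JBOSS-LOCAL-USER and supplies a callback handler that prompts only when a mechanism asks for credentials. Assumptions: the Remoting JMX client library is on the classpath, the callback handler is looked up under the key `CallbackHandler.class.getName()`, and the service URL, host and port are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;

public class ForcedAuthJmxClient {

    // Invoked only if a SASL mechanism actually needs a username/password.
    static final class PromptingHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            java.io.Console console = System.console();
            if (console == null) throw new IllegalStateException("no console to prompt on");
            for (Callback cb : callbacks) {
                if (cb instanceof RealmCallback) {
                    RealmCallback rcb = (RealmCallback) cb;
                    rcb.setText(rcb.getDefaultText()); // accept the realm the server offers
                } else if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(console.readLine("Username: "));
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(console.readPassword("Password: "));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> env = new HashMap<>();
        // Option and value as given in the comment above: exclude the local-user
        // mechanism so the connection has to authenticate with real credentials.
        env.put("org.jboss.remoting-jmx.excluded-sasl-mechanisms", "JBOSS-LOCAL-USER");
        // ASSUMPTION: environment key under which the callback handler is read.
        env.put(CallbackHandler.class.getName(), new PromptingHandler());
        // ASSUMPTION: placeholder URL; substitute the management endpoint in use.
        JMXServiceURL url = new JMXServiceURL("service:jmx:remoting-jmx://localhost:9999");
        try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
            System.out.println("MBeans visible: " + c.getMBeanServerConnection().getMBeanCount());
        }
    }
}
```

No username or credential is placed in the environment, so the handler is the only source of credentials and is consulted only when a mechanism requests them.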