[jboss-jira] [JBoss JIRA] (WFCORE-301) Configuration of individual contexts for http management interface.

Darran Lofthouse (JIRA) issues at jboss.org
Mon Sep 19 05:55:00 EDT 2016 

    [ https://issues.jboss.org/browse/WFCORE-301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13294947#comment-13294947 ] 

Darran Lofthouse commented on WFCORE-301:
-----------------------------------------

[~brian.stansberry] Status probably was nice to have but not enough time for us to address it ;-) As we have the other issue with plenty of traffic now this one can probably be closed as a duplicate.

Also this issue was very focused on configuration of the HTTP management interface, now that we have subsystem support in the host controller as discussed on other threads a better solution may be for a custom subsystem to register it's own handler on the HTTP management interface - that way we don't need generic configuration for this resource.

> Configuration of individual contexts for http management interface.
> -------------------------------------------------------------------
>
>                 Key: WFCORE-301
>                 URL: https://issues.jboss.org/browse/WFCORE-301
>             Project: WildFly Core
>          Issue Type: Sub-task
>          Components: Domain Management
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>              Labels: affects_elytron
>             Fix For: 3.0.0.Alpha9
>
>
> At the moment all management requests are handled over the '/management' context, we also have a '/console' context to serve up the files for the admin console.
> The '/management' context is secured using standard HTTP mechanisms, this decision was taken so that clients could be written in different languages and all they would need to know is how to use standard authentication mechanisms.  Due to problems where web browsers could run malicious scripts cross origin resource sharing is completely disabled for this context.
> We need to start to open up the handling of cross origin requests for a couple of reasons: -
>  - Enabling Keycloak SSO support.
>  - Alternative console distribution options
> The '/management' context is going to be retained as-is for legacy clients, possibly even switched off by default.
> A new context can then be added using non-browser based authentication, this could be SSO Keycloak or could be a form of Digest authentication where the response is handled by the console and not the web browser - either way as the browser is bypassed it is no longer at risk of sending malicious cross origin requests.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list