[jboss-jira] [JBoss JIRA] (WFLY-8544) Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured

Martin Choma (JIRA) issues at jboss.org
Mon Apr 10 02:44:00 EDT 2017


Martin Choma created WFLY-8544:
----------------------------------

             Summary: Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured
                 Key: WFLY-8544
                 URL: https://issues.jboss.org/browse/WFLY-8544
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
            Priority: Blocker


Regression against DR15.
Authentication by the legacy security realm is taken into account even if only Elytron authentication should be used. I am not saying legacy authentication is used in priority before Elytron (that works as expected), just that legacy authentication is somehow "initialized". In this case the check "There are no user in mngmt-user.properties file" is performed.

Reproducer:
* Configure Elytron authentication for management interface
{code}
/subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add()
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password( clear={password="password123"})
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-fs-http-auth)
{code}
* impossible to access management interface
{code}
curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
{
    "outcome" : "failed",
    "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
    "rolled-back" : "true"
}
{code}

Access is granted once
* security realm is undefined from management interface
{code}
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
{code}

* User is added into ManagementRealm
{code}
./add-user.sh -u admin -p admin -r ManagementRealm
{code}

{code}
curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
"running"
{code}
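An added check, not part of this report or of WildFly, for the state the reproducer describes: it parses the DMR text that jboss-cli prints for `:read-resource` on the http-interface, flags the case where `security-realm` is still defined alongside an `http-authentication-factory` (the overlap the report is about, with the `undefine-attribute` workaround as remediation), and classifies the management endpoint's JSON reply by the WFLYDMHTTP0006 code. The `read-resource` sample is constructed; the `"key" => value` DMR text shape and the attribute names are assumed from the commands above.

```python
import json
import re

HTTP_INTERFACE = "/core-service=management/management-interface=http-interface"

# Constructed sample of what `HTTP_INTERFACE:read-resource` prints in jboss-cli
# (DMR text) after the reproducer steps, with the legacy realm still defined.
SAMPLE_READ_RESOURCE = '''{
    "outcome" => "success",
    "result" => {
        "allowed-origins" => undefined,
        "http-authentication-factory" => "example-fs-http-auth",
        "http-upgrade-enabled" => true,
        "security-realm" => "ManagementRealm"
    }
}'''

# One scalar "key" => value pair of DMR text (string, undefined, boolean or number).
_PAIR = re.compile(r'"([\w-]+)"\s*=>\s*("(?:[^"\\]|\\.)*"|undefined|true|false|-?\d+)')


def parse_dmr_attributes(text):
    """Flatten scalar DMR pairs into a dict; undefined -> None, strings unquoted."""
    attrs = {}
    for key, raw in _PAIR.findall(text):
        if raw == "undefined":
            attrs[key] = None
        elif raw in ("true", "false"):
            attrs[key] = raw == "true"
        else:
            attrs[key] = raw[1:-1] if raw.startswith('"') else int(raw)
    return attrs


def assess_management_auth(attrs):
    """Return (state, remediation CLI or None). 'overlap' is the WFLY-8544 case:
    an Elytron factory is set but security-realm is still defined, so the legacy
    realm is still initialised and its readiness check can block requests."""
    legacy, elytron = attrs.get("security-realm"), attrs.get("http-authentication-factory")
    if elytron and legacy:
        return "overlap", f"{HTTP_INTERFACE}:undefine-attribute(name=security-realm)"
    if elytron:
        return "elytron-only", None
    return ("legacy-only", None) if legacy else ("unauthenticated", None)


def classify_management_response(body):
    """Classify a JSON body from /management: 'ok', 'realm-not-ready' or 'failed'."""
    data = json.loads(body)
    if isinstance(data, dict) and data.get("outcome") == "failed":
        return "realm-not-ready" if "WFLYDMHTTP0006" in data.get("failure-description", "") else "failed"
    return "ok"
```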



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)