[jboss-jira] [JBoss JIRA] (WFCORE-2646) Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured
Ondrej Lukas (JIRA)
issues at jboss.org
Tue Apr 11 07:12:01 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated WFCORE-2646:
---------------------------------
Description:
Regression against DR15.
Authentication by legacy security realm is taken into account even if just Elytron authentication should be used. I don't say legacy authentication is used in priority before Elytron (that works as expected). Just that legacy authentication is somehow "initialized". In this case the check "There are no user in mngmt-user.properties file" is performed.
Reproducer:
* Configure Elytron authentication for management interface
{code}
/subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add()
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password( clear={password="password123"})
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-fs-http-auth)
{code}
* impossible to access management interface
{code}
curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
{
"outcome" : "failed",
"failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
"rolled-back" : "true"
}
{code}
Access is granted once
* security realm is undefined from management interface
{code}
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
{code}
* Or user is added into ManagementRealm
{code}
./add-user.sh -u admin -p admin -r ManagementRealm
{code}
{code}
curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
"running"
{code}
was:
Regression against DR15.
Authentication by legacy security realm is taken into account even if just Elytron authentication should be used. I don't say legacy authentication is used in priority before Elytron (that works as expected). Just that legacy authentication is somehow "initialized". In this case the check "There are no user in mngmt-user.properties file" is performed.
Reproducer:
* Configure Elytron authentication for management interface
{code}
/subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add()
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password( clear={password="password123"})
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-fs-http-auth)
{code}
* impossible to access management interface
{code}
curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
{
"outcome" : "failed",
"failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
"rolled-back" : "true"
}
{code}
Access is granted once
* security realm is undefined from management interface
{code}
/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
{code}
* User is added into ManagementRealm
{code}
./add-user.sh -u admin -p admin -r ManagementRealm
{code}
{code}
curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
"running"
{code}
> Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2646
> URL: https://issues.jboss.org/browse/WFCORE-2646
> Project: WildFly Core
> Issue Type: Bug
> Components: Domain Management, Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> Regression against DR15.
> Authentication by legacy security realm is taken into account even if just Elytron authentication should be used. I don't say legacy authentication is used in priority before Elytron (that works as expected). Just that legacy authentication is somehow "initialized". In this case the check "There are no user in mngmt-user.properties file" is performed.
> Reproducer:
> * Configure Elytron authentication for management interface
> {code}
> /subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
> /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add()
> /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password( clear={password="password123"})
> /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
> /subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=default-permission-mapper)
> /subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
> /core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-fs-http-auth)
> {code}
> * impossible to access management interface
> {code}
> curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
> {
> "outcome" : "failed",
> "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
> "rolled-back" : "true"
> }
> {code}
> Access is granted once
> * security realm is undefined from management interface
> {code}
> /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
> {code}
> * Or user is added into ManagementRealm
> {code}
> ./add-user.sh -u admin -p admin -r ManagementRealm
> {code}
> {code}
> curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
> "running"
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
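
A check for the state this report describes, added here as an example and not part of the original message or of WildFly's code: it flags an `http-interface` that has `http-authentication-factory` set while the legacy `security-realm` is still defined, and classifies a `/management` response body as the WFLYDMHTTP0006 failure or a normal answer. The JSON shape of the resource and the function names are assumptions; the failure body is the one from the report.

```python
import json

# Constructed sample: the http-interface resource as the management API might
# return it after the reproducer's write-attribute step (shape is assumed).
SAMPLE_RESOURCE = json.loads("""
{"http-authentication-factory": "example-fs-http-auth",
 "security-realm": "ManagementRealm",
 "console-enabled": true}
""")

# Failure body copied from the curl output in the report.
SAMPLE_FAILURE = """{
"outcome" : "failed",
"failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
"rolled-back" : "true"
}"""


def audit_http_interface(resource):
    """Return findings for the mixed legacy/Elytron state from WFCORE-2646."""
    factory = resource.get("http-authentication-factory")
    realm = resource.get("security-realm")
    findings = []
    if factory and realm:
        # Workaround named in the report: undefine security-realm.
        findings.append(
            f"http-authentication-factory={factory} is set but legacy "
            f"security-realm={realm} is still defined; the realm's readiness "
            "check can still block requests until security-realm is undefined")
    return findings


def classify_probe(body):
    """Classify a /management response: realm-not-ready, failed, ok, unparseable."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unparseable"
    if isinstance(doc, dict) and doc.get("outcome") == "failed":
        desc = doc.get("failure-description", "")
        return "realm-not-ready" if "WFLYDMHTTP0006" in desc else "failed"
    return "ok"


if __name__ == "__main__":
    print(audit_http_interface(SAMPLE_RESOURCE))
    print(classify_probe(SAMPLE_FAILURE), classify_probe('"running"'))
```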