[jboss-jira] [JBoss JIRA] (WFCORE-2646) Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured

Darran Lofthouse (JIRA) issues at jboss.org
Mon Apr 24 11:49:01 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-2646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFCORE-2646:
-------------------------------------
    Fix Version/s: 3.0.0.Beta17


> Elytron, management interface,  legacy authentication is "checked" even if Elytron authentication is configured
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-2646
>                 URL: https://issues.jboss.org/browse/WFCORE-2646
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management, Security
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>             Fix For: 3.0.0.Beta17
>
>
> Regression against DR15.
> Authentication by legacy security realm is taken into account even if just Elytron authentication should be used. I don't say legacy authentication is used in priority before Elytron (that works as expected). Just that legacy authentication is somehow "initialized". In this case the check "There are no user in mngmt-user.properties file" is performed.
> Reproducer:
> * Configure Elytron authentication for management interface
> {code}
> /subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
> /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add()
> /subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password( clear={password="password123"})
> /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
> /subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=default-permission-mapper)
> /subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
> /core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-fs-http-auth)
> {code}
> * Impossible to access management interface
> {code}
> curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
> {
>     "outcome" : "failed",
>     "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
>     "rolled-back" : "true"
> }
> {code}
> Access is granted once:
> * security realm is undefined from management interface
> {code}
> /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)
> {code}
> * Or user is added into ManagementRealm
> {code}
> ./add-user.sh -u admin -p admin -r ManagementRealm
> {code}
> {code}
> curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
> "running"
> {code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
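
The report above says access works again once `security-realm` is undefined on an interface that already has an Elytron authentication factory. The following is an added example, not code from the issue or from WildFly: a small audit that flags management interfaces in a server configuration file that still carry both settings. It assumes the XML attributes mirror the management attribute names shown in the reproducer; the `native-interface` element and `sasl-authentication-factory` attribute are assumptions beyond what the report shows, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a standalone.xml <management>
# section. The namespace version is a placeholder, not taken from the issue.
SAMPLE = """
<server xmlns="urn:jboss:domain:X.Y">
  <management>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm"
                      http-authentication-factory="example-fs-http-auth">
        <socket-binding http="management-http"/>
      </http-interface>
      <native-interface sasl-authentication-factory="example-sasl-auth">
        <socket-binding native="management-native"/>
      </native-interface>
    </management-interfaces>
  </management>
</server>
"""

# Attributes that point an interface at Elytron (second one is an assumption).
ELYTRON_ATTRS = ("http-authentication-factory", "sasl-authentication-factory")
INTERFACES = ("http-interface", "native-interface")


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def audit_management_interfaces(xml_text):
    """Return one finding per interface that references both auth stacks."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) not in INTERFACES:
            continue
        realm = elem.get("security-realm")
        # A factory may sit on the interface itself or on a child element.
        factories = {a: n.get(a) for n in elem.iter()
                     for a in ELYTRON_ATTRS if n.get(a)}
        if realm and factories:
            findings.append({"interface": local(elem.tag),
                             "security-realm": realm,
                             "elytron": factories})
    return findings


if __name__ == "__main__":
    for f in audit_management_interfaces(SAMPLE):
        print(f"{f['interface']}: legacy realm {f['security-realm']!r} "
              f"still set alongside {f['elytron']}")
```
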