[wildfly-dev] Enhancing the HTTP Management Interface Configuration - WFLY-2635
Darran Lofthouse
darran.lofthouse at jboss.com
Thu May 1 14:05:22 EDT 2014
I am just about to work on the outstanding task to enhance the
configuration to the HTTP management interface and add some additional
capabilities to it so this mail is really a FYI for those interested as
numerous teams have interest in this area.
The parent Jira issue is here: -
https://issues.jboss.org/browse/WFLY-2635
At the moment there are not many configuration options for the HTTP
interface and we make a lot of decisions ourselves as to how it is
assembled, we now need some additional flexibility.
For the admin console there is a desire to enable alternative
distribution mechanisms so that the console can be served up from
elsewhere. There are no plans to remove the admin console from the
WildFly distribution but users may want to switch to a different
version. For this reason I plan to add configuration for the /console
context to make it possible to either disable the bundles console or to
respond to requests for the console with a redirect.
When we first authentication approaches for the HTTP management
operations we decided to use standard HTTP authentication mechanisms so
that clients could be written in many languages without imposing a
requirement other than the support of standard mechanisms. This in turn
has some problems with web browsers calling the management interface so
cross origin resource sharing has been completely disabled to protect
against malicious cross site scripting attacks. My intention is that
this /management context will remain as a legacy context (not
deprecated) so that clients written to use it can still do so - we may
choose to have it switched off by default but enabling this context will
be a config item.
The next step will be the introduction of a new management context with
a new name, at this stage I am only looking at configuration but this
new context will be updated to support new authentication mechanisms
which will be used directly by the console instead of by the web
browser. By moving credential handling from the web browser to the
console itself we will be able to relax our cross resource sharing
restrictions for this context maybe with configuration of allowed
origins. This will also allow us to remove the current 'Logout' hack
that we have in the console and HTTP interface as the console will be
able to control exactly how long credentials are cached for. This will
also have a useful side effect of allowing a user to open the admin
console multiple times with each instance authenticated as a different user.
At that point it will be possible for the console to be used with
alternative distribution approaches and also will provide a path where
additional SSO mechanisms can be used as these also have a requirement
on CORS.
I will send round some design ideas / config examples next week but if
there are any additional demands on the HTTP management interface in
addition to a path to enabling alternative distribution approaches and
the enablement of SSO not is the time to speak up ;-)
Regards,
Darran Lofthouse.
More information about the wildfly-dev
mailing list