[wildfly-dev] Enhancing the HTTP Management Interface Configuration - WFLY-2635
Jason Greene
jason.greene at redhat.com
Thu May 1 17:45:51 EDT 2014
We also should look at automating SSL setup, although maybe thats a different topic.
On May 1, 2014, at 1:05 PM, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:
> I am just about to work on the outstanding task to enhance the
> configuration to the HTTP management interface and add some additional
> capabilities to it so this mail is really a FYI for those interested as
> numerous teams have interest in this area.
>
> The parent Jira issue is here: -
> https://issues.jboss.org/browse/WFLY-2635
>
> At the moment there are not many configuration options for the HTTP
> interface and we make a lot of decisions ourselves as to how it is
> assembled, we now need some additional flexibility.
>
> For the admin console there is a desire to enable alternative
> distribution mechanisms so that the console can be served up from
> elsewhere. There are no plans to remove the admin console from the
> WildFly distribution but users may want to switch to a different
> version. For this reason I plan to add configuration for the /console
> context to make it possible to either disable the bundles console or to
> respond to requests for the console with a redirect.
>
> When we first authentication approaches for the HTTP management
> operations we decided to use standard HTTP authentication mechanisms so
> that clients could be written in many languages without imposing a
> requirement other than the support of standard mechanisms. This in turn
> has some problems with web browsers calling the management interface so
> cross origin resource sharing has been completely disabled to protect
> against malicious cross site scripting attacks. My intention is that
> this /management context will remain as a legacy context (not
> deprecated) so that clients written to use it can still do so - we may
> choose to have it switched off by default but enabling this context will
> be a config item.
>
> The next step will be the introduction of a new management context with
> a new name, at this stage I am only looking at configuration but this
> new context will be updated to support new authentication mechanisms
> which will be used directly by the console instead of by the web
> browser. By moving credential handling from the web browser to the
> console itself we will be able to relax our cross resource sharing
> restrictions for this context maybe with configuration of allowed
> origins. This will also allow us to remove the current 'Logout' hack
> that we have in the console and HTTP interface as the console will be
> able to control exactly how long credentials are cached for. This will
> also have a useful side effect of allowing a user to open the admin
> console multiple times with each instance authenticated as a different user.
>
> At that point it will be possible for the console to be used with
> alternative distribution approaches and also will provide a path where
> additional SSO mechanisms can be used as these also have a requirement
> on CORS.
>
> I will send round some design ideas / config examples next week but if
> there are any additional demands on the HTTP management interface in
> addition to a path to enabling alternative distribution approaches and
> the enablement of SSO not is the time to speak up ;-)
>
> Regards,
> Darran Lofthouse.
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
More information about the wildfly-dev
mailing list