[wildfly-dev] Subsystems changing their own configuration model
Darran Lofthouse
darran.lofthouse at jboss.com
Wed Sep 14 05:44:40 EDT 2016
On 14/09/16 10:37, Tristan Tarrant wrote:
> On 14/09/16 11:24, Darran Lofthouse wrote:
>> On 14/09/16 09:54, Tristan Tarrant wrote:
>>> Well, it is a protocol operation which has a management side-effect. The
>>> way we have approached that in other similar situations is to either
>>> require access through a loopback interface or require authentication
>>> and authorization be enabled on the endpoint and an Admin permission on
>>> the subject requesting the operation. Note however that the Hot Rod
>>> endpoint would be using a different security realm compared to the
>>> management one.
>> FYI for WildFly 11 if a call remains in-VM and goes from the application
>> to the management tier we will have a mechanism for the identity to be
>> inflowed to the security domain used for management which will allow
>> management access control to be used.
> That would require the identity to be present in both "security realms"
> (or whatever their equivalent is in WF11) ?
Generally yes - but there is quite a bit more to it. A security domain
can reference multiple security realms; in addition to this, there are
ways to structure the new configuration so that identity does not have
direct access to the management tier.
Also the identity will look very different depending on which tier it is
in, as each tier will have its own security domain with its own
configuration for role and permission mapping.
> Tristan
>