Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR18
Affects Version/s: 7.1.0.DR16
Component/s: Management, Security
Labels:

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Release Note Status:
Not Required
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly-security-incubator/wildfly-core/pull/143

SFDC Cases Counter:
SFDC Cases Links:

Regression against DR15.
Authentication by legacy security realm is taken in account even if just Elytron authentication should be used. I don't say legacy authentication is used in priority before Elytron (that works as expected). Just that legacy authentication is somehow "initialized". In this case check "There are no user in mngmt-user.properties file" is performed

Reproducer:

Configure Elytron authentication for management interface

/subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:add()
/subsystem=elytron/filesystem-realm=exampleFsRealm/identity=user1:set-password( clear={password="password123"})
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/security-domain=exampleFsSD:add(realms=[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-realm=exampleFsRealm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleFsSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
/core-service=management/management-interface=http-interface:write-attribute(name=http-authentication-factory, value=example-fs-http-auth)

impossible to acces management interface

curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
{
    "outcome" : "failed",
    "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see http://localhost.localdomain:9990/error",
    "rolled-back" : "true"
}

Access is granted once

security realm is undefined from management interface

/core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm)

Or user is added into ManagementRealm

./add-user.sh -u admin -p admin -r ManagementRealm

curl --user user1:password123 http://localhost.localdomain:9990/management?operation=attribute\&name=server-state
"running"

is cloned by

WFCORE-2646 Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured

Resolved

is incorporated by

JBEAP-10508 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta21

Verified

relates to

JBEAP-10208 Authentication through http-interface with Elytron authentication and legacy SSL (without configured authentication) is not possible

Verified

Assignee:: Darran Lofthouse

Reporter:: Martin Choma

Tester:: Ondrej Lukas (Inactive)

QA Contact:: Ondrej Lukas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2017/04/10 2:35 AM

Updated:: 2021/10/24 6:50 AM

Resolved:: 2017/04/28 5:34 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates