Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: 3.0.0.Alpha14
Affects Version/s: 2.2.0.Final
Component/s: JMX, Security
Labels:
None

Steps to Reproduce:
Hide

Copy the attached standalone.xml to $WFLY_HOME/standalone/configuration/

Add user admin:

$ ./bin/add-user.sh -u admin -p p@ssw0rd

Start WildFly 10.1.0.Final:

$ ./bin/standalone.sh

Run the attached reproducer wildfly-jmx-auth:

$ mvn clean test

You'll see the test fails showing
javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access

in the server log
Show
Copy the attached standalone.xml to $WFLY_HOME/standalone/configuration/ Add user admin : $ ./bin/add-user.sh -u admin -p p@ssw0rd Start WildFly 10.1.0.Final: $ ./bin/standalone.sh Run the attached reproducer wildfly-jmx-auth : $ mvn clean test You'll see the test fails showing javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access in the server log

Description

After RBAC is enabled, even a user ("admin") with SuperUser role fails to get authorized access to JMX with the following code:

        MBeanServer mBeanServer = ...
        Subject subject = new Subject();
        // Login
        new LoginContext("test-domain", subject, callbacks -> { ... }).login();
        // Access to JMX
        Subject.doAs(subject, (PrivilegedAction<Object>) () -> {
            mBeanServer.getAttribute(new ObjectName("java.lang:type=Memory"), "HeapMemoryUsage"));
            return null;
        });

RBAC and role-mapping are enabled in standalone.xml like this:

        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                        <user name="admin"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>
        [...]
        <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                [...]
                <security-domain name="test-domain" cache-type="default">
                    <authentication>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="realm" value="ManagementRealm"/>
                        </login-module>
                    </authentication>
                </security-domain>

The code gets this error in the server log:

javax.management.JMRuntimeException: WFLYJMX0037: Unauthorized access
	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1203)
	at org.jboss.as.jmx.PluggableMBeanServerImpl.authorizeMBeanOperation(PluggableMBeanServerImpl.java:1190)
	at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:387)
	at com.redhat.issues.wildfly.JmxServlet.readMBeanAttribute(JmxServlet.java:87)
	at com.redhat.issues.wildfly.JmxServlet.lambda$process$0(JmxServlet.java:53)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at com.redhat.issues.wildfly.JmxServlet.process(JmxServlet.java:52)
	at com.redhat.issues.wildfly.JmxServlet.doGet(JmxServlet.java:44)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

standalone.xml
21 kB
2016/11/29 9:06 PM
wildfly-jmx-auth.zip
8 kB
2016/11/29 9:09 PM

Issue Links

causes

ENTESB-6281 Unable to connect to Jolokia on Fuse on EAP if RBAC is enabled

Closed

links to

Hawtio cannot run on WildFly when RBAC is enabled #2224

Activity

People

Assignee:: Darran Lofthouse

Reporter:: Tadayoshi Sato

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2016/11/29 9:06 PM

Updated:: 2021/10/24 5:58 AM

Resolved:: 2016/11/30 3:45 AM