WildFly Core / WFCORE-2164

User identity is always set to anonymous for legacy security-realm authentication when identity is configured in management


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Version: 3.0.0.Alpha18
    • Component: Security

      1) Add the same ManagementRealm as is included in standalone.xml to standalone-elytron.xml.

      <security-realm name="ManagementRealm">
          <authentication>
              <local default-user="$local" skip-group-loading="true"/>
              <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
          </authentication>
          <authorization map-groups-to-roles="false">
              <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
          </authorization>
      </security-realm>
      

      2) Use the add-user script to add the user admin.
      3) Reconfigure standalone-elytron.xml to use the same http-interface configuration as standalone.xml:

      <http-interface security-realm="ManagementRealm">
          <http-upgrade enabled="true"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      4) Start the server and try to log in to the management console with the created admin user -> you will be logged in as anonymous.
      5) Stop the server and remove the following line from the configuration:

      <identity security-domain="ManagementDomain"/>
      

      6) Start the server and try to log in to the management console with the created admin user -> you will be logged in as admin.


      When both an identity and a legacy security-realm are configured under management, using the legacy solution for management authentication always results in the anonymous user identity. When only legacy authentication is used, it should not be affected by the management identity.

      This issue strongly affects the scenario in which one management interface uses Elytron and another uses the legacy solution: the identity is always set to anonymous for the legacy solution.

            Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
            Reporter: Ondrej Lukas (olukas, Inactive)