Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10208

Authentication through http-interface with Elytron authentication and legacy SSL (without configured authentication) is not possible

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'
      

      2) generate keystore:

      keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v
      

      3) add legacy security realm to standalone-elytron.xml:

      <security-realm name="ManagementRealmHTTPS">
          <server-identities>
              <ssl>
                  <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/>
              </ssl>
          </server-identities>
      </security-realm>
      

      4) set up http-interface:

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http" https="management-https"/>
      </http-interface>
      

      5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate keystore: keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v 3) add legacy security realm to standalone-elytron.xml: <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl> <keystore path= "identity.jks" relative-to= "jboss.server.config.dir" keystore-password= "password1" alias= "appserver" /> </ssl> </server-identities> </security-realm> 4) set up http-interface: <http- interface http-authentication-factory= "management-http-authentication" security-realm= "ManagementRealmHTTPS" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

      Description

      When http-interface uses http-authentication-factory attribute for authentication and security-realm attribute for SSL, and referenced security-realm does not include authentication, then authentication through http-interface is not possible.

      When Management Console is used, then page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed.

      When https://localhost:9993/management?operation=attribute&name=server-state is accessed then following output is returned:

      {
          "outcome" : "failed",
          "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see https://localhost:9993/error",
          "rolled-back" : "true"
      }
      

      When security-realm includes also authentication (which is not used) then authentication through http-interface works as expected.

      We request blocker flag because this issue blocks RFE EAP7-545. This issue is reported in EAP 7.1.0.DR16 because this configuration could not be set on application server due to JBEAP-7428, which was fixed in EAP 7.1.0.DR16.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  olukas Ondrej Lukas
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  5 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: