Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10208

Authentication through http-interface with Elytron authentication and legacy SSL (without configured authentication) is not possible

    XMLWordPrintable

Details

    • Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'

      2) generate keystore:

      keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

      3) add legacy security realm to standalone-elytron.xml:

      <security-realm name="ManagementRealmHTTPS">
    <server-identities>
        <ssl>
            <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/>
        </ssl>
    </server-identities>
</security-realm>

      4) set up http-interface:

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

      5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate keystore: keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v 3) add legacy security realm to standalone-elytron.xml: <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl> <keystore path= "identity.jks" relative-to= "jboss.server.config.dir" keystore-password= "password1" alias= "appserver" /> </ssl> </server-identities> </security-realm> 4) set up http-interface: <http- interface http-authentication-factory= "management-http-authentication" security-realm= "ManagementRealmHTTPS" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

    Description

      When http-interface uses http-authentication-factory attribute for authentication and security-realm attribute for SSL, and referenced security-realm does not include authentication, then authentication through http-interface is not possible.

      When Management Console is used, then page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed.

      When https://localhost:9993/management?operation=attribute&name=server-state is accessed then following output is returned:

      {
    "outcome" : "failed",
    "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see https://localhost:9993/error",
    "rolled-back" : "true"
}

      When security-realm includes also authentication (which is not used) then authentication through http-interface works as expected.

      We request blocker flag because this issue blocks RFE EAP7-545. This issue is reported in EAP 7.1.0.DR16 because this configuration could not be set on application server due to JBEAP-7428, which was fixed in EAP 7.1.0.DR16.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2641 Authentication through http-interface with Elytron authentication and legacy SSL (without configured authentication) is not possible

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-10508 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta21

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10226 Elytron, management interface, legacy authentication is "checked" even if Elytron authentication is configured

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: