  1. JBoss Enterprise Application Platform
  2. JBEAP-23097

(7.4.z) Elytron local authentication doesn't work if no standalone/tmp/auth dir exists and no legacy security-realm is configured


      1) Unzip EAP 7.4
      2) cd jboss-eap-7.4
      3) rm -rf standalone/tmp
      4) Copy the attached standalone-se17.xml file to the standalone/configuration dir
      5) bin/standalone.sh -c=standalone-se17.xml
      6) Open another shell in the same dir
      7) bin/jboss-cli.sh -c

      Expected results:

      The CLI automatically authenticates as it is local to the server.

      $ bin/jboss-cli.sh -c
      [standalone@localhost:9990 /]
      

      Actual results:

      The CLI can't authenticate using local authentication so the user is prompted for a login.

      $ bin/jboss-cli.sh -c
      Authenticating against security realm: ManagementRealm
      Username: 
      

      If you kill the CLI process, mkdir -p standalone/tmp/auth and try again to start the CLI it will connect.


      The JBOSS_LOCAL_USER authentication mechanism requires that the ${jboss.server.tmp.dir}/auth directory exists, but the only code in the server that ensures it exists is only invoked if a legacy security-realm is configured.

      This has cropped up in testing work with SE 17 where the configs we are using can't include legacy security and some of the installations under test don't include the tmp/auth dir.

      I mark this as minor as our standard installation zip includes the tmp/auth dir, so this is more a problem if it is removed. So not a big deal from an end user point of view. But it's important to get it fixed for our own testing needs.

      Upstream this was corrected as part of the work removing legacy security altogether, so we just need to port that fix.
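
The following is an added example, not part of the original report and not EAP code: a pre-start check a test harness could run so that local authentication does not depend on the installation having shipped tmp/auth. The function name, the symlink refusal and the owner-only mode are assumptions of this example, and the path assumes the default standalone layout used in the steps above, where jboss.server.tmp.dir is standalone/tmp.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from EAP): make sure the directory
# that JBOSS_LOCAL_USER needs exists before the server is started.
# Usage: ensure_local_auth_dir jboss-eap-7.4/standalone
# Prints the auth directory on success; returns non-zero and a reason otherwise.

ensure_local_auth_dir() {
    base_dir=$1
    auth_dir="$base_dir/tmp/auth"

    if [ -z "$base_dir" ] || [ ! -d "$base_dir" ]; then
        echo "server base dir not found: $base_dir" >&2
        return 2
    fi

    # Assumption of this example: refuse symlinks, so the files used for
    # local authentication land only in a directory inside this installation.
    for p in "$base_dir/tmp" "$auth_dir"; do
        if [ -L "$p" ]; then
            echo "refusing symlink: $p" >&2
            return 3
        fi
    done

    # Something other than a directory already occupies the path.
    if [ -e "$auth_dir" ] && [ ! -d "$auth_dir" ]; then
        echo "not a directory: $auth_dir" >&2
        return 4
    fi

    # Same effect as the manual workaround: mkdir -p standalone/tmp/auth
    mkdir -p "$auth_dir" || return 5

    # Assumption of this example: server and CLI run as the same OS user,
    # so owner-only access is enough and keeps other local users out.
    chmod 700 "$auth_dir" || return 5

    echo "$auth_dir"
}
```
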

              bstansbe@redhat.com Brian Stansberry