Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-8784

Changing Elytron default-authentication-context requires server restart

XMLWordPrintable

    • Hide

      1) setup authentication-context:

      /subsystem=elytron/authentication-configuration=auth-config:add(authentication-name=user1,realm=ManagementRealm,allow-sasl-mechanisms=[DIGEST-MD5],credential-reference={clear-text=pass@123})
      /subsystem=elytron/authentication-context=auth-context:add(match-rules=[{match-host=localhost,authentication-configuration=auth-config}])
      

      2) use following http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) add user:

      ./bin/add-user.sh -u user1 -p pass@123 -r ManagementRealm
      

      4) deploy application for whoami operation (see attachments)

      5) access http://127.0.0.1:8080/AuthnContextApp/directCall. default-authentication-context is not set, so $local is displayed correctly

      6) set default-authentication-context

      /subsystem=elytron:write-attribute(name=default-authentication-context,value=auth-context)
      {"outcome" => "success"}
      

      7) access http://127.0.0.1:8080/AuthnContextApp/directCall again. Result is still $local.

      8) Reload server and access http://127.0.0.1:8080/AuthnContextApp/directCall again. Result is user1.

      Show
      1) setup authentication-context: /subsystem=elytron/authentication-configuration=auth-config:add(authentication-name=user1,realm=ManagementRealm,allow-sasl-mechanisms=[DIGEST-MD5],credential-reference={clear-text=pass@123}) /subsystem=elytron/authentication-context=auth-context:add(match-rules=[{match-host=localhost,authentication-configuration=auth-config}]) 2) use following http-interface: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 3) add user: ./bin/add-user.sh -u user1 -p pass@123 -r ManagementRealm 4) deploy application for whoami operation (see attachments) 5) access http://127.0.0.1:8080/AuthnContextApp/directCall . default-authentication-context is not set, so $local is displayed correctly 6) set default-authentication-context /subsystem=elytron:write-attribute(name= default -authentication-context,value=auth-context) { "outcome" => "success" } 7) access http://127.0.0.1:8080/AuthnContextApp/directCall again. Result is still $local . 8) Reload server and access http://127.0.0.1:8080/AuthnContextApp/directCall again. Result is user1 .

      In case when Elytron subsystem attribute default-authentication-context is changed (through write-attribute or undefine-attribute operation) then operation succeed and server is NOT set to reload-required state. However changed value is not used until server is reload.

      Before fixing, it must be decided whether change of default-authentication-context should require server reload or not. rhn-support-dlofthouse What should be correct behavior?

            darran.lofthouse@redhat.com Darran Lofthouse
            olukas Ondrej Lukas (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: