Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2641

Authentication through http-interface with Elytron authentication and legacy SSL (without configured authentication) is not possible

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 3.0.0.Beta26
    • 3.0.0.Beta13
    • Management, Security
    • None
    • Hide

      1) add user:

      ./add-user.sh -u 'admin' -p 'pass@123'

      2) generate keystore:

      keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v

      3) add legacy security realm to standalone-elytron.xml:

      <security-realm name="ManagementRealmHTTPS">
    <server-identities>
        <ssl>
            <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="password1" alias="appserver"/>
        </ssl>
    </server-identities>
</security-realm>

      4) set up http-interface:

      <http-interface http-authentication-factory="management-http-authentication" security-realm="ManagementRealmHTTPS">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http" https="management-https"/>
</http-interface>

      5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

      Show
      1) add user: ./add-user.sh -u 'admin' -p 'pass@123' 2) generate keystore: keytool -genkeypair -alias appserver -storetype jks -keyalg RSA -keysize 2048 -keypass password1 -keystore identity.jks -storepass password1 -dname "CN=appserver,OU=Sales,O=Systems Inc,L=Raleigh,ST=NC,C=US" -validity 730 -v 3) add legacy security realm to standalone-elytron.xml: <security-realm name= "ManagementRealmHTTPS" > <server-identities> <ssl> <keystore path= "identity.jks" relative-to= "jboss.server.config.dir" keystore-password= "password1" alias= "appserver" /> </ssl> </server-identities> </security-realm> 4) set up http-interface: <http- interface http-authentication-factory= "management-http-authentication" security-realm= "ManagementRealmHTTPS" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" https= "management-https" /> </http- interface > 5) start server and try to access https://localhost:9993 -> page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed

      When http-interface uses http-authentication-factory attribute for authentication and security-realm attribute for SSL, and referenced security-realm does not include authentication, then authentication through http-interface is not possible.

      When Management Console is used, then page with The Red Hat JBoss Enterprise Application Platform 7 is running. However you have not yet added any users to be able to access the admin console. is displayed.

      When https://localhost:9993/management?operation=attribute&name=server-state is accessed then following output is returned:

      {
    "outcome" : "failed",
    "failure-description" : "WFLYDMHTTP0006: The security realm is not ready to process requests, see https://localhost:9993/error",
    "rolled-back" : "true"
}

      When security-realm includes also authentication (which is not used) then authentication through http-interface works as expected.

              darran.lofthouse@redhat.com Darran Lofthouse
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: