Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-3691

AuditProvider mentions "[Success]" even if username/password is invalid

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 9.0.0.Alpha1
    • 8.1.0.Final
    • Security
    • None
    • Hide

      1. Change ManagementRealm:-

                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local"/>
                          <jaas name="jaasSecurityDomain"/>
                      </authentication>
      

      2. add the log category:-

                  <logger category="org.jboss.security.audit">
                      <level name="TRACE"/>
                  </logger>
      

      3. add the security-domain:-

                      <security-domain name="jaasSecurityDomain" cache-type="default">
                          <authentication>
                              <login-module code="Simple" flag="required"/>
                          </authentication>
                          <audit/>
                      </security-domain>
      

      then, web console requires authentication against security-domain instead of mgmt-users.properties file.

      4. start EAP then access web console with a wrong username/password, for example, admin/wrongpass.

      Show
      1. Change ManagementRealm:- <security-realm name= "ManagementRealm" > <authentication> <local default-user= "$local" /> <jaas name= "jaasSecurityDomain" /> </authentication> 2. add the log category:- <logger category= "org.jboss.security.audit" > <level name= "TRACE" /> </logger> 3. add the security-domain:- <security-domain name= "jaasSecurityDomain" cache-type= "default" > <authentication> <login-module code= "Simple" flag= "required" /> </authentication> <audit/> </security-domain> then, web console requires authentication against security-domain instead of mgmt-users.properties file. 4. start EAP then access web console with a wrong username/password, for example, admin/wrongpass.

      Description of problem:
      AuditProvider in security-domain mentions "[Success]" as follow:-

      11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;

      even if a username/password is wrong.

              josef.cacek@gmail.com Josef Cacek (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: