Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-3691

AuditProvider mentions "[Success]" even if username/password is invalid

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 8.1.0.Final
    • Fix Version/s: 9.0.0.Alpha1
    • Component/s: Security
    • Labels:
      None
    • Steps to Reproduce:
      Hide

      1. Change ManagementRealm:-

                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local"/>
                          <jaas name="jaasSecurityDomain"/>
                      </authentication>
      

      2. add the log category:-

                  <logger category="org.jboss.security.audit">
                      <level name="TRACE"/>
                  </logger>
      

      3. add the security-domain:-

                      <security-domain name="jaasSecurityDomain" cache-type="default">
                          <authentication>
                              <login-module code="Simple" flag="required"/>
                          </authentication>
                          <audit/>
                      </security-domain>
      

      then, web console requires authentication against security-domain instead of mgmt-users.properties file.

      4. start EAP then access web console with a wrong username/password, for example, admin/wrongpass.

      Show
      1. Change ManagementRealm:- <security-realm name= "ManagementRealm" > <authentication> <local default-user= "$local" /> <jaas name= "jaasSecurityDomain" /> </authentication> 2. add the log category:- <logger category= "org.jboss.security.audit" > <level name= "TRACE" /> </logger> 3. add the security-domain:- <security-domain name= "jaasSecurityDomain" cache-type= "default" > <authentication> <login-module code= "Simple" flag= "required" /> </authentication> <audit/> </security-domain> then, web console requires authentication against security-domain instead of mgmt-users.properties file. 4. start EAP then access web console with a wrong username/password, for example, admin/wrongpass.

      Description

      Description of problem:
      AuditProvider in security-domain mentions "[Success]" as follow:-

      11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;

      even if a username/password is wrong.

        Attachments

          Activity

            People

            Assignee:
            jcacek Josef Cacek (Inactive)
            Reporter:
            jcacek Josef Cacek (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: