Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-3691

AuditProvider mentions "[Success]" even if username/password is invalid

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 9.0.0.Alpha1
    • 8.1.0.Final
    • Security
    • None
    • Hide

      1. Change ManagementRealm:-

                  <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local"/>
                    <jaas name="jaasSecurityDomain"/>
                </authentication>

      2. add the log category:-

                  <logger category="org.jboss.security.audit">
                <level name="TRACE"/>
            </logger>

      3. add the security-domain:-

                      <security-domain name="jaasSecurityDomain" cache-type="default">
                    <authentication>
                        <login-module code="Simple" flag="required"/>
                    </authentication>
                    <audit/>
                </security-domain>

      then, web console requires authentication against security-domain instead of mgmt-users.properties file.

      4. start EAP then access web console with a wrong username/password, for example, admin/wrongpass.

      Show
      1. Change ManagementRealm:- <security-realm name= "ManagementRealm" > <authentication> <local default-user= "$local" /> <jaas name= "jaasSecurityDomain" /> </authentication> 2. add the log category:- <logger category= "org.jboss.security.audit" > <level name= "TRACE" /> </logger> 3. add the security-domain:- <security-domain name= "jaasSecurityDomain" cache-type= "default" > <authentication> <login-module code= "Simple" flag= "required" /> </authentication> <audit/> </security-domain> then, web console requires authentication against security-domain instead of mgmt-users.properties file. 4. start EAP then access web console with a wrong username/password, for example, admin/wrongpass.

    Description

      Description of problem:
      AuditProvider in security-domain mentions "[Success]" as follow:-

      11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;

      even if a username/password is wrong.

      Attachments

        Activity

          People

            josef.cacek@gmail.com Josef Cacek (Inactive)
            josef.cacek@gmail.com Josef Cacek (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: