2 Replies Latest reply on Mar 14, 2012 11:53 AM by karink

    AS 7.1.1_final: available authentication types to secure the managment interfaces

    karink
    karink Mar 12, 2012 1:36 PM

      Hi

       

      at the moment I'm trying to find out the best way for us to secure the management interface(s)

       

      According to this documentation https://docs.jboss.org/author/display/AS71/Securing+the+Management+Interfaces

      the following authentication types are currently available

       

      Authentication
      Mechanism
      		HTTP
      Interface
      		Native
      Interface
      LDAP
      		HTTP BASIC
      		Not Supported1
      Users
      		HTTP DIGEST
      		SASL DIGEST
      Properties
      		HTTP DIGEST
      		SASL DIGEST

       

      Looking at the jboss-as-config_1_1.xsd and at the source code there seems to be another authentication type available -> jaas (class org.jboss.as.domain.management.security.JaasCallbackHandler)

      Is this authentication type really available for http interface and native interface (I just don't want to spend time trying it out, when it is not really supported for the moment, and as it is not stated in the documentation mentioned above I assume this is at the moment not supported).

       

      Is there any way to exchange the authentication method for the http/native interface? E.g. for the http interface I would like to enable a custom built authenticator which just verifies a digitally signed header and sets the principal using this one. Studying the source (org.jboss.as.domain.http.server.ManagementHttpServer) I think it is not easily possible to modify that.

       

      Same question for the native interface can we use there for example certificate based authentication or is at the moment really only SASL DIGES/ authentication method available (as stated in the documentation)

       

       

       

      Thanks for your help

      Regards

      Karin

      • 1252 Views
      • Tags:
        • 1. Re: AS 7.1.1_final: available authentication types to secure the managment interfaces
          dlofthouse
          dlofthouse Mar 12, 2012 1:52 PM (in response to karink)

          That list is due an update as we do support LDAP with the Native interface and that currently works with the PLAIN mechanism - also a JAAS domain can be used for username / password authentication and that also uses PLAIN.  Client certificate verification can be enabled for both interfaces but we do not support additional mechanisms at the moment.

          1 of 1 people found this helpful
            • Actions
          • 2. Re: AS 7.1.1_final: available authentication types to secure the managment interfaces
            karink
            karink Mar 14, 2012 11:53 AM (in response to dlofthouse)

            Hi Darran

             

            thanks for your help

             

            So this means at the moment there is no way to configure other combination of authentication method / and user store than those you have mentioned above.

            Right?

             

            I think it would be cool to choose the authentication method (like SAML, Kerberos,...)  for the web management console/native DMR interface and to enable JAAS for checking the user received from the authentication method

             

            Are there any plans to provide this feature.

              • Actions