5 Replies Latest reply on Jul 19, 2018 1:08 PM by seanmanning

    Can't use local authentication with jboss-cli for non-default users.

    seanmanning

      I'm trying to test how local authentication works when you specify a username with jboss-cli.sh.  Here is my server's ManagementRealm:

       

      <security-realm name="ManagementRealm">
        <authentication>
          <local default-user="$local" allowed-users="sean"/>
        </authentication>
      </security-realm>

       

      I am able to connect if I just do:

       

      Seans-Mac-Pro:~ sean$ jboss-cli.sh --controller=remote://localhost:9999 --connect
      [domain@localhost:9999 /]

       

       

      However, if I specify the user I get an error message:

       

      Seans-Mac-Pro:~ sean$ jboss-cli.sh --controller=remote://localhost:9999 --connect --user=sean
      Failed to connect to the controller: Unable to authenticate against controller at localhost:9999: Authentication failed: none of the mechanisms presented by the server (JBOSS-LOCAL-USER) are supported

       

      I feel like I read somewhere that if I specify the --user parameter to jboss-cli.sh it disables the local authentication, but I can't be sure.  However, that is what the error message is alluding to.  Is there another way to specify the user to jboss-cli.sh, like inside the interactive session before calling "connect"?  I can't find a way to do that.  Thanks.

       

      Sean

        • 1. Re: Can't use local authentication with jboss-cli for non-default users.
          andey

          You need to review the client configuration and server side configuration to ensure the client is specifying valid authentication credentials (username/password) and that it matches up with what the server is configured to accept.

           

          If the server is configured to allow the $local, it will attempt a file-based authentication challenge where, if the client can create a file under the $JBOSS_HOME directory, then it will be authenticated without checking any further credentials.

           

          This file challenge will only work if the client is running on the same machine as the server and as an operating user that has write access to the $JBOSS_HOME directory.

           

          The file-based authentication challenge can be disabled by removing the $local configuration from the authentication section in the JBoss profile xml.


          (i) Make sure the remote-outbound-connection's username is correct and that the valid password for that username, which is base64 encoded in the security-realm, is correct. If you use Unix you can base64 with the command below; remember, if you use echo, to add -n so it does not echo a newline, else the encoded password will not match.

           

          echo -n "password" | base64

           

          (ii) For the server side, also try the recommendations in [1] as well.

          • 2. Re: Can't use local authentication with jboss-cli for non-default users.
            seanmanning

            The configuration appears to be correct and I am connecting from the same computer and I have access to the $JBOSS_HOME files.  Indeed, it works when I don't specify a user to jboss-cli.sh.  It's when I do specify a user with the --user=sean option that jboss-cli.sh appears to disable using local authentication.  So I'm looking for a way to authenticate locally with a specified user when connecting with jboss-cli.sh.

            • 3. Re: Can't use local authentication with jboss-cli for non-default users.
              plohia

              Hi Sean,

               

              Did you try adding the user "sean" using the add-user.sh script?

               

              I did try the below steps:

              1> Configured my host.xml as below:

              ~~~
              <security-realm name="ManagementRealm">
                  <authentication>
                      <local default-user="$local" allowed-users="abc"/>
              ~~~

               

              2> Add the user "abc" using add-user.sh script

              ~~~
              $ ./add-user.sh abc password@123
              Added user 'abc' to file '$JBOSS_HOME/standalone/configuration/mgmt-users.properties'
              Added user 'abc' to file '$JBOSS_HOME/domain/configuration/mgmt-users.properties'
              ~~~

               

              3>

              $ ./jboss-cli.sh -c --user=abc
              Authenticating against security realm: ManagementRealm
              Password:

               

              Please let me know if this resolves.

               

              -Pranab

              • 4. Re: Can't use local authentication with jboss-cli for non-default users.
                dlofthouse

                The CLI does disable local authentication once a username is specified, this is taken as an indication that local authentication is not desired.

                 

                Which WildFly version are you using?  I would need to double check but it may be possible to override this with an authentication client configuration from WildFly 11 onwards.

                1 of 1 people found this helpful
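
Added example (not from the thread or the WildFly project): a short Python audit that lists which realms in a host.xml or standalone.xml enable `<local>`, which users it allows, and whether `<local>` is the only mechanism offered, which is the case where a CLI started with `--user` gets the "none of the mechanisms" error from the question. The sample XML, the `ExampleRealm` realm and the function names are constructed for illustration; treating `allowed-users="*"` as "any user" follows the WildFly management model, not this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the realm from the question plus a hypothetical second realm.
SAMPLE_HOST_XML = """<host xmlns="urn:jboss:domain:5.0" name="master">
 <management><security-realms>
  <security-realm name="ManagementRealm">
   <authentication>
    <local default-user="$local" allowed-users="sean"/>
   </authentication>
  </security-realm>
  <security-realm name="ExampleRealm">
   <authentication>
    <local default-user="$local" allowed-users="*"/>
    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
   </authentication>
  </security-realm>
 </security-realms></management>
</host>"""


def _name(element):
    """Element name without its XML namespace prefix."""
    return element.tag.rsplit("}", 1)[-1]


def audit_realms(xml_text):
    """Return one finding per security realm that enables <local> authentication."""
    findings = []
    for realm in ET.fromstring(xml_text).iter():
        if _name(realm) != "security-realm":
            continue
        auth = [c for c in realm if _name(c) == "authentication"]
        mechanisms = [_name(m) for a in auth for m in a]
        local = next((m for a in auth for m in a if _name(m) == "local"), None)
        if local is None:
            continue  # realm does not offer JBOSS-LOCAL-USER
        allowed = [u.strip() for u in local.get("allowed-users", "").split(",") if u.strip()]
        findings.append({
            "realm": realm.get("name"),
            "default_user": local.get("default-user"),
            "allowed_users": allowed,
            # "*" accepts any user name asserted by a local client
            "any_user": "*" in allowed,
            # no other mechanism: a client that refuses local auth cannot log in
            "local_only": set(mechanisms) == {"local"},
        })
    return findings


if __name__ == "__main__":
    for finding in audit_realms(SAMPLE_HOST_XML):
        print(finding)
```

To audit a real configuration, pass the file's contents to `audit_realms()`; realms reported with `local_only` set match the situation in the question, and realms with `any_user` set deserve a review of who can run processes on the host.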
                • 5. Re: Can't use local authentication with jboss-cli for non-default users.
                  seanmanning

                  I am using WildFly 11.