1 Reply Latest reply on Apr 30, 2013 6:31 AM by Darran Lofthouse

    Securing management native interface

    Andrei Serea Newbie

      I've been trying for a couple of days now to secure the native management interface, but with no luck.

      The setup is the default JBoss AS 7.1.1:

       

      The management tag:

          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <authentication>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket-binding native="management-native"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket-binding http="management-http"/>
                  </http-interface>
              </management-interfaces>
          </management>

      The socket bindings:

          <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
          <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
          <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>

       

       

      As you can see, everything is default.

       

      My mgmt-users.properties contains 2 users.

       

      The funny thing is that the http interface prompts for a password but the native interface (when connecting through the CLI) doesn't.

       

      Any ideas?

        • 1. Re: Securing management native interface
          Darran Lofthouse Master

          The CLI is authenticating using the local authentication mechanism, i.e. the server is challenging it with a file written to disk and the CLI is proving that it can read the file and sending the response to the server. As the user running the CLI has access to the configuration files there is no need to prompt for a username and password.

           

          Try running the CLI on a remote host and you should see the prompt.
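
The file-based challenge described in the reply above, as an added example that is not part of the original thread and is not JBoss code: a simplified Python model in which the server writes a one-time token to an owner-only file and a client that can read it is logged in silently, while a client that cannot falls back to the realm's username/password prompt. The class and function names and the `can_read_server_files` flag are assumptions made for illustration.

```python
import hmac
import os
import secrets
import tempfile


class LocalAuthServer:
    """Simplified model of a file-based local challenge (hypothetical, not JBoss code)."""

    def __init__(self, challenge_dir):
        self.challenge_dir = challenge_dir
        self._pending = {}  # challenge file path -> expected token

    def issue_challenge(self):
        token = secrets.token_hex(16)
        # mkstemp creates the file readable and writable by the owner only (0600 on POSIX).
        fd, path = tempfile.mkstemp(prefix="challenge-", dir=self.challenge_dir)
        with os.fdopen(fd, "w") as f:
            f.write(token)
        self._pending[path] = token
        return path

    def verify(self, path, response):
        expected = self._pending.pop(path, None)  # single use: a replay finds nothing
        if os.path.exists(path):
            os.remove(path)
        return (expected is not None and response is not None
                and hmac.compare_digest(expected, response))


def local_client_response(path):
    """A client proves local file access by returning the file's content."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None  # file not readable from here


def authenticate(server, can_read_server_files):
    path = server.issue_challenge()
    # A remote client is handed a path that only exists on the server's disk.
    response = local_client_response(path) if can_read_server_files else None
    return "local" if server.verify(path, response) else "prompt"


def demo():
    with tempfile.TemporaryDirectory() as d:
        server = LocalAuthServer(d)
        return authenticate(server, True), authenticate(server, False)


if __name__ == "__main__":
    print(demo())
```

The practical consequence for hardening is that read access to the server's files is equivalent to management access from that host, so file ownership and permissions on the installation are part of the management interface's access control.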