1. Re: Local user authentication
jaikiran May 30, 2013 5:39 AM (in response to td121136)
See the section named "Local Clients" here https://community.jboss.org/wiki/AS710Beta1-SecurityEnabledByDefault
2. Re: Local user authentication
td121136 May 30, 2013 5:49 AM (in response to jaikiran)
Yup, I already read that post. In the post there is a sentence "...providing the local user running the server access using tools such as the CLI, the Maven plug-in, JBoss Tools etc..." in the Local Client section.
Does that mean the same person who started the server, or any local users (same host) who have access to those tools? I'm confused, just want to be sure on this.
3. Re: Local user authentication
dlofthouse May 30, 2013 5:54 AM (in response to td121136)
All users with access to {jboss.home}/standalone/tmp/auth or {jboss.home}/domain/tmp/auth, depending on which mode you are running, will be able to access the server using the local authentication mechanism.
If you have multiple users sharing the same account used to start JBoss then they potentially have the ability to override any configuration you choose to set.
However, you do not mention which version you are running; check the security realm definition for the ManagementRealm - if there is a <local /> element in there you can remove it to switch off the authentication.
4. Re: Local user authentication
td121136 May 30, 2013 6:18 AM (in response to dlofthouse)
Sorry, I'm using JBoss version 7.1.1.Final in standalone mode. I already checked the "jboss-as-config_1_2.xsd" schema, and there doesn't seem to be any <local> element I can make use of. The default standalone.xml doesn't have the <local> tag either.
5. Re: Local user authentication
dlofthouse May 30, 2013 6:23 AM (in response to td121136)
In that case I think there are two real options:
- Build a later tag of AS7 or WildFly that does include the configuration option.
- Change the ownership of the 'auth' folders mentioned above to a different user, maybe even root to disable the mechanism.
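To check which of the two options applies to a given installation, here is an added audit helper (not from this thread or the JBoss project). It assumes the directory layout named above (`$JBOSS_HOME/standalone/tmp/auth` with the realm in `standalone/configuration/standalone.xml`, or `domain/tmp/auth` with the realm in `domain/configuration/host.xml`) and reports who can read the auth directory and whether the ManagementRealm declares `<local />`.

```shell
# Hypothetical audit helper for the file-based local auth mechanism.

# Return 0 if only the owning user can read the auth dir, 1 if group or
# other users can read it (every such local account then gets
# password-less management access), 2 if the dir is missing.
# Caveat: root ignores these permission bits regardless of ownership.
audit_auth_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    set -- $(ls -ld "$dir")          # e.g. drwx------ 2 jboss jboss ...
    mode="$1"; owner="$3"; group="$4"
    grp_r=$(printf '%s' "$mode" | cut -c5)
    oth_r=$(printf '%s' "$mode" | cut -c8)
    echo "auth dir $dir owner=$owner group=$group mode=$mode"
    if [ "$grp_r" = r ] || [ "$oth_r" = r ]; then
        echo "WARN: group/other can read $dir and connect without credentials"
        return 1
    fi
    return 0
}

# Return 0 if the realm config contains a <local ...> element (the
# mechanism can be switched off by removing it), 1 if it does not
# (older 7.1.x: only the ownership workaround applies).
has_local_element() {
    grep -q '<local' "$1"
}

# Usage: audit_jboss_local_auth /opt/jboss-as-7.1.1.Final [standalone|domain]
audit_jboss_local_auth() {
    home="$1"; mode="${2:-standalone}"
    case "$mode" in
        domain) cfg="$home/domain/configuration/host.xml" ;;
        *)      cfg="$home/standalone/configuration/standalone.xml" ;;
    esac
    rc=0
    audit_auth_dir "$home/$mode/tmp/auth" || rc=$?
    if has_local_element "$cfg"; then
        echo "<local /> present in $cfg: remove it from ManagementRealm to disable"
    else
        echo "no <local /> in $cfg: only the tmp/auth ownership workaround applies"
    fi
    return $rc
}
```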
6. Re: Local user authentication
td121136 May 30, 2013 9:44 PM (in response to dlofthouse)
I will test with the 2nd option because right now it is impossible for me to do such a major upgrade. Thanks Darran for your suggestion.
7. Re: Local user authentication
td121136 May 31, 2013 2:21 AM (in response to td121136)
I had tested a few scenarios as below:
Scenario #1 (Start JBoss as User A, auth ownership belongs to User A)
1) Start JBoss using User A.
2) Start JConsole using User A, able to see and access the JMX MBeanServer process.
3) Start JBoss CLI using User A, able to connect without username and password authentication.
4) Start JConsole using ROOT, able to see and access the JMX MBeanServer process.
5) Start JBoss CLI using ROOT, able to access it without username and password authentication.
For the scenario above, does it mean the ROOT user can always access JConsole & JBoss CLI even though it is not the one that started the server?
Scenario #2 (Start JBoss as User A, change auth ownership: "chmod root:root auth")
1) Start JBoss using User A.
2) Start JConsole using User A, able to see and access the JMX MBeanServer process.
3) Start JBoss CLI using User A, connection required username and password authentication.
4) Start JConsole using ROOT, able to see and access the JMX MBeanServer process.
5) Start JBoss CLI using ROOT, connection required username and password authentication.
For the above scenario, since the auth ownership changed to the ROOT user, user A is not supposed to directly access JConsole, right?
The ROOT user owned the auth this time, but how come a username and password are still required for JBoss CLI access?
Scenario #3 (Start JBoss as ROOT user, Change auth ownership back to User A)
1) Start JBoss using ROOT user.
2) Start JConsole using ROOT user, able to see and access the JMX MBeanServer process.
3) Start JBoss CLI using ROOT user, able to access it without username and password authentication.
4) Start JConsole using User A, can't see and access the JMX MBeanServer process.
5) Start JBoss CLI using User A, able to access it without username and password authentication.
I'm really confused about how the local mechanism works; I hope there can be full documentation on it.