I assume you are running that from the same machine. By default ManagementRealm allows local access. If you remove <local default-user="$local" skip-group-loading="true"/> from standalone.xml, access will be checked against the property file mgmt-users.properties.
Thanks Martin for the clue. Once I removed the "<local default-user="$local" skip-group-loading="true"/>" tag, authentication was required. It worked.
One point to keep in mind: where the <local /> element is present within the security realm definition, authentication still occurs.
In the case of local authentication the server writes a small token to a file within the server's directory hierarchy; the client then reads this token and sends it back to the server to prove that it could read the file.
Remote clients do not have access to the filesystem so would never be able to authenticate using the local mechanism.
Also, local clients on the same machine that do not have access to the directory structure of the application server would not be able to read the token that is written, so they also would not be able to use the mechanism.
All clients that cannot use the local authentication mechanism then fall back to username / password based authentication.
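
The file-token exchange described in the reply above, as an added example that is not part of the original thread and is not the application server's own code. It is a simplified model: the class and function names, the `can_read_server_dir` flag, and the plaintext user table standing in for mgmt-users.properties are all assumptions made for illustration.

```python
import hmac, os, secrets, tempfile

class LocalAuthServer:
    """Simplified model of the server side of file-token local authentication."""

    def __init__(self, auth_dir):
        self.auth_dir = auth_dir   # directory inside the server's hierarchy
        self._pending = {}         # challenge path -> expected token

    def issue_challenge(self):
        # Write a fresh random token to a new file (mkstemp creates it mode 0600).
        fd, path = tempfile.mkstemp(prefix="local", suffix=".challenge", dir=self.auth_dir)
        token = secrets.token_bytes(16)
        with os.fdopen(fd, "wb") as f:
            f.write(token)
        self._pending[path] = token
        return path                # only the path is sent to the client

    def verify(self, path, response):
        # Single use: forget the token and delete the file whatever the outcome.
        expected = self._pending.pop(path, None)
        if os.path.exists(path):
            os.unlink(path)
        return (expected is not None and response is not None
                and hmac.compare_digest(expected, response))

def client_response(path, can_read_server_dir):
    # A remote client, or a local user without access to the server's
    # directories, cannot read the file; modelled here with a flag (assumption).
    if not can_read_server_dir:
        return None
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None

def authenticate(server, can_read_server_dir, username=None, password=None, users=None):
    path = server.issue_challenge()
    if server.verify(path, client_response(path, can_read_server_dir)):
        return "local"
    # Fallback: username / password. The plaintext dict is a constructed
    # stand-in for mgmt-users.properties, which does not store plaintext.
    stored = (users or {}).get(username)
    if stored is not None and password is not None and hmac.compare_digest(stored, password):
        return "password"
    return "denied"
```

The model shows why the local mechanism is only as strong as the file permissions on the server's directory hierarchy: any account that can read the token file passes the check without a password.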