WildFly 11 - HTTP Management Interface Configuration

Version 7

    This article is to hold the design for enhancing the HTTP management interface configuration, this is in relation to the following issues: -

     

    [WFLY-2635] HTTP Management Interface Configuration

    [WFLY-3222] Add access logging to managment web server

    [WFLY-3223] Configuration of individual contexts for http management interface.

    [WFLY-1014] Enable CORS

    [WFLY-3383] Enable user agent and address filters.

     

    Contexts

     

    / - root

     

    Redirects from / to /console

     

    /error

     

    Holds some images and error pages.

     

    /console

     

    Serves up the GWT based admin console

     

    /management

     

    Handles the management requests.

     

     

     

    Configuration Items

    access-log

    Could be top level or could be context specific, logging of the HTTP requests.


    CORS

    We currently ban entirely, HTTP authentication mechanisms make this a bigger issue as would HTTP sessions.  Option to relax config.

    host filter

    Filter which hosts are allowed / rejected.

     

    http-upgrade-enabled

    Applies on the root context to enable support for HTTP Upgrade.

     

    redirect-to

    On the '/console' context adds an option to redirect all requests elsewhere - this may be due to the console being delivered using an alternative mechanism.


    request dumping

    Most applicable for management request tracing and related authentication.  Encouraging the use of SSL also makes it harder to use alternative approaches to trace requests.

     

    security-constraints

    Additional security constraints e.g. hash algorithms.

     

    security-realm

    The realm used to secure the '/management' context.

     

    threads

    Configure the thread pools as used by Undertow

     

    transport-guarantee

    Confidentiality or integrity requirements.


    Note: By default we can use the 'Host' header from the request for the redirect but may need a configured address as could be listening on a different address.


    user agent filter

    Filter which user agents are allowed - or could be allowed/rejected


    Existing Configuration

     

    XML

     

                <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
                    <socket-binding http="management-http"/>
                </http-interface>
    
    
    
    
    
    
    

     

    Management Model

    "core-service" => {
        "management" => {
            "management-interface" => {
                "http-interface" => {
                    "console-enabled" => true,
                    "http-upgrade-enabled" => true,
                    "interface" => undefined,
                    "port" => undefined,
                    "secure-port" => undefined,
                    "secure-socket-binding" => undefined,
                    "security-realm" => "ManagementRealm",
                    "socket-binding" => "management-http"
                }
            }
        }
    }
    
    
    
    
    

    Proposed Configuration #1

    XML

     

    <http-interface >
        <socket interface="" port="" secure-port="" />
        <socket-binding http="" https="" />
        <access-log />
        <xnio />
        <contexts>
            <root http-upgrade-enabled="true" transport-guarantee="" />
            <console redirect-to="" transport-guarantee="" />
            <additional-console />
            <error />
            <management security-realm="" transport-guarantee="" user-agent-filter="" host-filter="">
                <request-dumper />
            </management>
            <management-new security-realm="" transport-guarantee="" user-agent-filter="" host-filter="">
                <cors />
                <request-dumper />
            </management-new>
        </contexts>
    </http-interface>
    
    

     

    Management

    "core-service" => {
        "management" => {
            "management-interface" => {
                "http-interface" => {
                    "interface" => undefined,
                    "port" => undefined,
                    "secure-port" => undefined,
                    "secure-socket-binding" => undefined,
                    "socket-binding" => "management-http"
                    "access-log" => {
                    }
                    "xnio" => {  // Just a place holder for now.
                    }
                    "context" => {
                        "root" => {
                            "http-upgrade-enabled" => true
                            "transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"
                        }
                        "console" => {
                            "redirect-to" => "http://otherserver/console",
                            "transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"  // Add an inherit option?
                        }
                        "additional-console" => {
                            // ???
                        }
                        "error" => {  // If not defined nothing can redirect to it.
                        }
                        "management" => {
                            /*
                             *  Legacy context, only secured using standard HTTP mechanisms,
                             *  CORS permenantly disabled.
                             */
                            "security-realm" => "ManagementRealm",
                            "transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"
                            "request-dumper" => {}
                            "user-agent-filter" => {}
                            "host-filter" => {}
                        }
                        "management-new" => {
                            "security-realm" => "ManagementRealm",
                            /*
                             *  This may take additional security settings such as SSO config, also finer control of
                             *  authentication supported.
                             */
                            "transport-guarantee" => "NONE/CONFIDENTIAL/INTEGRITY"
                            "cors" => {
                            }
                            "request-dumper" => {}
                            "user-agent-filter" => {}
                            "host-filter" => {}
                        }              
                    }
                }
            }
        }
    }
    
    
    
    

     

    The following attributes are moved or removed: -

    "console-enabled" => true,
    "http-upgrade-enabled" => true,
    "security-realm" => "ManagementRealm",
    
    
    
    • console-enabled - Controlled by the presence of "context" => "console"
    • http-upgrade-enabled - Moved to "context" => "root", also allows a transport guarantee at this level.
    • security-realm - Applies to specific contexts instead of top level.

     

    Security settings could need to be defined to multiple contexts, if applicable may have some form of higher level security-policy that is referenced instead of the realm.  i.e. then we take into account realm capabilities plus policy.  For ongoing security efforts the realm may be replaced with a domain containing a set of realms.