7.1.0. Beta Bug on CLI Authentication ?


7.1.0. Beta Bug on CLI Authentication ?

Francesco Marchioni
Hi all !
In the release notes it's mentioned that management interfaces will be secured by default, however in the very first test I did, no authentication was asked. (Although in the configuration there is a ManagementRealm associated with the management interfaces).
Have I hit a bug ?
Regards
Francesco
 

_______________________________________________
jboss-as7-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/jboss-as7-dev

Re: 7.1.0. Beta Bug on CLI Authentication ?

Reji Nair

Francesco,

I don’t think so (although I haven’t tried it). This is because your mgmt-user.properties file has no users listed.

Reji


Re: 7.1.0. Beta Bug on CLI Authentication ?

Heiko Braun
In reply to this post by Francesco Marchioni


AFAIK the CLI checks if you are on localhost. In that case the authentication is not required.


@Wondering if that works for the console as well?

Ike


Re: 7.1.0. Beta Bug on CLI Authentication ?

Darran Lofthouse
On 11/23/2011 12:10 PM, Heiko Braun wrote:
>
>
> AFAIK the CLI checks if you are on localhost. In that case the authentication is not required.

That is correct, I am just writing an article to send round with the
details.

The CLI will have authenticated against the server but as you are local
to the server it will have used a silent authentication mechanism.

> @Wondering if that works for the console as well?

Unfortunately no, the console has a different set of issues as the web
browser doesn't have access to the filesystem. I am considering if we
can start the console from a script to pass some form of token but at
the moment the console does retain the need for a username and password.


Re: 7.1.0. Beta Bug on CLI Authentication ?

Dimitris Andreadis
Starting the console from a script is not really an option, IMO.


--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dimitris Andreadis
Software Engineering Manager
JBoss Application Server
by Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx

http://dandreadis.blogspot.com/

Re: 7.1.0. Beta Bug on CLI Authentication ?

Darran Lofthouse
On 11/23/2011 12:40 PM, Dimitris Andreadis wrote:
> Starting the console from a script is not really an option, IMO.

In general no - there is no plan to drop direct access using a URL and
no plan to drop existing HTTP authentication.

The starting from a script idea is more for the scenario of how do we
connect to a secured system and authenticate so we can add a user to
that system when there are no users currently defined on that system.


Re: 7.1.0. Beta Bug on CLI Authentication ?

Dimitris Andreadis
For a once-off, that makes more sense.


Re: 7.1.0. Beta Bug on CLI Authentication ?

Francesco Marchioni
Hi all,
so far I have tested the following options:
> I don’t think so (although I haven’t tried it). This is because your mgmt-user.properties file has no users listed.
No, even after adding a user (with the add-user.cmd command) still no authentication required by CLI

>>>> @Wondering if that works for the console as well?
Yes the http console issues a BASIC authentication popup.

>>>> AFAIK the CLI checks if you are on localhost. In that case the authentication is not
>>>> required.
I've checked binding server and management interface to another IP address available on my card and still no authentication requested by CLI

The only test I'm missing at the moment is connecting to a remote AS instance.

Regards
Francesco


Re: 7.1.0. Beta Bug on CLI Authentication ?

Jaikiran Pai
As Darran mentioned, it is _intentional_ not to prompt for user/pass for
the CLI from the local instance where the server is installed. The finer
details of how that's done and why that's done will be explained in the
document that Darran is working on.

-Jaikiran

Re: 7.1.0. Beta Bug on CLI Authentication ?

Darran Lofthouse
In reply to this post by Francesco Marchioni
On 11/23/2011 01:55 PM, Francesco Marchioni wrote:
> Hi all,
> so far I have tested the following options:
>> I don’t think so (although I haven’t tried it). This is because your
>> mgmt-user.properties file has no users listed.
> No, even after adding an user (with the add-user.cmd command) still no
> authentication required by CLI

That is expected if you are local you already have access to the server
configuration so a connection can be negotiated without requiring a
username and password.

>  >>>> @Wondering if that works for the console as well?
> Yes the http console issues a BASIC authentication popup.

The popup is actually a DIGEST popup

>  >>>> AFAIK the CLI checks if you are on localhost. In that case the
> authentication is not
>  >>>> required.
> I've checked binding server and management interface to another IP
> address available on my card and still no authentication requested by CLI

The CLI will detect that the address is not really remote.

> The only test I'm missing at the moment is connecting to a remote AS
> instance.

Yes that is the test you are missing.


Re: 7.1.0. Beta Bug on CLI Authentication ?

Darran Lofthouse
In reply to this post by Jaikiran Pai
And here it is ;-)

http://community.jboss.org/docs/DOC-17367


Re: 7.1.0. Beta Bug on CLI Authentication ?

Jason T. Greene
In reply to this post by Heiko Braun



On Nov 23, 2011, at 6:11 AM, Heiko Braun <[hidden email]> wrote:

>
>
> AFAIK the CLI checks if you are on localhost. In that case the authentication is not required.

An important clarification is that it's not JUST a local interface check, we verify the client is the same user as the server using a file system based challenge response mechanism.
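
Added example, not part of the original thread and not JBoss AS code: a minimal sketch of a file-system-based challenge-response of the kind described in the message above, where only a client that can read a file written by the server's OS user is let in without a password. The class and function names, the token format, the directory layout and the outcome strings are assumptions made for illustration.

```python
import hmac
import os
import secrets


class LocalAuthServer:
    """Server side: checks that the peer can read files owned by the server's OS user."""

    def __init__(self, auth_dir):
        self.auth_dir = auth_dir
        # Directory is owner-only so other local users cannot list or open challenges.
        os.makedirs(auth_dir, mode=0o700, exist_ok=True)
        self._pending = {}  # challenge path -> expected token

    def issue_challenge(self):
        """Write a fresh random token to a new owner-only file and return its path."""
        token = secrets.token_hex(16)
        path = os.path.join(self.auth_dir, "challenge-" + secrets.token_hex(8))
        # O_EXCL refuses a pre-existing (possibly planted) file; 0600 is owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(token)
        self._pending[path] = token
        return path

    def verify(self, path, response):
        """Accept the response once; the challenge is destroyed whatever the outcome."""
        expected = self._pending.pop(path, None)  # single use: a replay finds nothing
        if expected is None:
            return False
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
        if response is None:
            return False
        # Constant-time comparison of the token bytes.
        return hmac.compare_digest(expected.encode(), response.encode())


def read_local_file(path):
    """Client running as the same OS user on the same host: it can read the file."""
    with open(path, "r") as fh:
        return fh.read()


def unreachable_filesystem(path):
    """Constructed stand-in for a remote client or a different OS user:
    the challenge file is not readable from where the client runs."""
    raise PermissionError(path)


def connect(server, read_file):
    """One handshake: the server sends a path, the client answers with the contents."""
    path = server.issue_challenge()
    try:
        response = read_file(path)
    except OSError:
        response = None  # client could not answer; fall back to credentials
    if server.verify(path, response):
        return "authenticated-silently"
    return "username-password-required"


if __name__ == "__main__":
    import tempfile

    srv = LocalAuthServer(os.path.join(tempfile.mkdtemp(), "auth"))
    print("same user, same host :", connect(srv, read_local_file))
    print("remote or other user :", connect(srv, unreachable_filesystem))
```

Binding the management interface to a different address on the same machine does not change the outcome in this model, because the check depends on file access and not on the address used.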

Re: 7.1.0. Beta Bug on CLI Authentication ?

Francesco Marchioni
In reply to this post by Darran Lofthouse
Did it. Correct, from a remote AS instance CLI authentication is prompted.

2011/11/23 Darran Lofthouse <[hidden email]>
> On 11/23/2011 01:55 PM, Francesco Marchioni wrote:
>> Hi all,
>> so far I have tested the following options:
>>
>> > I don’t think so (although I haven’t tried it). This is because your
>> > mgmt-user.properties file has no users listed.
>> No, even after adding a user (with the add-user.cmd command) still no
>> authentication required by CLI
>
> That is expected; if you are local you already have access to the server configuration, so a connection can be negotiated without requiring a username and password.
>
>> >>>> @Wondering if that works for the console as well?
>> Yes the http console issues a BASIC authentication popup.
>
> The popup is actually a DIGEST popup
>
>> >>>> AFAIK the CLI checks if you are on localhost. In that case the
>> >>>> authentication is not required.
>> I've checked binding server and management interface to another IP
>> address available on my card and still no authentication requested by CLI
>
> The CLI will detect that the address is not really remote.
>
>> The only test I'm missing at the moment is connecting to a remote AS
>> instance.
>
> Yes that is the test you are missing.
>
>> Regards
>> Francesco
>>
>> 2011/11/23 Dimitris Andreadis <[hidden email]>


   For a once-off, that makes more sense.

   On 23/11/2011 14:47, Darran Lofthouse wrote:
    > On 11/23/2011 12:40 PM, Dimitris Andreadis wrote:
    >> Starting the console from a script is not really an option, IMO.
    >
    > In general no - there is no plan to drop direct access using a URL and no plan to drop
    > existing HTTP authentication.
    >
    > The starting from a script idea is more for the scenario of how do we connect to a secured
    > system and authenticate so we can add a user to that system when there are no users
    > currently defined on that system.
    >
    >> On 23/11/2011 14:17, Darran Lofthouse wrote:
    >>> On 11/23/2011 12:10 PM, Heiko Braun wrote:
    >>>>
    >>>>
    >>>> AFAIK the CLI checks if you are on localhost. In that case the authentication is not
    >>>> required.
    >>>
    >>> That is correct, I am just writing an article to send round with the
    >>> details.
    >>>
    >>> The CLI will have authenticated against the server but as you are local
    >>> to the server it will have used a silent authentication mechanism.
    >>>
    >>>> @Wondering if that works for the console as well?
    >>>
    >>> Unfortunately no the console has a different set of issues as the web
    >>> browser doesn't have access to the filesystem, I am considering if we
    >>> can start the console from a script to pass some form of token but at
    >>> the moment the console does retain the need for a username and password.
    >>>
    >>>> Ike
    >>>>
    >>>> On Nov 23, 2011, at 1:03 PM, Francesco Marchioni wrote:
    >>>>
    >>>>> Hi all !
    >>>>> In the release notes it's mentioned that management interfaces will be secured by
    >>>>> default, however in the very first test I did, no authentication was asked. (Although
    >>>>> in the configuration there is a ManagementRealm associated with the management
    >>>>> interfaces).
    >>>>> Have I hit a bug ?
    >>>>> Regards
    >>>>> Francesco

   --
   xxxxxxxxxxxxxxxxxxxxxxxxxxxx
   Dimitris Andreadis
   Software Engineering Manager
   JBoss Application Server
   by Red Hat
   xxxxxxxxxxxxxxxxxxxxxxxxxxxx

   http://dandreadis.blogspot.com/

Re: 7.1.0. Beta Bug on CLI Authentication ?

jtgreene
Administrator
In reply to this post by Darran Lofthouse
On 11/23/11 6:17 AM, Darran Lofthouse wrote:

> On 11/23/2011 12:10 PM, Heiko Braun wrote:
>>
>>
>> AFAIK the CLI checks if you are on localhost. In that case the authentication is not required.
>
> That is correct, I am just writing an article to send round with the
> details.
>
> The CLI will have authenticated against the server but as you are local
> to the server it will have used a silent authentication mechanism.
>
>> @Wondering if that works for the console as well?
>
> Unfortunately no the console has a different set of issues as the web
> browser doesn't have access to the filesystem, I am considering if we
> can start the console from a script to pass some form of token but at
> the moment the console does retain the need for a username and password.

We are also considering a first-time token generated and printed to the
terminal/console log. Then the web page would ask that you cut and paste
that value, verify it and allow you to create a user.


--
Jason T. Greene
JBoss AS Lead / EAP Platform Architect
JBoss, a division of Red Hat
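An added example (not JBoss AS code, and not part of the original post) of the first-time token idea in the message above: a token is generated at start-up for the caller to print to the terminal/console log, and pasting it back authorises creation of the first user only. The class `FirstUserGate`, its lifetime and attempt limits, and the injected clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class FirstUserGate:
    """One-time token that authorises creating the first management user only."""

    def __init__(self, ttl_seconds, max_attempts, clock):
        self._clock = clock
        self._deadline = clock() + ttl_seconds
        self._attempts_left = max_attempts
        self._digest = None
        self.users = set()

    def start(self):
        """Generate the token; the caller prints it to the terminal/console log."""
        token = secrets.token_urlsafe(24)
        # Keep only a hash in memory so the token itself exists just in the log line.
        self._digest = hashlib.sha256(token.encode()).digest()
        return token

    def create_first_user(self, pasted_token, username):
        if self.users or self._digest is None:
            return False  # a user already exists, or the token was used or revoked
        if self._clock() > self._deadline or self._attempts_left <= 0:
            self._digest = None  # expired or guessed at too often: revoke
            return False
        self._attempts_left -= 1
        candidate = hashlib.sha256(pasted_token.encode()).digest()
        if not hmac.compare_digest(candidate, self._digest):
            return False
        self._digest = None  # single use
        self.users.add(username)
        return True


def run_demo():
    now = [0.0]  # constructed clock so expiry can be shown without sleeping
    gate = FirstUserGate(ttl_seconds=600, max_attempts=3, clock=lambda: now[0])
    token = gate.start()
    wrong = gate.create_first_user("not-the-token", "admin")
    first = gate.create_first_user(token, "admin")
    reuse = gate.create_first_user(token, "intruder")
    late_gate = FirstUserGate(ttl_seconds=600, max_attempts=3, clock=lambda: now[0])
    late_token = late_gate.start()
    now[0] = 601.0
    expired = late_gate.create_first_user(late_token, "admin")
    return wrong, first, reuse, expired, sorted(gate.users)
```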

Re: 7.1.0. Beta Bug on CLI Authentication ?

Max Rydahl Andersen
>>> @Wondering if that works for the console as well?
>>
>> Unfortunately no the console has a different set of issues as the web
>> browser doesn't have access to the filesystem, I am considering if we
>> can start the console from a script to pass some form of token but at
>> the moment the console does retain the need for a username and password.
>
> We are also considering a first-time token generated and printed to the
> terminal/console log. Then the web page would ask that you cut and paste
> that value, verify it and allow you to create a user.

how about printing out a url that would do it ?

i.e. http://localhost:9990/console/?token=22j23lkjr;wlkj4l4jk2lkj4rwrewr

then you can simply just copy/paste or click ?

/max
http://about.me/maxandersen




Re: 7.1.0. Beta Bug on CLI Authentication ?

Jim Tyrrell
In reply to this post by jtgreene

> We are also considering a first-time token generated and printed to the
> terminal/console log. Then the web page would ask that you cut and paste
> that value, verify it and allow you to create a user.

Jason,

Speaking as a part-time Weblogic user, i.e. I have it on my system from time to time to do things, a password that is "magic" to get into the console stinks. Weblogic requires 8-10 characters, numbers, uppercase, and a non-alphanumeric password. Let's just say every time I start up Weblogic I end up reinstalling it. I know we have many requirements, but a password at install time, and then needing to be remembered, is a huge usability issue, especially for desktop users. I would love on boot for this password to show in the logs/console, since at desktop time there is almost no need for this, so maybe a switch that turns it on or off might be available.

Just wanted to make sure you guys had some feedback from a disgruntled part-time Weblogic user. I am sure you have already thought a lot about this, but wanted my use case in the discussions.

Thank You
Jim Tyrrell
Principal Solutions Architect

