Bug 1021630

Summary: Upgrade to Remoting JMX 1.1.2 to relax check disabling local authentication.
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Darran Lofthouse <darran.lofthouse>
Component: JMX
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: 6.2.0
CC: brian.stansberry, hrupp, jmartisk, myarboro, pslavice
Target Milestone: ER7
Target Release: EAP 6.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-12-15 16:21:06 UTC
Type: Bug

Description Darran Lofthouse 2013-10-21 16:51:57 UTC
Description of problem:

Remoting JMX was enhanced to disable local authentication if a username and password is supplied or if a callback handler is supplied. The check involving the callback handler is too much, as end users may want to supply the callback handler for use only if other authentication mechanisms fail.

Instead a configuration option will be added to cover the case where a CallbackHandler is supplied if the user wants to disable local authentication.

Comment 1 JBoss JIRA Server 2013-10-21 16:54:16 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira REMJMX-74 to Coding In Progress

Comment 3 JBoss JIRA Server 2013-10-21 18:42:42 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira REMJMX-74 to Resolved

Comment 4 JBoss JIRA Server 2013-10-22 08:40:31 UTC
Rob Stryker <rob.stryker> made a comment on jira REMJMX-74

Hi Darran:

In the JBossTools use case, we do not have the callback handler classes on our classpath, and so we can't provide a classpath. We're also pulling credentials from some data that may not have been initialized by the user yet, so for us, we'd really prefer a flag or environment property such as PREFER_LOCAL_AUTHENTICATION which works for all cases, even if some credentials have been set.

Is this possible? 

I admit I did just find a way to work around my issue (by not setting the credentials if they're null) but I still think a flag to always prefer local auth is a valid choice...

Comment 5 JBoss JIRA Server 2013-10-22 09:08:22 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira REMJMX-74

Hello Rob, unfortunately your comment is a little late; due to time constraints we need this fixed and tagged yesterday ;-)

The change you have made is correct, you do not have any credentials to use so you should not be setting them - I would recommend however you do revisit looking at supplying a callback handler at some point as that gives you an opportunity to prompt for a username and password if and only if it is actually required.

One final point you may want to consider: the main reason we made this change was so that once access control was enabled users had an option in the client to force authentication to disable local authentication - I have now added an option 'org.jboss.remoting-jmx.excluded-sasl-mechanisms' which, if set on the environment with the value 'JBOSS-LOCAL-USER', will disable local authentication.

Comment 7 Jan Martiska 2013-11-14 13:10:15 UTC
Reproduced and verified on 6.2.0.CR1.
Presence of a callback handler no longer disables local authentication.
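
The client-side configuration discussed in comments 5 and 7, as an added example that is not code from this bug or from the Remoting JMX project: a callback handler that prompts only when the server actually asks for credentials, plus the exclusion option for clients that must never fall back to local authentication. Assumptions: the class name, the command-line handling, the service URL form (for example `service:jmx:remoting-jmx://localhost:9999`), passing the handler under the `CallbackHandler` class name as the environment key, and Java 8 or later with the Remoting JMX client on the classpath.

```java
import java.io.Console;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.callback.*;
import javax.security.sasl.RealmCallback;

public class RemotingJmxClientEnv {
    // Option name and value as quoted in comment 5 of this bug.
    static final String EXCLUDED_SASL_MECHANISMS = "org.jboss.remoting-jmx.excluded-sasl-mechanisms";
    static final String LOCAL_USER_MECHANISM = "JBOSS-LOCAL-USER";

    // Invoked only if a SASL mechanism requests credentials, so a successful
    // local authentication never triggers a prompt.
    static CallbackHandler promptingHandler() {
        return callbacks -> {
            Console console = System.console();
            if (console == null) throw new IOException("no console available to prompt on");
            for (Callback cb : callbacks) {
                if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText()); // accept the realm the server offers
                } else if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(console.readLine("Username: "));
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(console.readPassword("Password: "));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // excludeLocalUser=true forces username/password authentication even for
    // a client running on the same host as the server.
    static Map<String, Object> environment(boolean excludeLocalUser) {
        Map<String, Object> env = new HashMap<>();
        // Assumption: the connector looks the handler up under this key.
        env.put(CallbackHandler.class.getName(), promptingHandler());
        if (excludeLocalUser) env.put(EXCLUDED_SASL_MECHANISMS, LOCAL_USER_MECHANISM);
        return env;
    }

    // Usage (hypothetical): java RemotingJmxClientEnv <service-url> [force]
    public static void main(String[] args) throws Exception {
        JMXServiceURL url = new JMXServiceURL(args[0]);
        try (JMXConnector connector = JMXConnectorFactory.connect(url, environment(args.length > 1))) {
            System.out.println("MBean count: " + connector.getMBeanServerConnection().getMBeanCount());
        }
    }
}
```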