Red Hat Bugzilla – Bug 1021630
Upgrade to Remoting JMX 1.1.2 to relax check disabling local authentication.
Last modified: 2013-12-15 11:21:06 EST
Description of problem:
Remoting JMX was enhanced to disable local authentication if a username and password are supplied or if a callback handler is supplied. The check involving the callback handler is too much, as end users may want to supply the callback handler for use only if other authentication mechanisms fail.
Instead a configuration option will be added to cover the case where a CallbackHandler is supplied if the user wants to disable local authentication.
Darran Lofthouse <firstname.lastname@example.org> updated the status of jira REMJMX-74 to Coding In Progress
Darran Lofthouse <email@example.com> updated the status of jira REMJMX-74 to Resolved
Rob Stryker <firstname.lastname@example.org> made a comment on jira REMJMX-74
In the JBossTools use case, we do not have the callback handler classes on our classpath, and so we can't provide a classpath. We're also pulling credentials from some data that may not have been initialized by the user yet, so for us, we'd really prefer a flag or environment property such as PREFER_LOCAL_AUTHENTICATION which works for all cases, even if some credentials have been set.
Is this possible?
I admit I did just find a way to work around my issue (by not setting the credentials if they're null) but I still think a flag to always prefer local auth is a valid choice...
Darran Lofthouse <email@example.com> made a comment on jira REMJMX-74
Hello Rob, unfortunately your comment is a little late; due to time constraints we need this fixed and tagged yesterday ;-)
The change you have made is correct, you do not have any credentials to use so you should not be setting them - I would recommend however you do revisit looking at supplying a callback handler at some point as that gives you an opportunity to prompt for a username and password if and only if it is actually required.
One final point you may want to consider, the main reason we made this change was so that once access control was enabled and users had an option in the client to force authentication to disable local authentication - I have now added an option 'org.jboss.remoting-jmx.excluded-sasl-mechanisms' which if set on the environment with the value 'JBOSS-LOCAL-USER' will disable local authentication.
Reproduced and verified on 6.2.0.CR1.
Presence of a callback handler no longer disables local authentication.
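As an added illustration (not code from the bug report or from the Remoting JMX project), this is how a JMX client could set the 'org.jboss.remoting-jmx.excluded-sasl-mechanisms' option named in the comment above so that the connection cannot fall back to local authentication. The service URL, host, port and class name are assumptions, and the Remoting JMX client library is assumed to be on the classpath.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class ForcedAuthJmxClient {
    // Option name and value exactly as quoted in the comment above.
    static final String EXCLUDED_MECHS = "org.jboss.remoting-jmx.excluded-sasl-mechanisms";
    static final String LOCAL_MECH = "JBOSS-LOCAL-USER";

    // Builds the connection environment. Credentials are only set when both
    // values are present (the workaround described in the thread); local
    // authentication is excluded only when the caller asks for it.
    static Map<String, Object> buildEnv(String user, String password, boolean forceAuthentication) {
        Map<String, Object> env = new HashMap<String, Object>();
        if (user != null && password != null) {
            env.put(JMXConnector.CREDENTIALS, new String[] { user, password });
        }
        if (forceAuthentication) {
            env.put(EXCLUDED_MECHS, LOCAL_MECH);
        }
        return env;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: ForcedAuthJmxClient <user> <password> [serviceUrl]");
            System.exit(2);
        }
        // Assumed URL: native management interface of a local server instance.
        String url = args.length > 2 ? args[2] : "service:jmx:remoting-jmx://localhost:9999";
        Map<String, Object> env = buildEnv(args[0], args[1], true);

        JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(url), env);
        try {
            // With JBOSS-LOCAL-USER excluded, reaching this point means the
            // supplied username and password were accepted by the server.
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Authenticated; MBean count = " + mbsc.getMBeanCount());
        } finally {
            connector.close();
        }
    }
}
```

Running the same client with `forceAuthentication` set to `false` on the server host shows the difference: a connection can then succeed through local authentication even when the supplied password is wrong.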