Bug 1021630 - Upgrade to Remoting JMX 1.1.2 to relax check disabling local authentication.
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: JMX
: ER7
: EAP 6.2.0
Assigned To: Darran Lofthouse
Reported: 2013-10-21 12:51 EDT by Darran Lofthouse
Modified: 2013-12-15 11:21 EST

Doc Type: Bug Fix
Last Closed: 2013-12-15 11:21:06 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker REMJMX-74 Major Resolved REMJMX-65 Overzealous disabling local authentication 2016-04-15 15:27 EDT

Description Darran Lofthouse 2013-10-21 12:51:57 EDT
Description of problem:

Remoting JMX was enhanced to disable local authentication if a username and password is supplied or if a callback handler is supplied. The check involving the callback handler is too much, as end users may want to supply the callback handler for use only if other authentication mechanisms fail.

Instead a configuration option will be added to cover the case where a CallbackHandler is supplied if the user wants to disable local authentication.
Comment 1 JBoss JIRA Server 2013-10-21 12:54:16 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira REMJMX-74 to Coding In Progress
Comment 3 JBoss JIRA Server 2013-10-21 14:42:42 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> updated the status of jira REMJMX-74 to Resolved
Comment 4 JBoss JIRA Server 2013-10-22 04:40:31 EDT
Rob Stryker <rob.stryker@jboss.com> made a comment on jira REMJMX-74

Hi Darren:

In the JBossTools use case, we do not have the callback handler classes on our classpath, and so we can't provide a classpath. We're also pulling credentials from some data that may not have been initialized by the user yet, so for us, we'd really prefer a flag or environment property such as PREFER_LOCAL_AUTHENTICATION which works for all cases, even if some credentials have been set.

Is this possible? 

I admit I did just find a way to work around my issue (by not setting the credentials if they're null) but I still think a flag to always prefer local auth is a valid choice...
Comment 5 JBoss JIRA Server 2013-10-22 05:08:22 EDT
Darran Lofthouse <darran.lofthouse@jboss.com> made a comment on jira REMJMX-74

Hello Rob, unfortunately your comment is a little late; due to time constraints we need this fixed and tagged yesterday ;-)

The change you have made is correct, you do not have any credentials to use so you should not be setting them - I would recommend however you do revisit looking at supplying a callback handler at some point as that gives you an opportunity to prompt for a username and password if and only if it is actually required.

One final point you may want to consider, the main reason we made this change was so that once access control was enabled and users had an option in the client to force authentication to disable local authentication - I have now added an option 'org.jboss.remoting-jmx.excluded-sasl-mechanisms' which if set on the environment with the value 'JBOSS-LOCAL-USER' will disable local authentication.
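
The option from comment 5 used in a client, as an added example (not code from the Remoting JMX project or from this bug): it leaves credentials unset when there are none, supplies a callback handler that prompts only if the server asks, and excludes JBOSS-LOCAL-USER to force remote authentication. The class and method names are hypothetical, the service URL is taken from the command line, and passing the handler under the key CallbackHandler.class.getName() is an assumption about the Remoting JMX client.

```java
import java.io.Console;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.*;
import javax.security.auth.callback.*;
import javax.security.sasl.RealmCallback;

public class ForceRemoteAuthClient {
    // Option name and value exactly as quoted in comment 5.
    static final String EXCLUDED_MECHS = "org.jboss.remoting-jmx.excluded-sasl-mechanisms";
    static final String LOCAL_USER = "JBOSS-LOCAL-USER";

    /** Builds the connector environment; nothing is set for values the caller does not have. */
    static Map<String, Object> buildEnv(String user, char[] password,
                                        CallbackHandler handler, boolean disableLocalAuth) {
        Map<String, Object> env = new HashMap<>();
        if (user != null && password != null) {        // never put null credentials in the map
            env.put(JMXConnector.CREDENTIALS, new String[] { user, new String(password) });
        }
        if (handler != null) {                         // assumed key, see lead-in
            env.put(CallbackHandler.class.getName(), handler);
        }
        if (disableLocalAuth) {                        // explicit opt-out of local authentication
            env.put(EXCLUDED_MECHS, LOCAL_USER);
        }
        return env;
    }

    /** Prompts on the console, and only when a SASL mechanism actually invokes the handler. */
    static CallbackHandler promptingHandler() {
        return callbacks -> {
            Console console = System.console();
            if (console == null) throw new IOException("no console available for prompting");
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(console.readLine("Username: "));
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(console.readPassword("Password: "));
                else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        JMXServiceURL url = new JMXServiceURL(args[0]); // service URL supplied by the caller
        try (JMXConnector c = JMXConnectorFactory.connect(url, buildEnv(null, null, promptingHandler(), true))) {
            System.out.println("MBeans visible: " + c.getMBeanServerConnection().getMBeanCount());
        }
    }
}
```

Calling buildEnv with disableLocalAuth set to false keeps the behaviour verified in comment 7: the handler is present, but local authentication is still tried first.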
Comment 7 Jan Martiska 2013-11-14 08:10:15 EST
Reproduced and verified on 6.2.0.CR1.
Presence of a callback handler no longer disables local authentication.
