Bug 1021630 - Upgrade to Remoting JMX 1.1.2 to relax check disabling local authentication.
Summary: Upgrade to Remoting JMX 1.1.2 to relax check disabling local authentication.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: JMX
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ER7
: EAP 6.2.0
Assignee: Darran Lofthouse
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-21 16:51 UTC by Darran Lofthouse
Modified: 2013-12-15 16:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-15 16:21:06 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker REMJMX-74 0 Major Resolved REMJMX-65 Overzealous disabling local authentication 2016-04-15 19:27:52 UTC

Description Darran Lofthouse 2013-10-21 16:51:57 UTC
Description of problem:

Remoting JMX was enhanced to disable local authentication if a username and password is supplied or if a callback handler is supplied; the check involving the callback handler is too much, as end users may want to supply the callback handler for use only if other authentication mechanisms fail.

Instead a configuration option will be added to cover the case where a CallbackHandler is supplied if the user wants to disable local authentication.

Comment 1 JBoss JIRA Server 2013-10-21 16:54:16 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira REMJMX-74 to Coding In Progress

Comment 3 JBoss JIRA Server 2013-10-21 18:42:42 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira REMJMX-74 to Resolved

Comment 4 JBoss JIRA Server 2013-10-22 08:40:31 UTC
Rob Stryker <rob.stryker> made a comment on jira REMJMX-74

Hi Darran:

In the JBossTools use case, we do not have the callback handler classes on our classpath, and so we can't provide a classpath. We're also pulling credentials from some data that may not have been initialized by the user yet, so for us, we'd really prefer a flag or environment property such as PREFER_LOCAL_AUTHENTICATION which works for all cases, even if some credentials have been set.

Is this possible? 

I admit I did just find a way to work around my issue (by not setting the credentials if they're null) but I still think a flag to always prefer local auth is a valid choice...

Comment 5 JBoss JIRA Server 2013-10-22 09:08:22 UTC
Darran Lofthouse <darran.lofthouse> made a comment on jira REMJMX-74

Hello Rob, unfortunately your comment is a little late; due to time constraints we need this fixed and tagged yesterday ;-)

The change you have made is correct, you do not have any credentials to use so you should not be setting them - I would recommend however you do revisit looking at supplying a callback handler at some point as that gives you an opportunity to prompt for a username and password if and only if it is actually required.

One final point you may want to consider, the main reason we made this change was so that once access control was enabled and users had an option in the client to force authentication to disable local authentication - I have now added an option 'org.jboss.remoting-jmx.excluded-sasl-mechanisms' which if set on the environment with the value 'JBOSS-LOCAL-USER' will disable local authentication.

Comment 7 Jan Martiska 2013-11-14 13:10:15 UTC
Reproduced and verified on 6.2.0.CR1.
Presence of a callback handler no longer disables local authentication.
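
An added example, not code from this bug report or from the Remoting JMX project, showing a JMX client environment that supplies a CallbackHandler purely as a fallback and excludes JBOSS-LOCAL-USER only on request, using the option named in Comment 5. Assumptions: the handler is passed under the key `javax.security.auth.callback.CallbackHandler`, the Remoting JMX client library is on the classpath when connecting, and the class name, the `force` argument and the service URL passed on the command line are hypothetical.

```java
import java.io.Console;
import java.util.HashMap;
import java.util.Map;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.callback.*;
import javax.security.sasl.RealmCallback;

public class JmxClientEnv {
    // Option name and value as quoted in Comment 5 of this bug.
    static final String EXCLUDED_MECHS = "org.jboss.remoting-jmx.excluded-sasl-mechanisms";
    static final String LOCAL_MECH = "JBOSS-LOCAL-USER";
    // Assumption: the client looks the handler up under the interface's class name.
    static final String HANDLER_KEY = CallbackHandler.class.getName();

    /** Prompts only when a SASL mechanism actually asks for credentials. */
    static CallbackHandler promptingHandler() {
        return callbacks -> {
            Console console = System.console();
            for (Callback cb : callbacks) {
                if (cb instanceof RealmCallback) {
                    // Accept the realm proposed by the server.
                    ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
                } else if (console != null && cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(console.readLine("Username: "));
                } else if (console != null && cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(console.readPassword("Password: "));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** false: local auth stays available, handler is the fallback. true: local auth excluded. */
    static Map<String, Object> buildEnv(boolean forceAuthentication) {
        Map<String, Object> env = new HashMap<>();
        env.put(HANDLER_KEY, promptingHandler());
        if (forceAuthentication) env.put(EXCLUDED_MECHS, LOCAL_MECH);
        return env;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> env = buildEnv(args.length > 1 && "force".equals(args[1]));
        System.out.println("local auth excluded: " + env.containsKey(EXCLUDED_MECHS));
        if (args.length == 0) return; // no service URL given, so do not connect
        try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(args[0]), env)) {
            System.out.println("MBean count: " + c.getMBeanServerConnection().getMBeanCount());
        }
    }
}
```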

