Description of problem:
AuditProvider in security-domain mentions "[Success]" as follows:

    11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;

even if a username/password is wrong.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Change ManagementRealm:

    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local"/>
            <jaas name="jaasSecurityDomain"/>
        </authentication>

2. Add the log category:

    <logger category="org.jboss.security.audit">
        <level name="TRACE"/>
    </logger>

3. Add the security-domain:

    <security-domain name="jaasSecurityDomain" cache-type="default">
        <authentication>
            <login-module code="Simple" flag="required"/>
        </authentication>
        <audit/>
    </security-domain>

   Then the web console requires authentication against the security-domain instead of the mgmt-users.properties file.

4. Start EAP, then access the web console with a wrong username/password, for example admin/wrongpass.

Actual results:

Expected results:

Additional info:
The following code change would work:- [hokuda@localhost SRC]$ git diff diff --git a/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java b/jboss-as-se index e00a70c..eae0abc 100644 --- a/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java +++ b/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java @@ -507,7 +507,7 @@ public class SimpleSecurityManager implements ServerSecurityManager { * @param userPrincipal */ private void audit(String level, AuditManager auditManager, Principal userPrincipal) { - AuditEvent auditEvent = new AuditEvent(AuditLevel.SUCCESS); + AuditEvent auditEvent = new AuditEvent(level); Map<String, Object> ctxMap = new HashMap<String, Object>(); ctxMap.put("principal", userPrincipal != null ? userPrincipal : "null"); ctxMap.put("Source", getClass().getCanonicalName());
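Review bot: the one-line change in audit() (`- AuditEvent auditEvent = new AuditEvent(AuditLevel.SUCCESS);` to `+ AuditEvent auditEvent = new AuditEvent(level);`) correctly stops the method from ignoring its level parameter, but the hunk does not show the call sites, so confirm that the failed-authentication path actually passes AuditLevel.FAILURE into audit(...); otherwise the log line from the description still reads [Success] after the patch. The Javadoc visible in the leading context ends at `* @param userPrincipal`, and since level now decides what gets logged it deserves its own @param entry. Worth stating in the commit message why this matters: any detection rule keyed on [Failure] events from org.jboss.security.audit was blind to wrong-password attempts against the management console while the hard-coded SUCCESS was in place.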
Adding a dev ack on the basis this is already at the MODIFIED state.
Verified in EAP 6.4.0.DR1.1.