[AS7-5031] In the case that a security realm is defined with only the…

… local authentication mechanism reject all HTTP access to the management API.
commit 217d60e53e56c08b351c5a5ad803f17414952b40 1 parent fad9306
@darranl darranl authored bstansberry committed
12 ...in-http/interface/src/main/java/org/jboss/as/domain/http/server/ManagementHttpServer.java
@@ -42,6 +42,7 @@
import org.jboss.as.domain.http.server.security.BasicAuthenticator;
import org.jboss.as.domain.http.server.security.ClientCertAuthenticator;
import org.jboss.as.domain.http.server.security.DigestAuthenticator;
+import org.jboss.as.domain.http.server.security.FourZeroThreeAuthenticator;
import org.jboss.as.domain.management.AuthenticationMechanism;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.com.sun.net.httpserver.Authenticator;
@@ -140,6 +141,17 @@ public static ManagementHttpServer create(InetSocketAddress bindAddress, InetSoc
} else {
certAuthMode = CertAuth.NONE;
}
+
+ // By this point if an authenticator could have been defined it would have been.
+ if (auth == null) {
+ if (authenticationMechanisms.size() > 0) {
+ // An authentication mechanism not supported for HTTP has been requested, disable access.
+ auth = new FourZeroThreeAuthenticator();
+ } else {
+ // The existence of the realm could have enabled SSL without mandating authentication.
+ auth = new AnonymousAuthenticator();
+ }
+ }
} else {
auth = new AnonymousAuthenticator();
certAuthMode = CertAuth.NONE;
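Review bot: The new `if (auth == null)` branch falls back to `FourZeroThreeAuthenticator` silently, so an operator whose realm lists only a mechanism this interface cannot serve (the commit message names the local mechanism) sees nothing but 403s with no hint in the server log. Consider emitting a warning at that point naming the unsupported mechanisms, using whatever logger this class already has, so the lockout is diagnosable; the fail-closed default itself is the right choice. As a point of style, `authenticationMechanisms.size() > 0` reads more clearly as `!authenticationMechanisms.isEmpty()`. The enclosing `create` method starts and ends outside the hunk, so the earlier branches that populate `auth` cannot be checked here.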
42 ...ce/src/main/java/org/jboss/as/domain/http/server/security/FourZeroThreeAuthenticator.java
@@ -0,0 +1,42 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.http.server.security;
+
+import static org.jboss.as.domain.http.server.Constants.FORBIDDEN;
+import org.jboss.com.sun.net.httpserver.Authenticator;
+import org.jboss.com.sun.net.httpserver.HttpExchange;
+
+/**
+ * A special authenticator that prevents all access. This is used where the management http interface is associated with an
+ * authentication capable security realm but not http compatible mechanisms are identified.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+public class FourZeroThreeAuthenticator extends Authenticator {
+
+ @Override
+ public Result authenticate(HttpExchange exchange) {
+ return new Authenticator.Failure(FORBIDDEN);
+ }
+
+}
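Review bot: The class Javadoc on `FourZeroThreeAuthenticator` has a wording slip — "but not http compatible mechanisms are identified" should read "but no HTTP-compatible mechanisms are identified". `authenticate` also deserves a one-line Javadoc stating that it ignores the exchange and always returns `Failure(FORBIDDEN)`, so a reader knows the 403 (rather than a 401 challenge) is deliberate: no credentials the client could present would be accepted on this interface. Since the class carries no state and is not designed for extension, it could be declared `final`.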