[AS7-5031] In the case that a security realm is defined with only the…

… local authentication mechanism reject all HTTP access to the management API.
jbossas · Nov 27, 2012 · 217d60e · 217d60e
1 parent fad9306
commit 217d60e
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/...in-http/interface/src/main/java/org/jboss/as/domain/http/server/ManagementHttpServer.java b/...in-http/interface/src/main/java/org/jboss/as/domain/http/server/ManagementHttpServer.java
@@ -42,6 +42,7 @@
 import org.jboss.as.domain.http.server.security.BasicAuthenticator;
 import org.jboss.as.domain.http.server.security.ClientCertAuthenticator;
 import org.jboss.as.domain.http.server.security.DigestAuthenticator;
+import org.jboss.as.domain.http.server.security.FourZeroThreeAuthenticator;
 import org.jboss.as.domain.management.AuthenticationMechanism;
 import org.jboss.as.domain.management.SecurityRealm;
 import org.jboss.com.sun.net.httpserver.Authenticator;
@@ -140,6 +141,17 @@ public static ManagementHttpServer create(InetSocketAddress bindAddress, InetSoc
             } else {
                 certAuthMode = CertAuth.NONE;
             }
+
+            // By this point if an authenticator could have been defined it would have been.
+            if (auth == null) {
+                if (authenticationMechanisms.size() > 0) {
+                    // An authentication mechanism not supported for HTTP has been requested, disable access.
+                    auth = new FourZeroThreeAuthenticator();
+                } else {
+                    // The existence of the realm could have enabled SSL without mandating authentication.
+                    auth = new AnonymousAuthenticator();
+                }
+            }
         } else {
             auth = new AnonymousAuthenticator();
             certAuthMode = CertAuth.NONE;

diff --git a/...ce/src/main/java/org/jboss/as/domain/http/server/security/FourZeroThreeAuthenticator.java b/...ce/src/main/java/org/jboss/as/domain/http/server/security/FourZeroThreeAuthenticator.java
@@ -0,0 +1,42 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.http.server.security;
+
+import static org.jboss.as.domain.http.server.Constants.FORBIDDEN;
+import org.jboss.com.sun.net.httpserver.Authenticator;
+import org.jboss.com.sun.net.httpserver.HttpExchange;
+
+/**
+ * A special authenticator that prevents all access. This is used where the management http interface is associated with an
+ * authentication capable security realm but not http compatible mechanisms are identified.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+public class FourZeroThreeAuthenticator extends Authenticator {
+
+    @Override
+    public Result authenticate(HttpExchange exchange) {
+        return new Authenticator.Failure(FORBIDDEN);
+    }
+
+}