11 Replies Latest reply on Nov 29, 2011 7:55 AM by dlofthouse

    In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password

    rhacker

      I have noticed that in the new version of JBoss AS7 (i.e. jboss-as-7.1.0.Beta1) the CLI does not prompt for username and password when I try to connect to a running JBoss server which I believe is a BUG!!!

       

      Steps to reproduce

      1. Uncomment admin from the file "<domain or standalone>/configuration/mgmt-users.properties"
      2. Start your JBoss server (i.e. ./domain.sh or ./standalone.sh)
      3. Now run this command   ./jboss-admin.sh --connect

       

      You would notice that you have been connected to the running JBoss server and that too without any prompt for username and password.

       

      However, in the configuration files (i.e. domain.xml, host.xml and standalone.xml) of jboss-as-7.1.0.Beta1 the default security realm is already activated for native-interface and for http-interface. Whereas the http-interface works just fine: when we try to open a console it prompts for username and password.

        • 1. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
          morphy

          try a search here https://issues.jboss.org/browse/AS7

           

          i can reproduce the issue both in domain and standalone...

          • 2. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
            rhacker

            Just created a bug on this issue

             

            https://issues.jboss.org/browse/AS7-2799

            • 3. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
              rhusar

              Hi Rayan,

               

              AFAIK this is not a bug, this is intentional. If you are logging in from localhost and your management ports are listening on localhost (on the same machine), you already do have full access to the machine, thus there is very little benefit in adding security when logging in from localhost. Try connecting from a remote host and you will see that you will be prompted for a password as you expect. You can probably close the issue or make it into a documentation one.

               

              HTH,

              Rado

              1 of 1 people found this helpful
              • 4. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                jaikiran

                This isn't a bug and is intentional. See "Local Clients" section in the wiki documentation http://community.jboss.org/wiki/AS710Beta1-SecurityEnabledByDefault

                1 of 1 people found this helpful
                • 5. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                  dlofthouse

                  We are getting a few users wondering what is happening with the silent authentication so I have created the following issue to look at if we can add a message to the CLI: -

                   

                  https://issues.jboss.org/browse/AS7-2812

                  • 6. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                    rhacker

                    Thanks guys for all your help...

                     

                    However, when I am trying to connect from a remote host using a *.cli file I am not able to connect. What is the correct way to do so?

                     

                    ./jboss-admin.sh --file=test.cli

                     

                    test.cli

                    connect controller=100.100.100.100

                    -user admin -password admin

                     

                    OR

                     

                    test.cli

                    connect controller=100.100.100.100

                    admin  admin

                     

                    Where: 100.100.100.100 is the IP on which my JBoss node is running on

                    • 7. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                      dlofthouse

                      You would first need to add a user to the remote server.

                       

                      Beta1 now contains an add-user.sh or add-user.bat to guide you through this.

                       

                      A user of admin with password admin would not be accepted however so you would need to pick something slightly harder to guess.

                      • 8. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                        rhacker

                        I have tried with the following password as well after using the add-user.sh and none of them worked

                         

                        test.cli

                        connect controller=100.100.100.100

                        --user admin --password admin123

                         

                        $ ./jboss-admin.sh --file=test.cli

                        The controller is not available at controller=100.100.100.100

                        '--user' is not a valid operation name.

                        The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

                         

                        OR

                         

                        test.cli

                        connect controller=100.100.100.100

                        -user admin -password admin123

                         

                        $ ./jboss-admin.sh --file=test.cli

                        The controller is not available at controller=100.100.100.100

                        '-user' is not a valid operation name.

                        The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

                         

                        OR

                         

                        test.cli

                        connect controller=100.100.100.100

                        user admin password admin123

                         

                        ./jboss-admin.sh --file=test.cli

                        The controller is not available at controller=100.100.100.100

                        Unexpected command 'user admin password admin123'. Type 'help' for the list of supported commands.

                        The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

                         

                        OR

                         

                        test.cli

                        connect controller=100.100.100.100

                        admin admin123

                         

                        ./jboss-admin.sh --file=test.cli

                        The controller is not available at controller=100.100.100.100

                        Unexpected command 'user admin password admin123'. Type 'help' for the list of supported commands.

                        The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

                         

                         

                        Whereas with the same password using the below command it works fine (i.e. without *.cli file)

                         

                        $ ./jboss-admin.sh --connect controller=100.100.100.100

                        Authenticating against security realm: ManagementRealm

                        Username: admin

                        Password:

                        [standalone@100.100.100.100:9999 /]



                        • 9. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                          dlofthouse

                          Sorry, misread your initial post - you cannot specify the username and password in the cli file, the --user and --password arguments need to be passed to the jboss-admin.sh call

                          • 10. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                            rhacker

                            Darran thank you for helping me on this issue.

                             

                            I had to fix my test.cli file, the correct way to connect with the remote host is without using the "controller=" and directly giving the IP

                             

                            test.cli

                            connect 100.100.100.100

                            ls

                             

                            $ ./jboss-admin.sh --file=test.cli

                            Authenticating against security realm: ManagementRealm

                            Username: admin

                            Password:

                            core-service                  deployment                    extension                     interface                     path                          socket-binding-group

                            subsystem                     system-property               launch-type=STANDALONE        name=localhost.localdomain    namespaces=[]                 process-type=Server

                            profile-name=undefined        release-codename=Tesla        release-version=7.1.0.Beta1   schema-locations=[]           server-state=running

                             

                             

                            Now when I try to set the user and password (clear text) in the last line of jboss-admin.sh and use the above test.cli it works fine

                             

                            jboss-admin.sh

                            eval \"$JAVA\" $JAVA_OPTS -jar \"$JBOSS_HOME/jboss-modules.jar\" -logmodule "org.jboss.logmanager" -mp \"$JBOSS_HOME/modules\" org.jboss.as.cli '--user=admin --password=admin123 "$@"'

                             

                            $ ./jboss-admin.sh --file=test.cli

                            core-service

                            deployment

                            extension

                            interface

                            path

                            socket-binding-group

                            subsystem

                            system-property

                            launch-type=STANDALONE

                            name=localhost.localdomain

                            namespaces=[]

                            process-type=Server

                            profile-name=undefined

                            release-codename=Tesla

                            release-version=7.1.0.Beta1

                            schema-locations=[]

                            server-state=running

                             

                             

                            However, when I try to use the encrypted password of the remote server in jboss-admin.sh as shown below it does not work

                             

                            eval \"$JAVA\" $JAVA_OPTS -jar \"$JBOSS_HOME/jboss-modules.jar\" -logmodule "org.jboss.logmanager" -mp \"$JBOSS_HOME/modules\" org.jboss.as.cli '--user=admin --password=6649f2d0da3c330e7793f094b8bdde0f "$@"'

                             

                            ]$ ./jboss-admin.sh --file=test.cli

                            Unable to authenticate against controller at 100.100.100.100:9999

                            The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

                             

                            Is there a way to use the encrypted password ?

                            • 11. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
                              dlofthouse

                              Just to clarify, the password on the remote server is not an encrypted password but a pre-hashed password to make it usable with that realm only.

                               

                              It is not possible to use the pre-hashed form on the clients as this undermines the hashing on the server side - once both sides are using the same value it is no longer a pre-hashed password but just a long randomly generated hex plain text password.  If you want passwords of that form I would suggest just generating a random password in the first place so neither side is in an easily guessable form.
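
The behaviour described in reply 11, as an added example that is not part of the thread and not JBoss code: it shows why handing the stored hash to `--password` fails and why the hash is bound to one realm. It assumes the server file holds HEX(MD5(username:realm:password)) as in Digest authentication; the `response` step is a simplified stand-in for the real challenge exchange, and `OtherRealm` and the generated password are constructed values.

```python
import hashlib
import hmac
import secrets

REALM = "ManagementRealm"  # realm name printed by the CLI in the thread


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def pre_hash(user: str, realm: str, password: str) -> str:
    """Assumed stored form: HEX(MD5(user:realm:password))."""
    return md5_hex(f"{user}:{realm}:{password}")


def response(ha1: str, nonce: str) -> str:
    """Simplified challenge response: binds the pre-hash to a one-time nonce."""
    return md5_hex(f"{ha1}:{nonce}")


def client_login(user: str, realm: str, typed: str, nonce: str) -> str:
    # The client always hashes whatever it was given as "the password".
    return response(pre_hash(user, realm, typed), nonce)


def server_accepts(stored_ha1: str, nonce: str, answer: str) -> bool:
    # Constant-time comparison of the expected and received answers.
    return hmac.compare_digest(response(stored_ha1, nonce), answer)


def demo() -> dict:
    password = secrets.token_hex(16)             # random password, as reply 11 suggests
    stored = pre_hash("admin", REALM, password)  # what the server-side file would hold
    nonce = secrets.token_hex(8)                 # fresh challenge for this login
    return {
        # Client given the real password: the server's expected answer matches.
        "real_password": server_accepts(
            stored, nonce, client_login("admin", REALM, password, nonce)),
        # Client given the stored hash: it is hashed again, so the answer differs.
        "stored_hash_as_password": server_accepts(
            stored, nonce, client_login("admin", REALM, stored, nonce)),
        # Same user and password under another realm name give a different hash.
        "same_hash_in_other_realm": pre_hash("admin", "OtherRealm", password) == stored,
    }


if __name__ == "__main__":
    print(demo())
```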