At the moment I'm trying to find out the best way for us to secure the management interface(s).
According to this documentation, the following authentication types are currently available:
| | HTTP | Native |
|---|---|---|
| LDAP | HTTP BASIC | Not Supported1 |
| Users | HTTP DIGEST | SASL DIGEST |
| Properties | HTTP DIGEST | SASL DIGEST |
Looking at the jboss-as-config_1_1.xsd and at the source code, there seems to be another authentication type available: jaas (class org.jboss.as.domain.management.security.JaasCallbackHandler).
Is this authentication type really available for the http interface and the native interface? (I just don't want to spend time trying it out when it is not really supported for the moment, and as it is not stated in the documentation mentioned above, I assume it is not supported at the moment.)
Is there any way to exchange the authentication method for the http/native interface? E.g. for the http interface I would like to enable a custom-built authenticator which just verifies a digitally signed header and sets the principal using this one. Studying the source (org.jboss.as.domain.http.server.ManagementHttpServer), I think it is not easily possible to modify that.
Same question for the native interface: can we use, for example, certificate-based authentication there, or is SASL DIGEST really the only authentication method available at the moment (as stated in the documentation)?
Thanks for your help
That list is due an update as we do support LDAP with the Native interface and that currently works with the PLAIN mechanism - also a JAAS domain can be used for username / password authentication and that also uses PLAIN. Client certificate verification can be enabled for both interfaces but we do not support additional mechanisms at the moment.
Thanks for your help.
So this means that at the moment there is no way to configure any combination of authentication method and user store other than those you have mentioned above.
I think it would be cool to choose the authentication method (like SAML, Kerberos, ...) for the web management console/native DMR interface and to enable JAAS for checking the user received from the authentication method.
Are there any plans to provide this feature?