11 Replies Latest reply: Nov 29, 2011 7:55 AM by Darran Lofthouse

In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password

Rayan Hacker Newbie

I have noticed that in the new version of JBoss AS7 (i.e. jboss-as-7.1.0.Beta1) the CLI does not prompt for username and password when I try to connect to a running JBoss server which I believe is a BUG!!!

 

Steps to reproduce

  1. Un-comment admin from the file "<domain or standalone>/configuration/mgmt-users.properties"
  2. Start your JBoss server (i.e. ./domain.sh or ./standalone.sh)
  3. Now run this command   ./jboss-admin.sh --connect

 

You would notice that you have been connected to the running JBoss server and that too without any prompt for username and password.

 

However in the configuration files (i.e. domain.xml, host.xml and standalone.xml) of jboss-as-7.1.0.Beta1 the default security realm is already activated for native-interface and for http-interface. Whereas the http-interface works just fine; when we try to open a console it prompts for username and password.

  • 1. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Riccardo Pasquini Novice

    try a search here https://issues.jboss.org/browse/AS7

     

    i can reproduce the issue both in domain and standalone...

  • 3. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Radoslav Husar Master

    Hi Rayan,

     

    AFAIK this is not a bug, this is intentional. If you are logging in from localhost and your management ports are listening on localhost (on the same machine), you already do have full access to the machine, thus there is very little benefit in adding security when logging from localhost. Try connecting from a remote host and you will see that you will be prompted for password as you expect. You can probably close the issue or make it into documentation one.

     

    HTH,

    Rado

  • 4. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    jaikiran pai Master

    This isn't a bug and is intentional. See "Local Clients" section in the wiki documentation http://community.jboss.org/wiki/AS710Beta1-SecurityEnabledByDefault

  • 5. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Darran Lofthouse Master

    We are getting a few users wondering what is happening with the silent authentication so I have created the following issue to look at if we can add a message to the CLI: -

     

    https://issues.jboss.org/browse/AS7-2812

  • 6. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Rayan Hacker Newbie

    Thanks guys for all your help...

     

    However, when I am trying to connect from remote host using a *.cli file I am not able to connect. What is the correct way to do so?

     

    ./jboss-admin.sh --file=test.cli

     

    test.cli

    connect controller=100.100.100.100

    -user admin -password admin

     

    OR

     

    test.cli

    connect controller=100.100.100.100

    admin  admin

     

    Where: 100.100.100.100 is the IP on which my JBoss node is running on

  • 7. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Darran Lofthouse Master

    You would first need to add a user to the remote server.

     

    Beta1 now contains an add-user.sh or add-user.bat to guide you through this.

     

    A user of admin with password admin would not be accepted however so you would need to pick something slightly harder to guess.

  • 8. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Rayan Hacker Newbie

    I have tried with the following password as well after using the add-user.sh and none of them worked

     

    test.cli

    connect controller=100.100.100.100

    --user admin --password admin123

     

    $ ./jboss-admin.sh --file=test.cli

    The controller is not available at controller=100.100.100.100

    '--user' is not a valid operation name.

    The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

     

    OR

     

    test.cli

    connect controller=100.100.100.100

    -user admin -password admin123

     

    $ ./jboss-admin.sh --file=test.cli

    The controller is not available at controller=100.100.100.100

    '-user' is not a valid operation name.

    The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

     

    OR

     

    test.cli

    connect controller=100.100.100.100

    user admin password admin123

     

    ./jboss-admin.sh --file=test.cli

    The controller is not available at controller=100.100.100.100

    Unexpected command 'user admin password admin123'. Type 'help' for the list of supported commands.

    The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

     

    OR

     

    test.cli

    connect controller=100.100.100.100

    admin admin123

     

    ./jboss-admin.sh --file=test.cli

    The controller is not available at controller=100.100.100.100

    Unexpected command 'user admin password admin123'. Type 'help' for the list of supported commands.

    The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

     

     

    Whereas with same password using the below command it works fine  (i.e. without *.cli file)

     

    $ ./jboss-admin.sh --connect controller=100.100.100.100

    Authenticating against security realm: ManagementRealm

    Username: admin

    Password:

    [standalone@100.100.100.100:9999 /]



  • 9. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Darran Lofthouse Master

    Sorry, misread your initial post - you can not specify the username and password in the cli file, the --user and --password arguments need to be passed to the jboss-admin.sh call

  • 10. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Rayan Hacker Newbie

    Darran thank you for helping me on this issue.

     

    I had to fix my test.cli file, the correct way to connect with the remote host is without using the "controller=" and directly giving the IP

     

    test.cli

    connect 100.100.100.100

    ls

     

    $ ./jboss-admin.sh --file=test.cli

    Authenticating against security realm: ManagementRealm

    Username: admin

    Password:

    core-service                  deployment                    extension                     interface                     path                          socket-binding-group

    subsystem                     system-property               launch-type=STANDALONE        name=localhost.localdomain    namespaces=[]                 process-type=Server

    profile-name=undefined        release-codename=Tesla        release-version=7.1.0.Beta1   schema-locations=[]           server-state=running

     

     

    Now when I try to set the user and password (clear text) in the last line of jboss-admin.sh and use the above test.cli it works fine

     

    jboss-admin.sh

    eval \"$JAVA\" $JAVA_OPTS -jar \"$JBOSS_HOME/jboss-modules.jar\" -logmodule "org.jboss.logmanager" -mp \"$JBOSS_HOME/modules\" org.jboss.as.cli '--user=admin --password=admin123 "$@"'

     

    $ ./jboss-admin.sh --file=test.cli

    core-service

    deployment

    extension

    interface

    path

    socket-binding-group

    subsystem

    system-property

    launch-type=STANDALONE

    name=localhost.localdomain

    namespaces=[]

    process-type=Server

    profile-name=undefined

    release-codename=Tesla

    release-version=7.1.0.Beta1

    schema-locations=[]

    server-state=running

     

     

    However when I try to use the encrypted password of the remote server in jboss-admin.sh as shown below it does not work

     

    eval \"$JAVA\" $JAVA_OPTS -jar \"$JBOSS_HOME/jboss-modules.jar\" -logmodule "org.jboss.logmanager" -mp \"$JBOSS_HOME/modules\" org.jboss.as.cli '--user=admin --password=6649f2d0da3c330e7793f094b8bdde0f "$@"'

     

    ]$ ./jboss-admin.sh --file=test.cli

    Unable to authenticate against controller at 100.100.100.100:9999

    The command is not available in the current context (e.g. required subsystems or connection to the controller might be unavailable).

     

    Is there a way to use the encrypted password ?

  • 11. Re: In jboss-as-7.1.0.Beta1 CLI gets connected without asking for username and password
    Darran Lofthouse Master

    Just to clarify, the password on the remote server is not an encrypted password but a pre-hashed password to make it usable with that realm only.

     

    It is not possible to use the pre-hashed form on the clients as this undermines the hashing on the server side - once both sides are using the same value it is no longer a pre-hashed password but just a long randomly generated hex plain text password.  If you want passwords of that form I would suggest just generating a random password in the first place so neither side is in an easily guessable form.
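
An added illustration of the point made in the last reply (not code from the thread or from JBoss): it assumes mgmt-users.properties stores HEX(MD5(username:realm:password)), and the challenge-response below is a simplified Digest-style stand-in rather than the exact exchange the native interface performs. All function names are hypothetical and the credentials are constructed sample values.

```python
import hashlib
import hmac
import secrets

REALM = "ManagementRealm"  # realm name shown in the CLI prompt on this page


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def prehash(user: str, realm: str, password: str) -> str:
    """Assumed stored form: HEX(MD5(user:realm:password)), bound to one realm."""
    return md5_hex(f"{user}:{realm}:{password}")


def client_response(user: str, realm: str, typed: str, nonce: str) -> str:
    """Client: derive the pre-hash from whatever was typed, then bind it to the nonce."""
    return md5_hex(f"{prehash(user, realm, typed)}:{nonce}")


def server_verify(stored: str, nonce: str, response: str) -> bool:
    """Server: needs only the stored pre-hash, never the clear-text password."""
    expected = md5_hex(f"{stored}:{nonce}")
    return hmac.compare_digest(expected, response)


def random_password(nbytes: int = 16) -> str:
    """The suggestion from the reply: start from a random secret instead of reusing a hash."""
    return secrets.token_hex(nbytes)


def demo() -> dict:
    user, password = "admin", "admin123"        # constructed sample credentials
    stored = prehash(user, REALM, password)     # what the server-side file would hold
    nonce = secrets.token_hex(16)               # fresh server challenge
    return {
        # The client types the real password: both sides derive the same pre-hash.
        "real_password": server_verify(
            stored, nonce, client_response(user, REALM, password, nonce)),
        # The client passes the stored hash as --password: it gets hashed again
        # and no longer matches, so authentication fails.
        "hash_as_password": server_verify(
            stored, nonce, client_response(user, REALM, stored, nonce)),
        # The same credentials in another realm give a different stored value.
        "same_hash_other_realm": prehash(user, "OtherRealm", password) == stored,
    }


if __name__ == "__main__":
    print(demo())
    print("random password:", random_password())
```

If a client accepted the stored value directly, anyone who could read mgmt-users.properties would hold a working credential, which is the weakening the reply describes.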