[AS7-4487] Add an option to specify <local /> on the realm and allow …

…the default and allowed users to be specified.
schakko · Apr 18, 2012 · f32924b · f32924b
1 parent baf3b5e
commit f32924b
Show file tree

Hide file tree

Showing 28 changed files with 539 additions and 81 deletions.
diff --git a/build/src/main/resources/configuration/standalone/template.xml b/build/src/main/resources/configuration/standalone/template.xml
@@ -10,11 +10,13 @@
         <security-realms>
             <security-realm name="ManagementRealm">
                 <authentication>
+                    <local default-user="$local" />
                     <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                 </authentication>
             </security-realm>
             <security-realm name="ApplicationRealm">
                 <authentication>
+                    <local default-user="$local" allowed-users="*" />
                     <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                 </authentication>
                 <authorization>

diff --git a/build/src/main/resources/docs/examples/configs/standalone-minimalistic.xml b/build/src/main/resources/docs/examples/configs/standalone-minimalistic.xml
@@ -5,6 +5,7 @@
         <security-realms>
             <security-realm name="ManagementRealm">
                 <authentication>
+                    <local default-user="$local"/>
                     <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                 </authentication>
             </security-realm>

diff --git a/build/src/main/resources/docs/schema/jboss-as-config_1_3.xsd b/build/src/main/resources/docs/schema/jboss-as-config_1_3.xsd
@@ -370,7 +370,37 @@
 	    </xs:complexContent>                            
     </xs:complexType>
 
-
+    <xs:complexType name="localType">
+        <xs:annotation>
+            <xs:documentation>
+                This type definition is used to control the local authentication mechanism.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:attribute name="default-user" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    When using the local mechanism it is optional for the client side to send an
+                    authentication user name - this attribute specifies the user name to be assumed
+                    if the remote client does not send one.
+                </xs:documentation>
+            </xs:annotation>            
+        </xs:attribute>
+        <xs:attribute name="allowed-users" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>
+                    A comma separated list of users that can be specified by the client when connecting 
+                    using the local authentication mechanism.
+
+                    If a default user has been specified then that user is automatically added to the 
+                    allowed list.  If both default-user and allowed-users are ommitted despite the mechanism
+                    being enabled no incomming connection attemps using the mechanism will succeed.
+
+                    If any user name should be accepted the value should be set to "*".
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
     <xs:complexType name="authenticationType">
         <xs:annotation>
             <xs:documentation>
@@ -392,6 +422,14 @@
                     </xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="local" type="localType" minOccurs="0">
+                <xs:annotation>
+                    <xs:documentation>
+                        Configuration to enable the local authentication mechanism, if this element
+                        is ommitted then local authentication will be disabled.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:choice minOccurs="0">
                 <xs:element name="jaas" type="jaasAuthenticationType" minOccurs="0" />
                 <xs:element name="ldap" type="ldapAuthenticationType" minOccurs="0" />

diff --git a/build/src/main/resources/domain/configuration/host-master.xml b/build/src/main/resources/domain/configuration/host-master.xml
@@ -10,11 +10,13 @@
         <security-realms>
             <security-realm name="ManagementRealm">
                 <authentication>
+                    <local default-user="$local" />
                     <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                 </authentication>
             </security-realm>
             <security-realm name="ApplicationRealm">
                 <authentication>
+                     <local default-user="$local" allowed-users="*" />
                      <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
                 </authentication>
                 <authorization>

diff --git a/build/src/main/resources/domain/configuration/host-slave.xml b/build/src/main/resources/domain/configuration/host-slave.xml
@@ -11,11 +11,13 @@
                 </server-identities>
 
                 <authentication>
+                    <local default-user="$local" />
                     <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                 </authentication>
             </security-realm>
             <security-realm name="ApplicationRealm">
                 <authentication>
+                    <local default-user="$local" allowed-users="*" />
                     <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
                 </authentication>
                 <authorization>

diff --git a/build/src/main/resources/domain/configuration/host.xml b/build/src/main/resources/domain/configuration/host.xml
@@ -6,11 +6,13 @@
         <security-realms>
             <security-realm name="ManagementRealm">
                 <authentication>
+                    <local default-user="$local" />
                     <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                 </authentication>
             </security-realm>
             <security-realm name="ApplicationRealm">
                 <authentication>
+                    <local default-user="$local" allowed-users="*" />
                     <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
                 </authentication>
                 <authorization>

diff --git a/config-assembly/src/test/resources/org/jboss/as/config/assembly/domain-template.xml b/config-assembly/src/test/resources/org/jboss/as/config/assembly/domain-template.xml
@@ -10,6 +10,7 @@
         <security-realms>
             <security-realm name="ManagementRealm">
                 <authentication>
+                    <local default-user="$local"/>
                     <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                 </authentication>
             </security-realm>

diff --git a/config-assembly/src/test/resources/org/jboss/as/config/assembly/standalone-template.xml b/config-assembly/src/test/resources/org/jboss/as/config/assembly/standalone-template.xml
@@ -10,6 +10,7 @@
         <security-realms>
             <security-realm name="ManagementRealm">
                 <authentication>
+                    <local default-user="$local"/>
                     <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                 </authentication>
             </security-realm>

diff --git a/controller/src/main/java/org/jboss/as/controller/parsing/Attribute.java b/controller/src/main/java/org/jboss/as/controller/parsing/Attribute.java
@@ -38,17 +38,19 @@ public enum Attribute {
     NO_NAMESPACE_SCHEMA_LOCATION("noNamespaceSchemaLocation"),
     SCHEMA_LOCATION("schemaLocation"),
 
-    // domain 1.0 attributes in alpha order
+    // domain attributes in alpha order
     ALIAS("alias"),
-    AUTO_START("auto-start"),
+    ALLOWED_USERS("allowed-users"),
     ATTRIBUTE("attribute"),
+    AUTO_START("auto-start"),
     BASE_DN("base-dn"),
     BOOT_TIME("boot-time"),
     CODE("code"),
     CONNECTION("connection"),
     CONNECTOR("connector"),
     CONSOLE_ENABLED("console-enabled"),
     DEFAULT_INTERFACE("default-interface"),
+    DEFAULT_USER("default-user"),
     DEBUG_ENABLED("debug-enabled"),
     DEBUG_OPTIONS("debug-options"),
     DESTINATION_ADDRESS("destination-address"),

diff --git a/...c/main/resources/org/jboss/as/controller/descriptions/common/LocalDescriptions.properties b/...c/main/resources/org/jboss/as/controller/descriptions/common/LocalDescriptions.properties
@@ -52,6 +52,11 @@ core.management.security-realm.authentication.ldap.recursive=Whether the search
 core.management.security-realm.authentication.ldap.user-dn=The name of the attribute which is the user's distinguished name.
 core.management.security-realm.authentication.ldap.username-attribute=The name of the attribute to search for the user. This filter will then perform a simple search where the username entered by the user matches the attribute specified here.
 core.management.security-realm.authentication.ldap.advanced-filter=The fully defined filter to be used to search for the user based on their entered user ID. The filter should contain a variable in the form {0} - this will be replaced with the username supplied by the user.
+core.management.security-realm.authentication.local=Configuration of the local authentication mechanism.
+core.management.security-realm.authentication.local.add=Adds a configuration to use the JBOSS-LOCAL-USER mechanism for authentication.
+core.management.security-realm.authentication.local.remove=Removes a configuration to use JBOSS-LOCAL-USER for authentication.
+core.management.security-realm.authentication.local.default-user=The name of the default user to assume if no user specified by the remote client.
+core.management.security-realm.authentication.local.allowed-users=The comma separated list of users that will be accepted using the JBOSS-LOCAL-USER mechanism or '*' to accept all. If specified the default-user is always assumed allowed.
 core.management.security-realm.authentication.properties=Configuration to use a list users stored within a properties file as the user repository. The entries within the properties file are username={credentials} with each user being specified on it's own line.
 core.management.security-realm.authentication.properties.add=Adds a configuration to use a list users stored within a properties file as the user repository.
 core.management.security-realm.authentication.properties.remove=Removes a configuration to use a list users stored within a properties file as the user repository.

diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/DomainManagementMessages.java b/domain-management/src/main/java/org/jboss/as/domain/management/DomainManagementMessages.java
@@ -534,6 +534,15 @@ public interface DomainManagementMessages {
     @Message(value = "Updated user '%s' with roles %s to file '%s'")
     String updatedRoles(String username, String roles, String fileName);
 
+    /**
+     * IOException to indicate the user attempting to use local authentication has been rejected.
+     *
+     * @param userName - The user attempting local authentication.
+     * @return an {@link IOException} for the failure.
+     */
+    @Message(id = 15255, value = "The user '%s' is not allowed in a local authentication.")
+    IOException invalidLocalUser(final String userName);
+
     /*
     * Logging IDs 15200 to 15299 are reserved for domain management, the file DomainManagementLogger also contains messages in
     * this range commencing 15200.

diff --git a/...in-management/src/main/java/org/jboss/as/domain/management/ModelDescriptionConstants.java b/...in-management/src/main/java/org/jboss/as/domain/management/ModelDescriptionConstants.java
@@ -30,11 +30,15 @@
 public class ModelDescriptionConstants {
 
     public static final String ALIAS = "alias";
+    public static final String ALLOWED_USERS = "allowed-users";
+    public static final String AUTHENTICATION = "authentication";
+    public static final String DEFAULT_USER = "default-user";
     public static final String IDENTITY = "identity";
     public static final String KEY_PASSWORD = "key-password";
     public static final String KEYSTORE_PASSWORD = "keystore-password";
     public static final String KEYSTORE_PATH = "keystore-path";
     public static final String KEYSTORE_RELATIVE_TO = "keystore-relative-to";
+    public static final String LOCAL = "local";
     public static final String PASSWORD = "password";
     public static final String PATH = "path";
     public static final String REALM = "realm";

diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/SecurityRealm.java b/domain-management/src/main/java/org/jboss/as/domain/management/SecurityRealm.java
@@ -24,6 +24,7 @@
 import javax.net.ssl.SSLContext;
 
 import org.jboss.as.domain.management.security.DomainCallbackHandler;
+import org.jboss.as.domain.management.security.LocalCallbackHandler;
 import org.jboss.as.domain.management.security.SubjectSupplemental;
 
 /**
@@ -38,6 +39,11 @@ public interface SecurityRealm {
      */
     String getName();
 
+    /**
+     * @return The LocalCallbackHandler if defined, null if not.
+     */
+    LocalCallbackHandler getLocalCallbackHandler();
+
     /**
      * @return The CallbackHandler for the realm
      */