Search

5.4. Remove Silent Authentication from the Default Security Realm

download PDF
Summary

The default installation of JBoss EAP 6 contains a method of silent authentication for a local Management CLI user. This allows the local user the ability to access the Management CLI without username or password authentication. This functionality is enabled as a convenience, and to assist local users running Management CLI scripts without requiring authentication. It is considered a useful feature given that access to the local configuration typically also gives the user the ability to add their own user details or otherwise disable security checks.

The convenience of silent authentication for local users can be disabled where greater security control is required. This can be achieved by removing the local element within the security-realm section of the configuration file. This applies to both the standalone.xml for a Standalone Server instance, or host.xml for a Managed Domain. You should only consider the removal of the local element if you understand the impact that it might have on your particular server configuration.
The preferred method of removing silent authentication is by use of the Management CLI, which directly removes the local element visible in the following example.

Example 5.4. Example of the local element in the security-realm

<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local"/>
            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
    </security-realm>
    <security-realm name="ApplicationRealm">
        <authentication>
            <local default-user="$local" allowed-users="*"/>
            <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization>
            <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>

Prerequisites

  • Start the JBoss EAP 6 instance.
  • Launch the Management CLI.

Procedure 5.1. Remove Silent Authentication from the Default Security Realm

  • Remove silent authentication with the Management CLI

    Remove the local element from the Management Realm and Application Realm as required.
    1. Remove the local element from the Management Realm.
      • For Standalone Servers

        /core-service=management/security-realm=ManagementRealm/authentication=local:remove
      • For Managed Domains

        /host=HOST_NAME/core-service=management/security-realm=ManagementRealm/authentication=local:remove
    2. Remove the local element from the Application Realm.
      • For Standalone Servers

        /core-service=management/security-realm=ApplicationRealm/authentication=local:remove
      • For Managed Domains

        /host=HOST_NAME/core-service=management/security-realm=ApplicationRealm/authentication=local:remove
Result

The silent authentication mode is removed from the ManagementRealm and the ApplicationRealm.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.