11.8.6. Remove Silent Authentication from the Default Security Realm

Summary

The default installation of JBoss EAP 6 contains a method of silent authentication for a local Management CLI user. This allows the local user the ability to access the Management CLI without username or password authentication. This functionality is enabled as a convenience, and to assist local users running Management CLI scripts without requiring authentication. It is considered a useful feature given that access to the local configuration typically also gives the user the ability to add their own user details or otherwise disable security checks.

The convenience of silent authentication for local users can be disabled where greater security control is required. This can be achieved by removing the local element within the security-realm section of the configuration file. This applies to both the standalone.xml for a Standalone Server instance, or host.xml for a Managed Domain. You should only consider the removal of the local element if you understand the impact that it might have on your particular server configuration.

The preferred method of removing silent authentication is by use of the Management CLI, which directly removes the local element visible in the following example.

Example 11.15. Example of the local element in the security-realm

<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local"/>
            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
    </security-realm>
    <security-realm name="ApplicationRealm">
        <authentication>
            <local default-user="$local" allowed-users="*"/>
            <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization>
            <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>

Prerequisites

Procedure 11.7. Remove Silent Authentication from the Default Security Realm

Remove silent authentication with the Management CLI

Remove the local element from the Management Realm and Application Realm as required.

Remove the local element from the Management Realm.

For Standalone Servers

/core-service=management/security-realm=ManagementRealm/authentication=local:remove

For Managed Domains

/host=HOST_NAME/core-service=management/security-realm=ManagementRealm/authentication=local:remove

Remove the local element from the Application Realm.

For Standalone Servers

/core-service=management/security-realm=ApplicationRealm/authentication=local:remove

For Managed Domains

/host=HOST_NAME/core-service=management/security-realm=ApplicationRealm/authentication=local:remove

Result

The silent authentication mode is removed from the ManagementRealm and the ApplicationRealm.

Report a bug

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

11.8.6. Remove Silent Authentication from the Default Security Realm

Where did the comment section go?