diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/SecurityCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/SecurityCommand.java index c77180955de..9295dffd32d 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/SecurityCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/SecurityCommand.java @@ -120,6 +120,7 @@ public interface FailureConsumer { public static final String OPT_SERVER_NAME = "server-name"; public static final String OPT_NO_OVERRIDE_SECURITY_REALM = "no-override-security-realm"; public static final String OPT_SECURITY_DOMAIN = "security-domain"; + public static final String OPT_REFERENCED_SECURITY_DOMAIN = "referenced-security-domain"; private final CommandContext ctx; private final AtomicReference embeddedServerRef; @@ -141,8 +142,8 @@ public List getCommands() { commands.add(new ManagementEnableSASLCommand()); commands.add(new ManagementEnableHTTPCommand()); commands.add(new ManagementReorderSASLCommand()); - commands.add(new HTTPServerEnableAuthCommand()); - commands.add(new HTTPServerDisableAuthCommand()); + commands.add(new HTTPServerEnableAuthCommand(ctx)); + commands.add(new HTTPServerDisableAuthCommand(ctx)); return commands; } @@ -207,8 +208,7 @@ protected List getItems(CLICompleterInvocation completerInvocation) { try { return ElytronUtil.getMechanisms(completerInvocation.getCommandContext(), - cmd.getFactorySpec(), - cmd.getTargetedFactory(completerInvocation.getCommandContext())); + cmd.getFactorySpec()); } catch (Exception ex) { return Collections.emptyList(); } 
@@ -274,6 +274,14 @@ protected List getItems(CLICompleterInvocation completerInvocation) { } } + public static class ReferencedSecurityDomainCompleter extends AbstractCompleter { + + @Override + protected List getItems(CLICompleterInvocation completerInvocation) { + return ElytronUtil.getSecurityDomainNames(completerInvocation.getCommandContext().getModelControllerClient()); + } + } + public static class MechanismsCompleter extends AbstractCommaCompleter { @Override diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractDisableAuthenticationCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractDisableAuthenticationCommand.java index 298b7dd13e9..74cd2d8a529 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractDisableAuthenticationCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractDisableAuthenticationCommand.java @@ -26,7 +26,6 @@ import org.jboss.as.cli.CommandContext; import org.jboss.as.cli.CommandFormatException; import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand; -import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM; import org.jboss.as.cli.impl.aesh.cmd.security.model.ElytronUtil; import org.jboss.dmr.ModelNode; import org.wildfly.core.cli.command.DMRCommand; @@ -40,9 +39,6 @@ */ @CommandDefinition(name = "abstract-auth-disable", description = "") public abstract class AbstractDisableAuthenticationCommand implements Command, DMRCommand { - @Option(name = OPT_MECHANISM, - completer = SecurityCommand.OptionCompleters.MechanismDisableCompleter.class) - String mechanism; @Option(name = OPT_NO_RELOAD, hasValue = false) boolean noReload; 
@@ -63,6 +59,8 @@ public AuthFactorySpec getFactorySpec() { protected abstract String getSecuredEndpoint(CommandContext ctx); + protected abstract String getMechanism(); + @Override public CommandResult execute(CLICommandInvocation commandInvocation) throws CommandException, InterruptedException { CommandContext ctx = commandInvocation.getCommandContext(); @@ -75,7 +73,7 @@ public CommandResult execute(CLICommandInvocation commandInvocation) throws Comm SecurityCommand.execute(ctx, request, SecurityCommand.DEFAULT_FAILURE_CONSUMER, noReload); commandInvocation.getCommandContext().printLine("Command success."); - if (mechanism == null) { + if (getMechanism() == null) { commandInvocation.getCommandContext().printLine(factorySpec.getName() + " authentication disabled for " + getSecuredEndpoint(commandInvocation.getCommandContext())); } else { @@ -102,11 +100,11 @@ public ModelNode buildSecurityRequest(CommandContext context) throws Exception { if (mn == null) { throw new CommandException("Invalid factory " + authFactory); } - if (mechanism == null) { + if (getMechanism() == null) { return disableFactory(context); } Set set = new HashSet<>(); - set.add(mechanism); + set.add(getMechanism()); return ElytronUtil.removeMechanisms(context, mn, authFactory, factorySpec, set); } diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractEnableAuthenticationCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractEnableAuthenticationCommand.java index 119abc56613..80fc6e11cb6 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractEnableAuthenticationCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractEnableAuthenticationCommand.java 
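Review bot: `getMechanism()` is now evaluated once for the null check and again for `set.add(getMechanism())` in `buildSecurityRequest`; because it is an overridable method, reading it once into a local (`final String mechanism = getMechanism();`) guarantees that the value checked is the value used. The same applies to `buildAuthMechanism` in `AbstractEnableAuthenticationCommand` later in this commit, where it is called for the availability check and again for every `new AuthMechanism(...)`. The new abstract method also has no Javadoc; something like `/** Returns the mechanism option value, or null when the whole factory is targeted. */` would state the null contract that `execute` and `buildSecurityRequest` rely on. Both method bodies extend outside the hunks shown.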
@@ -36,7 +36,6 @@ import org.jboss.as.cli.impl.aesh.cmd.RelativeFile; import org.jboss.as.cli.impl.aesh.cmd.RelativeFilePathConverter; import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_GROUP_PROPERTIES_FILE; -import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM; import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_NEW_AUTH_FACTORY_NAME; import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_NEW_SECURITY_DOMAIN_NAME; import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_NO_RELOAD; @@ -72,10 +71,6 @@ @CommandDefinition(name = "abstract-auth-enable", description = "") public abstract class AbstractEnableAuthenticationCommand implements Command, DMRCommand { - @Option(name = OPT_MECHANISM, - completer = SecurityCommand.OptionCompleters.MechanismCompleter.class) - String mechanism; - @Option(name = OPT_FILE_SYSTEM_REALM_NAME, activator = OptionActivators.FilesystemRealmActivator.class, completer = SecurityCommand.OptionCompleters.FileSystemRealmCompleter.class) String fileSystemRealmName; @@ -138,6 +133,8 @@ public AuthFactorySpec getFactorySpec() { return factorySpec; } + protected abstract String getMechanism(); + protected abstract void secure(CommandContext ctx, AuthSecurityBuilder builder) throws Exception; protected abstract String getOOTBFactory(CommandContext ctx) throws Exception; @@ -146,14 +143,6 @@ public AuthFactorySpec getFactorySpec() { protected abstract String getEnabledFactory(CommandContext ctx) throws Exception; - public String getTargetedFactory(CommandContext ctx) throws Exception { - String factory = getEnabledFactory(ctx); - if (factory == null) { - factory = getOOTBFactory(ctx); - } - return factory; - } - @Override public CommandResult execute(CLICommandInvocation commandInvocation) throws CommandException, InterruptedException { CommandContext ctx = commandInvocation.getCommandContext(); 
@@ -168,10 +157,14 @@ public CommandResult execute(CLICommandInvocation commandInvocation) throws Comm commandInvocation.getCommandContext().printLine("Command success."); commandInvocation.getCommandContext().printLine("Authentication configured for " + getSecuredEndpoint(commandInvocation.getCommandContext())); - commandInvocation.getCommandContext().printLine(factorySpec.getName() - + " authentication-factory=" + builder.getAuthFactory().getName()); - commandInvocation.getCommandContext().printLine("security-domain=" - + builder.getAuthFactory().getSecurityDomain().getName()); + if (builder.getReferencedSecurityDomain() != null) { + commandInvocation.getCommandContext().printLine("security domain=" + builder.getReferencedSecurityDomain()); + } else { + commandInvocation.getCommandContext().printLine(factorySpec.getName() + + " authentication-factory=" + builder.getAuthFactory().getName()); + commandInvocation.getCommandContext().printLine("security-domain=" + + builder.getAuthFactory().getSecurityDomain().getName()); + } } else { commandInvocation.getCommandContext(). printLine("Authentication is already enabled for " + getSecuredEndpoint(commandInvocation.getCommandContext())); @@ -189,7 +182,7 @@ public ModelNode buildRequest(CommandContext context) throws CommandFormatExcept } } - private AuthSecurityBuilder buildSecurityRequest(CommandContext context) throws Exception { + protected AuthSecurityBuilder buildSecurityRequest(CommandContext context) throws Exception { AuthSecurityBuilder builder = buildSecurityBuilder(context); //OOTB if (builder == null) { 
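Review bot: The new branch in `execute` prints the key as `security domain=` (with a space) while the existing branch right below prints `security-domain=`, so anything that parses this output has to handle two spellings. Using one hyphenated key, for example `"referenced-security-domain=" + builder.getReferencedSecurityDomain()` to match the option name, keeps the output consistent and also makes clear that no factory was touched. The enclosing `execute` body starts and ends outside the hunk.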
@@ -304,29 +297,28 @@ protected static MechanismConfiguration buildUserPasswordConfiguration(RelativeF private AuthMechanism buildAuthMechanism(CommandContext context) throws Exception { AuthMechanism mec = null; - if (mechanism == null) { + if (getMechanism() == null) { return null; } List available = ElytronUtil.getAvailableMechanisms(context, - getFactorySpec(), - getTargetedFactory(context)); - if (!available.contains(mechanism)) { - throw new CommandException("Unavialable mechanism " + mechanism); + getFactorySpec()); + if (!available.contains(getMechanism())) { + throw new CommandException("Unavailable mechanism " + getMechanism()); } - if (ElytronUtil.getMechanismsWithRealm().contains(mechanism)) { + if (ElytronUtil.getMechanismsWithRealm().contains(getMechanism())) { MechanismConfiguration config = buildUserPasswordConfiguration(userPropertiesFile, fileSystemRealmName, userRoleDecoder, exposedRealm, groupPropertiesFile, propertiesRealmName, relativeTo); - mec = new AuthMechanism(mechanism, config); - } else if (ElytronUtil.getMechanismsWithTrustStore().contains(mechanism)) { + mec = new AuthMechanism(getMechanism(), config); + } else if (ElytronUtil.getMechanismsWithTrustStore().contains(getMechanism())) { MechanismConfiguration config = buildExternalConfiguration(context, keyStoreName, keyStoreRealmName, roles); - mec = new AuthMechanism(mechanism, config); - } else if (ElytronUtil.getMechanismsLocalUser().contains(mechanism)) { + mec = new AuthMechanism(getMechanism(), config); + } else if (ElytronUtil.getMechanismsLocalUser().contains(getMechanism())) { MechanismConfiguration config = buildLocalUserConfiguration(context, superUser); - mec = new AuthMechanism(mechanism, config); + mec = new AuthMechanism(getMechanism(), config); } else { - mec = new AuthMechanism(mechanism, new EmptyConfiguration()); + mec = new AuthMechanism(getMechanism(), new EmptyConfiguration()); } return mec; } 
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtDisableAuthenticationCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtDisableAuthenticationCommand.java
new file mode 100644
index 00000000000..52ea1097fd6
--- /dev/null
+++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtDisableAuthenticationCommand.java
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+package org.jboss.as.cli.impl.aesh.cmd.security.auth;
+
+import org.aesh.command.CommandDefinition;
+import org.aesh.command.option.Option;
+import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand;
+import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM;
+import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthFactorySpec;
+
+/**
+ *
+ * @author jdenise@redhat.com
+ */
+@CommandDefinition(name = "abstract-management-auth-disable", description = "")
+public abstract class AbstractMgmtDisableAuthenticationCommand extends AbstractDisableAuthenticationCommand {
+
+ @Option(name = OPT_MECHANISM,
+ completer = SecurityCommand.OptionCompleters.MechanismDisableCompleter.class)
+ String mechanism;
+
+ public AbstractMgmtDisableAuthenticationCommand(AuthFactorySpec factorySpec) {
+ super(factorySpec);
+ }
+
+ @Override
+ protected String getMechanism() {
+ return mechanism;
+ }
+
+}
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtEnableAuthenticationCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtEnableAuthenticationCommand.java
new file mode 100644
index 00000000000..07e78be5ef3
--- /dev/null
+++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/AbstractMgmtEnableAuthenticationCommand.java
@@ -0,0 +1,44 @@
+/*
+Copyright 2018 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+package org.jboss.as.cli.impl.aesh.cmd.security.auth;
+
+import org.aesh.command.CommandDefinition;
+import org.aesh.command.option.Option;
+import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand;
+import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM;
+import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthFactorySpec;
+
+/**
+ *
+ * @author jdenise@redhat.com
+ */
+@CommandDefinition(name = "abstract-management-auth-enable", description = "")
+public abstract class AbstractMgmtEnableAuthenticationCommand extends AbstractEnableAuthenticationCommand {
+
+ @Option(name = OPT_MECHANISM,
+ completer = SecurityCommand.OptionCompleters.MechanismCompleter.class)
+ String mechanism;
+
+ public AbstractMgmtEnableAuthenticationCommand(AuthFactorySpec factorySpec) {
+ super(factorySpec);
+ }
+
+ @Override
+ protected String getMechanism() {
+ return mechanism;
+ }
+
+}
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerDisableAuthCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerDisableAuthCommand.java
index 563a3f0dc4a..0214c6fff9e 100644
--- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerDisableAuthCommand.java
+++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerDisableAuthCommand.java
@@ -15,38 +15,118 @@ */ package org.jboss.as.cli.impl.aesh.cmd.security.auth; +import java.io.IOException; +import java.util.Collections; +import java.util.List; import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthFactorySpec; import org.aesh.command.CommandDefinition; +import org.aesh.command.impl.internal.ParsedCommand; +import org.aesh.command.impl.internal.ParsedOption; import org.aesh.command.option.Option; import org.jboss.as.cli.CommandContext; import org.jboss.as.cli.impl.aesh.cmd.security.HttpServerCommandActivator; +import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM; import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_SECURITY_DOMAIN; import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OptionCompleters; +import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OptionCompleters.MechanismDisableCompleter; import org.jboss.as.cli.impl.aesh.cmd.security.model.HTTPServer; +import org.jboss.as.cli.operation.OperationFormatException; import org.jboss.dmr.ModelNode; +import org.wildfly.core.cli.command.aesh.CLICompleterInvocation; +import org.wildfly.core.cli.command.aesh.activator.AbstractDependOptionActivator; /** - * Disable authentication applied to an http-server security-domain. + * Disable authentication applied to an http-server security-domain. Complexity + * comes from the fact that an undertow application-security-domain can + * references a factory or a security domain. 
* * @author jdenise@redhat.com */ @CommandDefinition(name = "disable-http-auth-http-server", description = "", activator = HttpServerCommandActivator.class) public class HTTPServerDisableAuthCommand extends AbstractDisableAuthenticationCommand { + public static class MechanismCompleter extends MechanismDisableCompleter { + + @Override + protected List getItems(CLICompleterInvocation completerInvocation) { + HTTPServerDisableAuthCommand cmd = (HTTPServerDisableAuthCommand) completerInvocation.getCommand(); + try { + if (!HTTPServer.hasAuthFactory(cmd.ctx, cmd.securityDomain)) { + return Collections.emptyList(); + } + return super.getItems(completerInvocation); + } catch (Exception ex) { + return Collections.emptyList(); + } + } + } + + public static class MechanismActivator extends AbstractDependOptionActivator { + + public MechanismActivator() { + super(false, OPT_SECURITY_DOMAIN); + } + + @Override + public boolean isActivated(ParsedCommand processedCommand) { + if (!super.isActivated(processedCommand)) { + return false; + } + HTTPServerDisableAuthCommand cmd = (HTTPServerDisableAuthCommand) processedCommand.command(); + ParsedOption opt = processedCommand.findLongOptionNoActivatorCheck(OPT_SECURITY_DOMAIN); + if (opt != null && opt.value() != null) { + try { + return HTTPServer.hasAuthFactory(cmd.ctx, opt.value()); + } catch (IOException | OperationFormatException ex) { + return false; + } + } + return false; + } + } + @Option(name = OPT_SECURITY_DOMAIN, required = true, completer = OptionCompleters.SecurityDomainCompleter.class) String securityDomain; - public HTTPServerDisableAuthCommand() { + @Option(name = OPT_MECHANISM, + completer = MechanismCompleter.class, activator = MechanismActivator.class) + String factoryMechanism; + + private final CommandContext ctx; + + public HTTPServerDisableAuthCommand(CommandContext ctx) { super(AuthFactorySpec.HTTP); + this.ctx = ctx; + } + + @Override + protected String getMechanism() { + return factoryMechanism; + } + + 
@Override + public ModelNode buildSecurityRequest(CommandContext context) throws Exception { + if (HTTPServer.hasAuthFactory(ctx, securityDomain)) { + return super.buildSecurityRequest(context); + } else { + return disableFactory(context); + } } @Override public String getEnabledFactory(CommandContext ctx) throws Exception { - return HTTPServer.getSecurityDomainFactoryName(securityDomain, ctx); + // Special case for undertow security domain, can be a security-domain or a factory + if (HTTPServer.hasAuthFactory(ctx, securityDomain)) { + return HTTPServer.getSecurityDomainFactoryName(securityDomain, ctx); + } else { + return HTTPServer.getReferencedSecurityDomainName(securityDomain, ctx); + } } @Override protected ModelNode disableFactory(CommandContext context) throws Exception { + // In the undertow case, the undertow application-security-domain is simply removed. + // Whatever the fact that the domain references a factory or a domain. return HTTPServer.disableHTTPAuthentication(securityDomain, context); } diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerEnableAuthCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerEnableAuthCommand.java index 9c98cf68644..379385b3a0f 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerEnableAuthCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/HTTPServerEnableAuthCommand.java 
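Review bot: In the overridden `buildSecurityRequest` of `HTTPServerDisableAuthCommand`, a supplied mechanism is silently ignored when the application-security-domain has no authentication factory: the call falls through to `disableFactory`, which per the comment in this hunk removes the whole application-security-domain. `MechanismActivator` hides the option in that case, but whether activators are enforced for every way the command can be invoked is not visible here, so the command should reject the combination itself, as `HTTPServerEnableAuthCommand` does with "Can't mix mechanism and referenced security domain". The method also reads the `ctx` field although its `context` parameter is available; using the parameter matches `getEnabledFactory`. `CommandException` is not among the imports visible in this hunk and would have to be added.

```java
@Override
public ModelNode buildSecurityRequest(CommandContext context) throws Exception {
    if (HTTPServer.hasAuthFactory(context, securityDomain)) {
        return super.buildSecurityRequest(context);
    }
    if (factoryMechanism != null) {
        // Refuse instead of widening "remove one mechanism" into "remove the whole domain".
        throw new CommandException("Option " + OPT_MECHANISM + " can't be used, security domain "
                + securityDomain + " doesn't reference an authentication factory");
    }
    return disableFactory(context);
}
```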
@@ -16,17 +16,30 @@ package org.jboss.as.cli.impl.aesh.cmd.security.auth; import java.io.IOException; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; import org.aesh.command.CommandDefinition; +import org.aesh.command.CommandException; +import org.aesh.command.impl.internal.ParsedCommand; import org.aesh.command.option.Option; import org.jboss.as.cli.CommandContext; import org.jboss.as.cli.impl.aesh.cmd.security.HttpServerCommandActivator; +import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_MECHANISM; +import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_REFERENCED_SECURITY_DOMAIN; import static org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OPT_SECURITY_DOMAIN; import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OptionCompleters; +import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OptionCompleters.MechanismCompleter; +import org.jboss.as.cli.impl.aesh.cmd.security.SecurityCommand.OptionCompleters.ReferencedSecurityDomainCompleter; +import org.jboss.as.cli.impl.aesh.cmd.security.model.ApplicationSecurityDomain; import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthFactorySpec; import org.jboss.as.cli.impl.aesh.cmd.security.model.AuthSecurityBuilder; import org.jboss.as.cli.impl.aesh.cmd.security.model.ElytronUtil; import org.jboss.as.cli.impl.aesh.cmd.security.model.HTTPServer; import org.jboss.as.cli.operation.OperationFormatException; +import org.wildfly.core.cli.command.aesh.CLICompleterInvocation; +import org.wildfly.core.cli.command.aesh.activator.AbstractDependRejectOptionActivator; /** * Enable authentication for a given http-server security domain. 
@@ -36,20 +49,162 @@ @CommandDefinition(name = "enable-http-auth-http-server", description = "", activator = HttpServerCommandActivator.class) public class HTTPServerEnableAuthCommand extends AbstractEnableAuthenticationCommand { + public static class FactoryMechanismCompleter extends MechanismCompleter { + + @Override + protected List getItems(CLICompleterInvocation completerInvocation) { + HTTPServerEnableAuthCommand cmd = (HTTPServerEnableAuthCommand) completerInvocation.getCommand(); + try { + if (cmd.securityDomain != null) { + ApplicationSecurityDomain secDomain = HTTPServer.getSecurityDomain(cmd.ctx, cmd.securityDomain); + if (secDomain != null + && secDomain.getFactory() == null) { + return Collections.emptyList(); + } + return super.getItems(completerInvocation); + } else { + return Collections.emptyList(); + } + } catch (Exception ex) { + return Collections.emptyList(); + } + } + } + + public static class ReferencedSecurityDomainActivator extends AbstractDependRejectOptionActivator { + + private static final Set EXPECTED = new HashSet<>(); + private static final Set REJECTED = new HashSet<>(); + + static { + REJECTED.add(OPT_MECHANISM); + EXPECTED.add(OPT_SECURITY_DOMAIN); + } + + public ReferencedSecurityDomainActivator() { + super(false, EXPECTED, REJECTED); + } + + @Override + public boolean isActivated(ParsedCommand pc) { + HTTPServerEnableAuthCommand cmd = (HTTPServerEnableAuthCommand) pc.command(); + try { + if (!HTTPServer.isReferencedSecurityDomainSupported(cmd.ctx)) { + return false; + } + if (cmd.securityDomain != null) { + ApplicationSecurityDomain secDomain = HTTPServer.getSecurityDomain(cmd.ctx, cmd.securityDomain); + if (secDomain != null && secDomain.getSecurityDomain() == null) { + return false; + } + } + return super.isActivated(pc); + } catch (OperationFormatException | IOException ex) { + return false; + } + } + } + + public static class MechanismActivator extends AbstractDependRejectOptionActivator { + + private static final Set 
EXPECTED = new HashSet<>(); + private static final Set REJECTED = new HashSet<>(); + + static { + REJECTED.add(OPT_REFERENCED_SECURITY_DOMAIN); + EXPECTED.add(OPT_SECURITY_DOMAIN); + } + + public MechanismActivator() { + super(false, EXPECTED, REJECTED); + } + + @Override + public boolean isActivated(ParsedCommand processedCommand) { + if (!super.isActivated(processedCommand)) { + return false; + } + HTTPServerEnableAuthCommand cmd = (HTTPServerEnableAuthCommand) processedCommand.command(); + try { + if (cmd.securityDomain != null) { + ApplicationSecurityDomain secDomain = HTTPServer.getSecurityDomain(cmd.ctx, cmd.securityDomain); + if (secDomain != null + && secDomain.getFactory() == null) { + return false; + } + } + } catch (IOException | OperationFormatException ex) { + return false; + } + return super.isActivated(processedCommand); + } + } + @Option(name = OPT_SECURITY_DOMAIN, required = true, completer = OptionCompleters.SecurityDomainCompleter.class) String securityDomain; - public HTTPServerEnableAuthCommand() { + @Option(name = OPT_MECHANISM, + completer = FactoryMechanismCompleter.class, activator = MechanismActivator.class) + String factoryMechanism; + + @Option(name = OPT_REFERENCED_SECURITY_DOMAIN, completer = ReferencedSecurityDomainCompleter.class, + activator = ReferencedSecurityDomainActivator.class) + String referencedSecurityDomain; + + private final CommandContext ctx; + + public HTTPServerEnableAuthCommand(CommandContext ctx) { super(AuthFactorySpec.HTTP); + this.ctx = ctx; + } + + @Override + protected String getMechanism() { + return factoryMechanism; } @Override protected void secure(CommandContext ctx, AuthSecurityBuilder builder) throws Exception { - if (getEnabledFactory(ctx) == null) { + ApplicationSecurityDomain secDomain = HTTPServer.getSecurityDomain(ctx, securityDomain); + if (secDomain != null) { + if (secDomain.getSecurityDomain() != null) { + if (!secDomain.getSecurityDomain().equals(builder.getReferencedSecurityDomain())) { + // 
re-write the existing security domain + HTTPServer.writeReferencedSecurityDomain(builder, securityDomain, ctx); + } + } + } else { + // add a new security domain resource HTTPServer.enableHTTPAuthentication(builder, securityDomain, ctx); } } + @Override + protected AuthSecurityBuilder buildSecurityRequest(CommandContext context) throws Exception { + // No support for security-domain, fallback on legacy http authentication factory. + if (!HTTPServer.isReferencedSecurityDomainSupported(context)) { + return super.buildSecurityRequest(context); + } + AuthSecurityBuilder builder = null; + if (getMechanism() == null) { + if (referencedSecurityDomain == null) { + referencedSecurityDomain = getOOTBSecurityDomain(context); + } + if (!ElytronUtil.securityDomainExists(context, referencedSecurityDomain)) { + throw new CommandException("Can't enable HTTP Authentication, security domain " + + referencedSecurityDomain + " doesn't exist"); + } + builder = new AuthSecurityBuilder(referencedSecurityDomain); + } else { + if (referencedSecurityDomain != null) { + throw new CommandException("Can't mix mechanism and referenced security domain"); + } + return super.buildSecurityRequest(context); + } + secure(context, builder); + return builder; + } + @Override protected String getEnabledFactory(CommandContext ctx) throws IOException, OperationFormatException { return HTTPServer.getSecurityDomainFactoryName(securityDomain, ctx); @@ -60,6 +215,10 @@ protected String getOOTBFactory(CommandContext ctx) throws Exception { return ElytronUtil.OOTB_APPLICATION_HTTP_FACTORY; } + protected String getOOTBSecurityDomain(CommandContext ctx) throws Exception { + return ElytronUtil.OOTB_APPLICATION_DOMAIN; + } + @Override protected String getSecuredEndpoint(CommandContext ctx) { return "security domain " + securityDomain; 
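Review bot: `buildSecurityRequest` in `HTTPServerEnableAuthCommand` writes the out-of-the-box default back into the `@Option` field (`referencedSecurityDomain = getOOTBSecurityDomain(context);`), so after the first call an explicitly supplied option can no longer be told apart from the default, and the value would persist if the command instance is ever reused (not visible here). A local keeps the parsed option intact: `String domain = referencedSecurityDomain != null ? referencedSecurityDomain : getOOTBSecurityDomain(context);`, then use `domain` for the `securityDomainExists` check, the error message and `new AuthSecurityBuilder(domain)`. Separately, `MechanismActivator.isActivated` calls `super.isActivated(processedCommand)` a second time at the end although the first call has already returned true at that point; `return true;` says the same thing.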
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableHTTPCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableHTTPCommand.java index a21aec6a687..f2e9bab0bf1 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableHTTPCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableHTTPCommand.java @@ -29,7 +29,7 @@ * @author jdenise@redhat.com */ @CommandDefinition(name = "disable-http-auth-management", description = "", activator = SecurityCommandActivator.class) -public class ManagementDisableHTTPCommand extends AbstractDisableAuthenticationCommand { +public class ManagementDisableHTTPCommand extends AbstractMgmtDisableAuthenticationCommand { public ManagementDisableHTTPCommand() { super(AuthFactorySpec.HTTP); diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableSASLCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableSASLCommand.java index 7bca6c6c42d..8ab152d0fe8 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableSASLCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementDisableSASLCommand.java @@ -32,7 +32,7 @@ * @author jdenise@redhat.com */ @CommandDefinition(name = "disable-sasl-management", description = "", activator = SecurityCommandActivator.class) -public class ManagementDisableSASLCommand extends AbstractDisableAuthenticationCommand { +public class ManagementDisableSASLCommand extends AbstractMgmtDisableAuthenticationCommand { @Option(name = OPT_MANAGEMENT_INTERFACE, hasValue = true, completer = OptionCompleters.ManagementInterfaceCompleter.class) 
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableHTTPCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableHTTPCommand.java index 640b2475c6b..016065464e1 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableHTTPCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableHTTPCommand.java @@ -32,7 +32,7 @@ * @author jdenise@redhat.com */ @CommandDefinition(name = "enable-http-auth-management", description = "", activator = SecurityCommandActivator.class) -public class ManagementEnableHTTPCommand extends AbstractEnableAuthenticationCommand { +public class ManagementEnableHTTPCommand extends AbstractMgmtEnableAuthenticationCommand { public ManagementEnableHTTPCommand() { super(AuthFactorySpec.HTTP); diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableSASLCommand.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableSASLCommand.java index b05ccef4d4f..350717ddc05 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableSASLCommand.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/auth/ManagementEnableSASLCommand.java @@ -35,7 +35,7 @@ * @author jdenise@redhat.com */ @CommandDefinition(name = "enable-sasl-management", description = "", activator = SecurityCommandActivator.class) -public class ManagementEnableSASLCommand extends AbstractEnableAuthenticationCommand { +public class ManagementEnableSASLCommand extends AbstractMgmtEnableAuthenticationCommand { @Option(name = OPT_MANAGEMENT_INTERFACE, activator = OptionActivators.DependsOnMechanism.class, completer = OptionCompleters.ManagementInterfaceCompleter.class) 
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ApplicationSecurityDomain.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ApplicationSecurityDomain.java
new file mode 100644
index 00000000000..79680f84549
--- /dev/null
+++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ApplicationSecurityDomain.java
@@ -0,0 +1,54 @@
+/*
+Copyright 2018 Red Hat, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+ */
+package org.jboss.as.cli.impl.aesh.cmd.security.model;
+
+/**
+ *
+ * @author jdenise@redhat.com
+ */
+public class ApplicationSecurityDomain {
+ private final String name;
+ private final String factory;
+ private final String secDomain;
+
+ ApplicationSecurityDomain(String name, String factory, String secDomain) {
+ this.name = name;
+ this.factory = factory;
+ this.secDomain = secDomain;
+ }
+
+ /**
+ * @return the name
+ */
+ public String getName() {
+ return name;
+ }
+
+ /**
+ * @return the factory
+ */
+ public String getFactory() {
+ return factory;
+ }
+
+ /**
+ * @return the secDomain
+ */
+ public String getSecurityDomain() {
+ return secDomain;
+ }
+
+}
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/AuthSecurityBuilder.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/AuthSecurityBuilder.java
index e2894855d6d..cf54aff769c 100644
--- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/AuthSecurityBuilder.java
+++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/AuthSecurityBuilder.java @@ -42,6 +42,7 @@ public class AuthSecurityBuilder { private final AuthFactory ootbFactory; private final List order; private final AuthFactorySpec spec; + private final String securityDomain; public AuthSecurityBuilder(AuthMechanism mechanism, AuthFactorySpec spec) throws CommandException { Objects.requireNonNull(mechanism); @@ -49,6 +50,7 @@ public AuthSecurityBuilder(AuthMechanism mechanism, AuthFactorySpec spec) throws this.mechanism = mechanism; ootbFactory = null; order = null; + securityDomain = null; this.spec = spec; init(); } @@ -58,10 +60,21 @@ public AuthSecurityBuilder(AuthFactory ootbFactory) throws CommandException { mechanism = null; this.ootbFactory = ootbFactory; order = null; + securityDomain = null; spec = ootbFactory.getSpec(); init(); } + public AuthSecurityBuilder(String securityDomain) throws CommandException { + Objects.requireNonNull(securityDomain); + this.securityDomain = securityDomain; + order = null; + mechanism = null; + ootbFactory = null; + spec = null; + init(); + } + public AuthSecurityBuilder(List order) { Objects.requireNonNull(order); this.order = order; @@ -69,6 +82,7 @@ public AuthSecurityBuilder(List order) { this.ootbFactory = null; init(); spec = AuthFactorySpec.SASL; + securityDomain = null; } private void init() { @@ -88,6 +102,10 @@ public AuthFactory getAuthFactory() { return ootbFactory == null ? authFactory : ootbFactory; } + public String getReferencedSecurityDomain() { + return securityDomain; + } + public AuthSecurityBuilder setNewRealmName(String newRealmName) { this.newRealmName = newRealmName; return this; @@ -114,7 +132,7 @@ public boolean isFactoryAlreadySet() { public void buildRequest(CommandContext ctx) throws Exception { // rely on existing resources, no request. - if (ootbFactory != null) { + if (ootbFactory != null || securityDomain != null) { return; } 
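Review bot: The new `AuthSecurityBuilder(String securityDomain)` constructor leaves `spec`, `mechanism` and `ootbFactory` all null before calling `init()`. Every other constructor visible in these hunks assigns a spec (from the argument, from `ootbFactory.getSpec()`, or `AuthFactorySpec.SASL`). `buildRequest` is guarded by the added `securityDomain != null` check, but `getAuthFactory()` now falls through to `authFactory`, and any member outside these hunks that dereferences `spec` would presumably fail for this kind of builder. Record the invariant where the field is declared, e.g. `// non-null only when the builder references an existing elytron security domain; spec, mechanism and ootbFactory are null in that case`, and give the constructor Javadoc saying that such a builder produces no elytron requests of its own.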
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ElytronUtil.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ElytronUtil.java index 77d843deca1..a32d8010166 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ElytronUtil.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/ElytronUtil.java @@ -68,6 +68,7 @@ public abstract class ElytronUtil { public static String OOTB_MANAGEMENT_SASL_FACTORY = "management-sasl-authentication"; public static String OOTB_MANAGEMENT_HTTP_FACTORY = "management-http-authentication"; public static String OOTB_APPLICATION_HTTP_FACTORY = "application-http-authentication"; + public static String OOTB_APPLICATION_DOMAIN = "ApplicationDomain"; public static final String SASL_SERVER_CAPABILITY = "org.wildfly.security.sasl-server-factory"; public static final String HTTP_SERVER_CAPABILITY = "org.wildfly.security.http-server-mechanism-factory"; @@ -423,6 +424,10 @@ public static List getKeyStoreNames(ModelControllerClient client) { return getNames(client, Util.KEY_STORE); } + public static List getSecurityDomainNames(ModelControllerClient client) { + return getNames(client, Util.SECURITY_DOMAIN); + } + public static List getConstantRoleMappers(ModelControllerClient client) { return getNames(client, Util.CONSTANT_ROLE_MAPPER); } 
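Review bot: `OOTB_APPLICATION_DOMAIN` is added as `public static String` without `final`, so any code loaded in the CLI's JVM can reassign the name of the default domain. According to the help text changed in this commit, that domain is what the command associates with the http-server security domain when neither a mechanism nor a referenced domain is given. Declare it as a constant: `public static final String OOTB_APPLICATION_DOMAIN = "ApplicationDomain";`. The three `OOTB_*` context lines above it have the same form and could be tightened in the same pass, as the `*_CAPABILITY` constants just below already are.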
@@ -1038,9 +1043,9 @@ private static boolean isMechanismSupported(String name) { return getMechanismsWithRealm().contains(name) || getMechanismsWithTrustStore().contains(name) || getMechanismsLocalUser().contains(name); } - public static List getMechanisms(CommandContext ctx, AuthFactorySpec spec, String factory) throws OperationFormatException, IOException { + public static List getMechanisms(CommandContext ctx, AuthFactorySpec spec) throws OperationFormatException, IOException { List lst = new ArrayList<>(); - for (String m : getAvailableMechanisms(ctx, spec, factory)) { + for (String m : getAvailableMechanisms(ctx, spec)) { if (isMechanismSupported(m)) { lst.add(m); } @@ -1048,23 +1053,9 @@ public static List getMechanisms(CommandContext ctx, AuthFactorySpec spe return lst; } - public static List getAvailableMechanisms(CommandContext ctx, AuthFactorySpec spec, String factory) throws OperationFormatException, IOException { + public static List getAvailableMechanisms(CommandContext ctx, AuthFactorySpec spec) throws OperationFormatException, IOException { List lst = new ArrayList<>(); - final DefaultOperationRequestBuilder builder = new DefaultOperationRequestBuilder(); - final ModelNode request; - builder.setOperationName(Util.READ_ATTRIBUTE); - builder.addNode(Util.SUBSYSTEM, Util.ELYTRON); - builder.addNode(spec.getResourceType(), factory); - builder.getModelNode().get(Util.NAME).set(spec.getServerType()); - request = builder.buildRequest(); - String mechanismFactory = null; - final ModelNode outcome = ctx.getModelControllerClient().execute(request); - if (Util.isSuccess(outcome)) { - mechanismFactory = outcome.get(Util.RESULT).asString(); - } else { - return Collections.emptyList(); - } - ModelNode resource = getServerFactory(mechanismFactory, spec, ctx); + ModelNode resource = getServerFactory(spec.getServerValue(), spec, ctx); if (resource == null) { return null; } 
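Review bot: `getAvailableMechanisms` still ends this hunk with `if (resource == null) { return null; }`, while `getMechanisms` above iterates its result in a for-each with no null check, so a missing server factory surfaces as a NullPointerException rather than an empty completion list. The removed code answered a failed read with `Collections.emptyList()`; returning the same here, `return Collections.emptyList();`, keeps one contract for both failure paths. The body of `getAvailableMechanisms` continues outside the hunk, so the remaining return paths should be checked as well. The list is now resolved from `spec.getServerValue()` instead of the factory the command targets, which deserves a Javadoc sentence because completion presumably no longer reflects a customised factory.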
diff --git a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/HTTPServer.java b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/HTTPServer.java index 69a4abe4c21..aeec3b17ecc 100644 --- a/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/HTTPServer.java +++ b/cli/src/main/java/org/jboss/as/cli/impl/aesh/cmd/security/model/HTTPServer.java 
@@ -138,12 +138,71 @@ public static boolean isUnderowSupported(CommandContext commandContext) throws I return Util.isSuccess(response); } + public static boolean isReferencedSecurityDomainSupported(CommandContext commandContext) throws IOException, OperationFormatException { + final DefaultOperationRequestBuilder builder = new DefaultOperationRequestBuilder(); + builder.setOperationName(Util.READ_RESOURCE_DESCRIPTION); + builder.addNode(Util.SUBSYSTEM, Util.UNDERTOW); + builder.addNode(Util.APPLICATION_SECURITY_DOMAIN, "?"); + ModelNode response = commandContext.getModelControllerClient().execute(builder.buildRequest()); + if (Util.isSuccess(response)) { + if (response.get(Util.RESULT).hasDefined(Util.ATTRIBUTES)) { + return response.get(Util.RESULT).get(Util.ATTRIBUTES).hasDefined(Util.SECURITY_DOMAIN); + } + } + return false; + } + + public static ApplicationSecurityDomain getSecurityDomain(CommandContext ctx, String name) throws OperationFormatException, IOException { + DefaultOperationRequestBuilder builder = new DefaultOperationRequestBuilder(); + builder.setOperationName(Util.READ_RESOURCE); + builder.addNode(Util.SUBSYSTEM, Util.UNDERTOW); + builder.addNode(Util.APPLICATION_SECURITY_DOMAIN, name); + ModelNode mn = ctx.getModelControllerClient().execute(builder.buildRequest()); + ApplicationSecurityDomain dom = null; + if (Util.isSuccess(mn)) { + ModelNode result = mn.get(Util.RESULT); + String factory = null; + String secDomain = null; + if (result.hasDefined(Util.HTTP_AUTHENTICATION_FACTORY)) { + factory = result.get(Util.HTTP_AUTHENTICATION_FACTORY).asString(); + } + if (result.hasDefined(Util.SECURITY_DOMAIN)) { + secDomain = result.get(Util.SECURITY_DOMAIN).asString(); + } + dom = new ApplicationSecurityDomain(name, factory, secDomain); + } + return dom; + } + + public static void writeReferencedSecurityDomain(AuthSecurityBuilder authBuilder, + String securityDomain, CommandContext ctx) throws OperationFormatException { + final 
DefaultOperationRequestBuilder builder = new DefaultOperationRequestBuilder(); + builder.setOperationName(Util.WRITE_ATTRIBUTE); + builder.addNode(Util.SUBSYSTEM, Util.UNDERTOW); + builder.addNode(Util.APPLICATION_SECURITY_DOMAIN, securityDomain); + builder.addProperty(Util.NAME, Util.SECURITY_DOMAIN); + builder.addProperty(Util.VALUE, authBuilder.getReferencedSecurityDomain()); + authBuilder.getSteps().add(builder.buildRequest()); + } + + public static boolean hasAuthFactory(CommandContext ctx, String securityDomain) throws OperationFormatException, IOException { + ApplicationSecurityDomain dom = getSecurityDomain(ctx, securityDomain); + if (dom != null) { + return dom.getFactory() != null; + } + return false; + } + public static void enableHTTPAuthentication(AuthSecurityBuilder builder, String securityDomain, CommandContext ctx) throws Exception { final DefaultOperationRequestBuilder reqBuilder = new DefaultOperationRequestBuilder(); reqBuilder.setOperationName(Util.ADD); reqBuilder.addNode(Util.SUBSYSTEM, Util.UNDERTOW); reqBuilder.addNode(Util.APPLICATION_SECURITY_DOMAIN, securityDomain); - reqBuilder.addProperty(Util.HTTP_AUTHENTICATION_FACTORY, builder.getAuthFactory().getName()); + if (builder.getReferencedSecurityDomain() == null) { + reqBuilder.addProperty(Util.HTTP_AUTHENTICATION_FACTORY, builder.getAuthFactory().getName()); + } else { + reqBuilder.addProperty(Util.SECURITY_DOMAIN, builder.getReferencedSecurityDomain()); + } builder.getSteps().add(reqBuilder.buildRequest()); } 
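Review bot: `getSecurityDomain` returns null for every unsuccessful `read-resource` outcome, so callers cannot tell an absent `application-security-domain` from a read that was rejected or failed for another reason. This affects `hasAuthFactory` here and `getSecurityDomainFactoryName` / `getReferencedSecurityDomainName` in the next hunk. In a command that rewrites authentication settings, answering "no factory" in those cases may lead the caller to assemble the wrong composite. Consider returning null only when the resource is missing and throwing otherwise, and at minimum state the contract in Javadoc: `@return the domain, or null if the read-resource operation did not succeed`. `writeReferencedSecurityDomain` also sets `security-domain` without touching `http-authentication-factory`; if the undertow model treats the two attributes as alternatives, the precondition that no factory is defined belongs in a comment on that method.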
@@ -156,21 +215,18 @@ public static ModelNode disableHTTPAuthentication(String securityDomain, Command } public static String getSecurityDomainFactoryName(String securityDomain, CommandContext ctx) throws IOException, OperationFormatException { - final DefaultOperationRequestBuilder builder = new DefaultOperationRequestBuilder(); - final ModelNode request; - builder.setOperationName(Util.READ_ATTRIBUTE); - builder.addNode(Util.SUBSYSTEM, Util.UNDERTOW); - builder.addNode(Util.APPLICATION_SECURITY_DOMAIN, securityDomain); - builder.addProperty(Util.NAME, Util.HTTP_AUTHENTICATION_FACTORY); - request = builder.buildRequest(); - - final ModelNode outcome = ctx.getModelControllerClient().execute(request); - if (isSuccess(outcome)) { - if (outcome.hasDefined(Util.RESULT)) { - return outcome.get(Util.RESULT).asString(); - } + ApplicationSecurityDomain dom = getSecurityDomain(ctx, securityDomain); + if (dom != null) { + return dom.getFactory(); } + return null; + } + public static String getReferencedSecurityDomainName(String securityDomain, CommandContext ctx) throws IOException, OperationFormatException { + ApplicationSecurityDomain dom = getSecurityDomain(ctx, securityDomain); + if (dom != null) { + return dom.getSecurityDomain(); + } return null; } diff --git a/cli/src/main/resources/org/jboss/as/cli/impl/aesh/cmd/security/auth/command_resources.properties b/cli/src/main/resources/org/jboss/as/cli/impl/aesh/cmd/security/auth/command_resources.properties index cc1ec59454e..079ee02fd0f 100644 --- a/cli/src/main/resources/org/jboss/as/cli/impl/aesh/cmd/security/auth/command_resources.properties +++ b/cli/src/main/resources/org/jboss/as/cli/impl/aesh/cmd/security/auth/command_resources.properties 
@@ -12,23 +12,23 @@ # See the License for the specific language governing permissions and # limitations under the License. -security.abstract-auth-disable.option.mechanism.description=\ +security.abstract-management-auth-disable.option.mechanism.description=\ The authentication mechanism to disable. The option completer exposes all enabled mechanisms. -security.abstract-auth-disable.option.mechanism.value=mechanism name +security.abstract-management-auth-disable.option.mechanism.value=mechanism name -security.abstract-auth-disable.option.no-reload.description=\ -Optional, by default the server is reloaded once the configuration changes have been applied. \ -In order to not reload the server, use this option.\n\ -NB: reload is done in start-mode=. - -security.abstract-auth-enable.option.mechanism.description=\ +security.abstract-management-auth-enable.option.mechanism.description=\ The authentication mechanism to enable. The option completer exposes all supported \ mechanisms that the CLI support.\n\ NB: If the mechanism you want to configure is not present in the list, then \ you must use elytron subsystem management operations to configure it. -security.abstract-auth-enable.option.mechanism.value=mechanism name +security.abstract-management-auth-enable.option.mechanism.value=mechanism name + +security.abstract-auth-disable.option.no-reload.description=\ +Optional, by default the server is reloaded once the configuration changes have been applied. \ +In order to not reload the server, use this option.\n\ +NB: reload is done in start-mode=. security.abstract-auth-enable.option.file-system-realm-name.description=\ The elytron file-system-realm name. 
@@ -132,8 +132,9 @@ In order to not reload the server, use this option.\n\ NB: reload is done in start-mode=. security.disable-http-auth-http-server.description=\ -This command removes the security domain or a mechanism from the active HTTP factory. \ -Without a mechanism, the security domain is removed.\n\ +Without any mechanism specified, this command removes the http-server security domain. \ +If a mechanism is specified, the mechanism is removed from the http authentication factory \ +that this security domain references.\n\ NB: Elytron existing resources are not removed from management model.\n\ TIPS: Use 'echo-dmr security disable-http-auth-http-server ' in order to \ visualize the composite request that would be sent to disable authentication. 
@@ -144,17 +145,42 @@ Required, the undertow security domain name. security.disable-http-auth-http-server.option.security-domain.value=name security.enable-http-auth-http-server.description=\ -Associate an elytron HTTP Authentication factory to the security domain. \ +Associate an elytron security domain or HTTP Authentication factory to the http-server security domain. \ +If no elytron referenced security domain is provided nor mechanism, then the elytron Out of The Box Application \ +security domain is associated to the http-server security domain.\n\ +NB: If the server the CLI is connected to doesn't support "elytron referenced security \ +domain from http-server security domain", the elytron Out of The Box Application \ +HTTP Authentication factory is associated to the http-server security domain when no mechanism is provided.\n\ In case a factory already exists for the passed security domain, the factory \ -is extended (or updated) with the selected mechanism. If no mechanism is provided, \ -the elytron Out of The Box Application HTTP Authentication factory is associated to \ -the security domain.\n\ +is extended (or updated) with the selected mechanism. NB: This command creates all the non existing resources required to configure \ authentication. This command can be called multiple times to configure the \ referenced HTTP Authentication factory.\n\ TIPS: Use 'echo-dmr security enable-http-auth-http-server ' in order to \ visualize the composite request that would be sent to enable authentication. +security.disable-http-auth-http-server.option.mechanism.description=\ +The authentication mechanism to disable. The option completer exposes all enabled mechanisms.\n\ +NB: Only applies to security-domain that references an HTTP Authentication factory. + +security.disable-http-auth-http-server.option.mechanism.value=mechanism name + +security.enable-http-auth-http-server.option.mechanism.description=\ +The authentication mechanism to enable. 
The option completer exposes all supported \ + mechanisms that the CLI support.\n\ +NB: If the mechanism you want to configure is not present in the list, then \ +you must use elytron subsystem management operations to configure it.\n\ +NB: This option can't be used when referencing an elytron security domain. + +security.enable-http-auth-http-server.option.mechanism.value=mechanism name + +security.enable-http-auth-http-server.option.referenced-security-domain.description=\ +An existing elytron security domain name. This option is only available if the server \ +the CLI is connected to support "elytron referenced security domain from http-server \ +security domain". + +security.enable-http-auth-http-server.option.referenced-security-domain.value=name + security.enable-http-auth-http-server.option.security-domain.description=\ Required, the undertow security domain name. diff --git a/core-galleon-pack/src/main/resources/feature_groups/elytron-app.xml b/core-galleon-pack/src/main/resources/feature_groups/elytron-app.xml index d5a4bc22ac0..c2330cfb75f 100644 --- a/core-galleon-pack/src/main/resources/feature_groups/elytron-app.xml +++ b/core-galleon-pack/src/main/resources/feature_groups/elytron-app.xml @@ -19,10 +19,4 @@ - - - - - - diff --git a/elytron/src/main/resources/subsystem-templates/elytron.xml b/elytron/src/main/resources/subsystem-templates/elytron.xml index 8ba337dac50..4307cce557d 100644 --- a/elytron/src/main/resources/subsystem-templates/elytron.xml +++ b/elytron/src/main/resources/subsystem-templates/elytron.xml @@ -108,16 +108,6 @@ - - - - - - - - - - @@ -208,14 +198,6 @@ - - - - - - - - diff --git a/testsuite/manualmode/src/test/java/org/jboss/as/test/manualmode/auditlog/AuditLogBootingSyslogTest.java b/testsuite/manualmode/src/test/java/org/jboss/as/test/manualmode/auditlog/AuditLogBootingSyslogTest.java index 47dc7658b86..38b22cc17f9 100644 
--- a/testsuite/manualmode/src/test/java/org/jboss/as/test/manualmode/auditlog/AuditLogBootingSyslogTest.java +++ b/testsuite/manualmode/src/test/java/org/jboss/as/test/manualmode/auditlog/AuditLogBootingSyslogTest.java @@ -132,7 +132,7 @@ public void testSyslog() throws Exception { final BlockingQueue queue = BlockedSyslogServerEventHandler.getQueue(); queue.clear(); container.start(); - waitForExpectedQueueSize(18, queue); + waitForExpectedQueueSize(17, queue); queue.clear(); makeOneLog(); waitForExpectedQueueSize(1, queue);