Darran Lofthouse resolved WFLY-5740.
------------------------------------
Assignee: Darran Lofthouse (was: Pedro Igor)
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is
deprecated.
ContextPolicy checks purely based on names, ignores Principal types
-------------------------------------------------------------------
Key: WFLY-5740
URL: https://issues.jboss.org/browse/WFLY-5740
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.0.0.CR4
Reporter: Arjan t
Assignee: Darran Lofthouse
Priority: Major
In {{org.jboss.security.jacc.ContextPolicy}} the {{implies}} method only looks at the
names of each {{Principal}} from the passed-in {{ProtectionDomain}}, without checking if
they're actually a role.
The collection of these names is then used to check against role based permissions.
If a user now has a name "expert" and there's also a role called
"expert", access will be granted purely based on the user (caller) name. This is
of course not correct.
See the following code:
{code:java}
// Check principal to role permissions
Principal[] principals = domain.getPrincipals();
int length = principals != null ? principals.length : 0;
ArrayList<String> principalNames = new ArrayList<String>();
for (int n = 0; n < length; n++) {
    Principal p = principals[n];
    if (p instanceof Group) {
        Group g = (Group) p;
        Enumeration<? extends Principal> iter = g.members();
        while (iter.hasMoreElements()) {
            p = iter.nextElement();
            // *** ONLY NAME IS USED. TYPE IS IGNORED
            String name = p.getName();
            principalNames.add(name);
        }
    } else {
        String name = p.getName();
        // *** ONLY NAME IS USED. TYPE IS IGNORED
        principalNames.add(name);
    }
}
principalNames.add(ANY_AUTHENTICATED_USER_ROLE);
for (int n = 0; implied == false && n < principalNames.size(); n++) {
    String name = principalNames.get(n);
    // *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
    Permissions perms = rolePermissions.get(name);
    if (perms == null)
        continue;
    implied = perms.implies(permission);
}
{code}
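The following is an added, self-contained example (not PicketBox or WildFly code) that reproduces the mismatch described above and shows the type-aware alternative. {{UserPrincipal}}, {{RolePrincipal}} and {{UrlPermission}} are constructed stand-ins for the caller principal, a role principal and a JACC permission; the role table and the caller named "expert" are constructed test data.

```java
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Constructed stand-in for the caller's identity principal (hypothetical class).
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// Constructed stand-in for a principal type that marks an entry as a role.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// Minimal permission so the example does not depend on javax.security.jacc.
final class UrlPermission extends Permission {
    UrlPermission(String url) { super(url); }
    @Override public boolean implies(Permission p) {
        return p instanceof UrlPermission && getName().equals(p.getName());
    }
    @Override public boolean equals(Object o) {
        return o instanceof UrlPermission && getName().equals(((UrlPermission) o).getName());
    }
    @Override public int hashCode() { return Objects.hash(getName()); }
    @Override public String getActions() { return ""; }
}

public class RoleCheckDemo {
    // Constructed role table: role name -> permissions granted to that role.
    static final Map<String, Permissions> ROLE_PERMISSIONS = new HashMap<>();
    static {
        Permissions expert = new Permissions();
        expert.add(new UrlPermission("/admin/*"));
        ROLE_PERMISSIONS.put("expert", expert);
    }

    // Name-only check, mirroring the behaviour reported in the issue:
    // every principal's name is looked up as if it were a role name.
    static boolean impliesByName(Principal[] principals, Permission permission) {
        List<String> names = new ArrayList<>();
        for (Principal p : principals) {
            names.add(p.getName());
        }
        return impliesAny(names, permission);
    }

    // Type-aware check: only principals that are actually roles contribute names.
    static boolean impliesByRoleType(Principal[] principals, Permission permission) {
        List<String> names = new ArrayList<>();
        for (Principal p : principals) {
            if (p instanceof RolePrincipal) {
                names.add(p.getName());
            }
        }
        return impliesAny(names, permission);
    }

    private static boolean impliesAny(List<String> roleNames, Permission permission) {
        for (String role : roleNames) {
            Permissions perms = ROLE_PERMISSIONS.get(role);
            if (perms != null && perms.implies(permission)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Caller whose user name happens to equal a role name, but who only holds the "user" role.
        Principal[] caller = { new UserPrincipal("expert"), new RolePrincipal("user") };
        Permission adminPage = new UrlPermission("/admin/*");
        System.out.println("name-only check grants:  " + impliesByName(caller, adminPage));
        System.out.println("type-aware check grants: " + impliesByRoleType(caller, adminPage));
    }
}
```

With this input the name-only check grants the permission, because the caller's user name "expert" collides with the role table key, while the type-aware check denies it, because the caller's only {{RolePrincipal}} is "user". The fix is not in the lookup loop but in what feeds it: the policy has to know which principals represent roles before their names are treated as role names.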