David Lloyd created ELY-623:
-------------------------------
Summary: Checking for anonymous principal by name is insufficient
Key: ELY-623
URL: https://issues.jboss.org/browse/ELY-623
Project: WildFly Elytron
Issue Type: Bug
Reporter: David Lloyd
In {{src/main/java/org/wildfly/security/auth/server/SecurityIdentity.java}}:
{noformat}
+ if (AnonymousPrincipal.getInstance().getName().equals(name)) {
+ if (! context.authorizeAnonymous(false)) {
+ throw log.runAsAuthorizationFailed(getPrincipal(), new
AnonymousPrincipal(), null);
+ }
+ } else {
+ if (! (context.importIdentity(this) && context.authorize(name,
authorize))) {
+ throw log.runAsAuthorizationFailed(getPrincipal(), new
NamePrincipal(name), null);
+ }
}
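Review bot: the first branch decides "anonymous" purely by comparing the `name` string with `AnonymousPrincipal.getInstance().getName()`, so any caller passing a name equal to that string is routed to `context.authorizeAnonymous(false)` and can never reach the `context.importIdentity(this) && context.authorize(name, authorize)` branch; a real account that happens to carry that name would be authorized (or rejected) as the anonymous identity rather than as itself. The anonymous case is better identified by the principal's type (an `instanceof AnonymousPrincipal` test on a `Principal` argument) than by its name, so the caller should be able to pass a `Principal` and the name-based comparison should go.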
{noformat}
Only a type check is sufficient to determine if a principal is anonymous. In this fix,
the string name "anonymous" takes on a special meaning for the first time, which
should not be the case.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
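Added illustration of the distinction the report draws, written for this note and not taken from the issue or from the Elytron code base; the two principal classes are minimal stand-ins assumed for the demo, not the real `org.wildfly.security.auth.principal` types.

```java
import java.security.Principal;

public class AnonymousCheckDemo {
    // Stand-in (assumed) for AnonymousPrincipal: a singleton whose name is "anonymous".
    static final class AnonymousPrincipal implements Principal {
        static final AnonymousPrincipal INSTANCE = new AnonymousPrincipal();
        private AnonymousPrincipal() {}
        public String getName() { return "anonymous"; }
    }

    // Stand-in (assumed) for NamePrincipal: an ordinary named identity,
    // whose name is free text and may itself be "anonymous".
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Name-based check, the shape used in the quoted patch: any identity
    // whose name string equals the anonymous principal's name is treated
    // as anonymous, so a real user called "anonymous" is misclassified.
    static boolean isAnonymousByName(String name) {
        return AnonymousPrincipal.INSTANCE.getName().equals(name);
    }

    // Type-based check, the fix the report asks for: only the
    // AnonymousPrincipal type is anonymous, whatever the name string says.
    static boolean isAnonymousByType(Principal principal) {
        return principal instanceof AnonymousPrincipal;
    }

    public static void main(String[] args) {
        // Constructed sample identities: the real anonymous one, a named
        // user who chose the name "anonymous", and an unrelated user.
        Principal[] principals = {
            AnonymousPrincipal.INSTANCE,
            new NamePrincipal("anonymous"),
            new NamePrincipal("alice"),
        };
        for (Principal p : principals) {
            String label = p.getClass().getSimpleName() + "(" + p.getName() + ")";
            System.out.printf("%-32s byName=%-5b byType=%b%n",
                    label, isAnonymousByName(p.getName()), isAnonymousByType(p));
        }
    }
}
```

The second row is the case the report describes: the name check returns true for `NamePrincipal("anonymous")` while the type check correctly returns false.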