[ https://issues.jboss.org/browse/SECURITY-680?page=com.atlassian.jira.plug... ]
Stefan Guilhen commented on SECURITY-680:
-----------------------------------------
Hi Tom, I'll take a look into it today.
AbstractServerLoginModule.commit() always adds the identity Principal
to the CallerPrincipal group
--------------------------------------------------------------------------------------------------
Key: SECURITY-680
URL: https://issues.jboss.org/browse/SECURITY-680
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: JBossSX
Affects Versions: PicketBox_v4_0_9.Final
Environment: JBoss EAP 6.0
Reporter: Tom Fonteyne
Assignee: Stefan Guilhen
Since EAP6, AbstractServerLoginModule.commit() contains the following piece of code just
before getRoleSets() is called:
    // add the CallerPrincipal group
    Group callerGroup = getCallerPrincipalGroup(principals);
    if (callerGroup == null)
    {
       callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
       callerGroup.addMember(identity);
       principals.add(callerGroup);
    }
Since getRoleSets() should also return the CallerPrincipal group (as specified in the
documentation), the identity is often added to the CallerPrincipal.
As a result, the Principal used when authenticating is sometimes not the desired
CallerPrincipal element but the identity (which one is determined by the backing HashMap
of SimpleGroup). This can lead to security problems.
From the Javadoc of getRoleSets():
"A second common group is "CallerPrincipal" that provides the application
identity of the user rather than the security domain identity."
JBoss EAP 6 however creates this CallerPrincipal group itself with the identity
SimplePrincipal as its sole member. This group is then merged with the CallerPrincipal
group returned by getRoleSets(), causing the two members.
One solution could be to move the above piece of code to the end of the commit() method.
This way, if getRoleSets() returns the CallerPrincipal group, this will remain unmodified,
and if it does not then a new CallerPrincipal group will be created.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira
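The following stand-alone program is an added illustration of the ordering problem the report describes; it is not code from the issue, from PicketBox, or from the reporter. It uses the real PicketBox classes SimpleGroup, SimplePrincipal and SecurityConstants.CALLER_PRINCIPAL_GROUP (the ones the quoted commit() fragment refers to), but it does not call AbstractServerLoginModule: the two commit-like methods below are a hypothetical, trimmed re-statement of the merge step commit() performs ("copy each returned group's members into the Subject group of the same name, creating it if absent"), written so that the reported ordering and the proposed ordering can be run side by side. The identity strings "CN=tom,OU=users,O=example" and "tom" are constructed sample values. Because java.security.acl.Group was removed in JDK 14, this needs a JDK 8 to 13 and the PicketBox jar on the classpath.

```java
import java.security.Principal;
import java.security.acl.Group;   // removed in JDK 14; build with JDK 8..13
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import org.jboss.security.SecurityConstants;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

/**
 * Added demo for SECURITY-680. The commit-like methods are a hypothetical
 * re-statement of the merge logic described in the report, not the real
 * AbstractServerLoginModule.commit().
 */
public class CallerPrincipalOrderingDemo {

    /** What a login module's getRoleSets() is documented to return: a "Roles"
     *  group plus a "CallerPrincipal" group carrying the application identity. */
    static Group[] roleSetsFromLoginModule(String appIdentity) {
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("user"));
        Group caller = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
        caller.addMember(new SimplePrincipal(appIdentity));
        return new Group[] { roles, caller };
    }

    /** Locate the group named CallerPrincipal among the Subject's principals. */
    static Group findCallerPrincipalGroup(Set<Principal> principals) {
        for (Principal p : principals) {
            if (p instanceof Group && SecurityConstants.CALLER_PRINCIPAL_GROUP.equals(p.getName())) {
                return (Group) p;
            }
        }
        return null;
    }

    /** Merge step: members of each returned group are copied into the Subject's
     *  group of the same name; the group is created when it does not exist yet. */
    static void mergeRoleSets(Set<Principal> principals, Group[] roleSets) {
        for (Group group : roleSets) {
            Group target = null;
            for (Principal p : principals) {
                if (p instanceof Group && p.getName().equals(group.getName())) {
                    target = (Group) p;
                    break;
                }
            }
            if (target == null) {
                target = new SimpleGroup(group.getName());
                principals.add(target);
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                target.addMember(members.nextElement());
            }
        }
    }

    /** The quoted fragment from the report: create CallerPrincipal with the
     *  security-domain identity, but only if no such group exists yet. */
    static void addCallerPrincipalGroupIfAbsent(Set<Principal> principals, Principal identity) {
        if (findCallerPrincipalGroup(principals) == null) {
            Group callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
            callerGroup.addMember(identity);
            principals.add(callerGroup);
        }
    }

    /** Ordering reported for EAP 6: the group is created BEFORE role sets are merged,
     *  so the group returned by getRoleSets() is merged into it -> two members. */
    static Set<Principal> commitAsReported(Principal identity, Group[] roleSets) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(identity);
        addCallerPrincipalGroupIfAbsent(principals, identity);
        mergeRoleSets(principals, roleSets);
        return principals;
    }

    /** Ordering proposed in the report: merge first, create only if still absent. */
    static Set<Principal> commitAsProposed(Principal identity, Group[] roleSets) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(identity);
        mergeRoleSets(principals, roleSets);
        addCallerPrincipalGroupIfAbsent(principals, identity);
        return principals;
    }

    static int memberCount(Group g) {
        int n = 0;
        for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements(); e.nextElement()) n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample values: a DN-style security-domain identity and a short application identity.
        Principal identity = new SimplePrincipal("CN=tom,OU=users,O=example");
        Group[] roleSets = roleSetsFromLoginModule("tom");

        Group reported = findCallerPrincipalGroup(commitAsReported(identity, roleSets));
        Group proposed = findCallerPrincipalGroup(commitAsProposed(identity, roleSets));

        // Reported ordering yields 2 members; which one members() hands out first is
        // whatever the HashMap backing SimpleGroup iterates first, i.e. not chosen by the module.
        System.out.println("reported ordering: " + memberCount(reported) + " member(s), first = "
                + reported.members().nextElement().getName());
        // Proposed ordering yields exactly 1 member: the application identity from getRoleSets().
        System.out.println("proposed ordering: " + memberCount(proposed) + " member(s), first = "
                + proposed.members().nextElement().getName());
    }
}
```

Run it a few times, or with a different identity string, and the "first =" value for the reported ordering can flip between the DN and "tom", which is exactly the non-determinism the report attributes to the SimpleGroup backing HashMap; the proposed ordering always reports one member. Any consumer that resolves the caller principal by taking the first member of the CallerPrincipal group is therefore exposed to the choice of hash bucket rather than to the login module's intent.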