Darran Lofthouse reassigned ELY-623:
------------------------------------
Assignee: Darran Lofthouse
Checking for anonymous principal by name is insufficient
--------------------------------------------------------
Key: ELY-623
URL: https://issues.jboss.org/browse/ELY-623
Project: WildFly Elytron
Issue Type: Bug
Reporter: David Lloyd
Assignee: Darran Lofthouse
In {{src/main/java/org/wildfly/security/auth/server/SecurityIdentity.java}}:
{noformat}
+ if (AnonymousPrincipal.getInstance().getName().equals(name)) {
+ if (! context.authorizeAnonymous(false)) {
+ throw log.runAsAuthorizationFailed(getPrincipal(), new
AnonymousPrincipal(), null);
+ }
+ } else {
+ if (! (context.importIdentity(this) && context.authorize(name,
authorize))) {
+ throw log.runAsAuthorizationFailed(getPrincipal(), new
NamePrincipal(name), null);
+ }
}
{noformat}
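Review bot: The condition on the first `+` line, `AnonymousPrincipal.getInstance().getName().equals(name)`, decides anonymity from a string, so a `NamePrincipal` whose name happens to be "anonymous" is routed through `context.authorizeAnonymous(false)` instead of the `importIdentity`/`authorize` path on the `else` branch; anonymity should be decided by the principal's type (`instanceof AnonymousPrincipal`), which means this method needs the `Principal` itself rather than only its `String` name, or a separate overload for the anonymous case. Two smaller points on the same hunk: the failure path constructs `new AnonymousPrincipal()` while the check uses `AnonymousPrincipal.getInstance()`, so the singleton should be used in both places; and the quoted fragment omits the enclosing method signature, which reviewers need in order to see what type `name` and `authorize` actually are.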
Only a type check is sufficient to determine if a principal is anonymous. In this fix,
the string name "anonymous" takes on a special meaning for the first time, which
should not be the case.
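To make the report's point concrete, here is an added illustration of the two checks side by side. It is not WildFly Elytron's code: the `AnonymousPrincipal` and `NamePrincipal` classes below are minimal stand-ins written for this example and only borrow the names used in the issue; `isAnonymousByName` and `isAnonymousByType` are hypothetical helpers.

```java
import java.security.Principal;

// Added illustration (not Elytron's code): minimal stand-ins for the two
// principal types named in ELY-623. Class names mirror the issue; the bodies
// are assumptions made for this example.
final class AnonymousPrincipal implements Principal {
    private static final AnonymousPrincipal INSTANCE = new AnonymousPrincipal();

    private AnonymousPrincipal() {}

    static AnonymousPrincipal getInstance() { return INSTANCE; }

    @Override
    public String getName() { return "anonymous"; }
}

final class NamePrincipal implements Principal {
    private final String name;

    NamePrincipal(String name) { this.name = name; }

    @Override
    public String getName() { return name; }
}

public class AnonymousCheck {
    // The check the issue objects to: anonymity is inferred from the string
    // alone, so the literal "anonymous" acquires a special meaning.
    static boolean isAnonymousByName(String name) {
        return AnonymousPrincipal.getInstance().getName().equals(name);
    }

    // The check the issue asks for: anonymity is a property of the
    // principal's type, independent of whatever name it reports.
    static boolean isAnonymousByType(Principal p) {
        return p instanceof AnonymousPrincipal;
    }

    public static void main(String[] args) {
        Principal real = AnonymousPrincipal.getInstance();
        // A named (non-anonymous) user whose account is simply called "anonymous".
        Principal lookalike = new NamePrincipal("anonymous");

        System.out.println("by name: real=" + isAnonymousByName(real.getName())
                + " lookalike=" + isAnonymousByName(lookalike.getName()));
        System.out.println("by type: real=" + isAnonymousByType(real)
                + " lookalike=" + isAnonymousByType(lookalike));
    }
}
```

Run as written, the name-based check classifies both principals as anonymous, while the type-based check classifies only the real `AnonymousPrincipal` as anonymous. That difference is exactly what the run-as authorization in the quoted hunk depends on, since the two branches go through different authorization paths.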