RBAC, There are missing access-constraint for attributes which referencing elytron capabilities. ------------------------------------------------------------------------------------------------ Key: WFLY-8749 URL: https://issues.jboss.org/browse/WFLY-8749 Project: WildFly Issue Type: Bug Components: Security Reporter: Hynek Švábek Priority: Blocker This is potentially security vulnerability therefore it is BLOCKER. According to RFE EAP7-548 there must be set access-constraint where are referenced elytron capabilities. I found 6 places where is access-constraint missing. {code} /subsystem=undertow:read-resource-description(recursive=true) {code} There is *http-invoker*, attr *http-authentication-factory* with *org.wildfly.security.http-authentication-factory* capability. {code} /subsystem=datasources:read-resource-description(recursive=true) {code} There is *xa-data-source*, attr *recovery-authentication-context* with *org.wildfly.security.authentication-context* capability. {code} /subsystem=ejb3:read-resource-description(recursive=true) {code} There is *identity*, attr *outflow-security-domains* with *org.wildfly.security.security-domain* capability. {code} /core-service=management/management-interface=http-interface:read-resource-description(recursive=true) {code} There is *sasl-authentication-factory* with *org.wildfly.security.sasl-authentication-factory* capability. {code} /deployment=test:read-resource-description(recursive=true) {code} There is *xa-data-source*, attr *recovery-authentication-context* with *org.wildfly.security.authentication-context* capability and *there is same problem in subdeployment resource too*.