7:44 a.m.
Radoslav Husar created AS7-4310:
-----------------------------------
Summary: Re-review: EJB client should not have silet auth enabled by default
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: Darran Lofthouse
Fix For: 7.1.2.Final
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:23 a.m.
[
https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4310:
---------------------------------------
AS7-4487 is enhancing the server side configuration of the local mechanism.
The main issue of the local mechanism has been that any authentication attempt making use
of it would not have added the roles the user was expecting. We are now changing this so
that when the local mechanism is used any username can be specified by the client and the
roles will be automatically loaded for that user so even though there will still not be a
username password check the authorization check will still be in the context of the user
selected.
Server side local authentication can now simply be disabled by removing the <local
/> element from the realm.
Re-review: EJB client should not have silet auth enabled by default
-------------------------------------------------------------------
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: Darran Lofthouse
Fix For: 7.1.2.Final-redhat1
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:42 a.m.
[
https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.s...
]
jaikiran pai reassigned AS7-4310:
---------------------------------
Assignee: jaikiran pai (was: Darran Lofthouse)
Re-review: EJB client should not have silet auth enabled by default
-------------------------------------------------------------------
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: jaikiran pai
Fix For: 7.1.2.Final-redhat1
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:44 a.m.
[
https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-4310:
-----------------------------------
Assigning this to myself, since with the changes that went into
https://github.com/jbossas/jboss-as/pull/2044, this now becomes more of a EJB client
implementation changes task. Darran has mailed me the details on what was
changed/implemented in that pull request. I'll review the changes and do the necessary
EJB client updates.
Re-review: EJB client should not have silet auth enabled by default
-------------------------------------------------------------------
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: jaikiran pai
Fix For: 7.1.2.Final-redhat1
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:34 a.m.
[
https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-4310:
-----------------------------------
A pull request for this change in EJBCLIENT project has been sent as part of EJBCLIENT-36
JIRA. Once that's merged and released, I'll work with Pete/Sande to get the
quickstart example updated.
Re-review: EJB client should not have silet auth enabled by default
-------------------------------------------------------------------
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: jaikiran pai
Fix For: 7.1.2.Final-redhat1
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:32 a.m.
[
https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-4310:
---------------------------------------
Jaikiran - do we still have anything to talk about for this one? Feel free to ping if we
do.
Re-review: EJB client should not have silet auth enabled by default
-------------------------------------------------------------------
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: jaikiran pai
Fix For: 7.1.2.Final (EAP)
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:55 p.m.
[
https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-4310:
-----------------------------------
EJB client 1.0.9 version contains a fix where if the user configuration passes a username
or a callbackhandler class, then the jboss.sasl.local-user.quiet-auth SASL_PROPERTY will
_not_ be added by the EJB client library. However, if the username or callbackhandler
class aren't explicitly specified and if the user doesn't specify a value for
jboss.sasl.local-user.quiet-auth property, then EJB client library *implicitly adds* the
jboss.sasl.local-user.quiet-auth to connection creation options to allow the JBoss Local
Auth mechanism to silently use the default-user configured on the server side.
Re-review: EJB client should not have silet auth enabled by default
-------------------------------------------------------------------
Key: AS7-4310
URL: https://issues.jboss.org/browse/AS7-4310
Project: Application Server 7
Issue Type: Bug
Components: EJB, Security
Affects Versions: 7.1.1.Final
Reporter: Radoslav Husar
Assignee: jaikiran pai
Fix For: 7.1.2.Final (EAP)
EJB client running on local node can bypass auth by using silet auth. This behaviour
should be reviewed whether to be disabled by default.
See comments
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&pa...
https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&pa...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4571
days inactive
4608
days old
6 comments
3 participants
participants (3)
-
Darran Lofthouse (JIRA) -
jaikiran pai (JIRA)
-
Radoslav Husar (JIRA)