[infinispan-issues] [JBoss JIRA] (ISPN-4451) Missing ACCESS right

Tristan Tarrant (JIRA) issues at jboss.org
Fri Jun 27 12:03:25 EDT 2014


    [ https://issues.jboss.org/browse/ISPN-4451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12980011#comment-12980011 ] 

Tristan Tarrant commented on ISPN-4451:
---------------------------------------

Starting a cache (i.e. invoking getCache() on an unstarted cache) is only allowed if the Subject has LIFECYCLE permission. Once a cache has been started, subsequent getCache() invocations don't check permissions. However, invoking any operation on the returned cache requires a permission, so the SecureCache is useless without a valid permission.
We could introduce an ACCESS permission which forbids a getCache() op on a started cache, but I don't see this as critical.

> Missing ACCESS right
> --------------------
>
>                 Key: ISPN-4451
>                 URL: https://issues.jboss.org/browse/ISPN-4451
>             Project: Infinispan
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>            Reporter: Vojtech Juranek
>            Assignee: Tristan Tarrant
>
> When security is turned on ({{cacheConfig.security().authorization().enable()}}), any user can obtain/create a cache, even unauthorized users. This should be allowed only for users with right {{ACCESS}}. This right is actually not present in {{AuthorizationPermission}}.



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
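The behaviour discussed in this message can be checked against a given Infinispan build with a small probe. This is an added example, not code from the issue or from the Infinispan project; it assumes infinispan-core is on the classpath, and the role names, cache names and name-equals-role mapper are made up for illustration. It prints what it observes rather than asserting an outcome, since the result depends on the version under test.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import org.infinispan.configuration.cache.ConfigurationBuilder;
import org.infinispan.configuration.global.GlobalConfigurationBuilder;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.manager.EmbeddedCacheManager;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.Security;

public class GetCachePermissionProbe {
    // Constructed subject carrying a single principal; the names are hypothetical.
    static Subject subject(String name) {
        Principal p = () -> name;
        return new Subject(true, Collections.singleton(p),
                Collections.emptySet(), Collections.emptySet());
    }

    // Runs one step as the given subject and reports whether it went through.
    static String probe(Subject who, Supplier<Object> step) {
        try {
            Security.doAs(who, (PrivilegedAction<Object>) step::get);
            return "allowed";
        } catch (RuntimeException e) {
            return "rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        Subject admin = subject("admin"), guest = subject("guest");
        GlobalConfigurationBuilder global = new GlobalConfigurationBuilder();
        global.security().authorization().enable()
              // Assumed mapping: the principal name is used as the role name.
              .principalRoleMapper(p -> Collections.singleton(p.getName()))
              .role("admin").permission(AuthorizationPermission.ALL);
        ConfigurationBuilder cfg = new ConfigurationBuilder();
        cfg.security().authorization().enable().role("admin");

        EmbeddedCacheManager cm = Security.doAs(admin, (PrivilegedAction<EmbeddedCacheManager>) () -> {
            EmbeddedCacheManager m = new DefaultCacheManager(global.build());
            m.defineConfiguration("started", cfg.build());
            m.defineConfiguration("unstarted", cfg.build());
            m.getCache("started"); // admin starts this cache; "unstarted" is only defined
            return m;
        });
        // "guest" holds no role, so each line shows what a subject without permissions can do.
        System.out.println("guest getCache(unstarted): " + probe(guest, () -> cm.getCache("unstarted")));
        System.out.println("guest getCache(started):   " + probe(guest, () -> cm.getCache("started")));
        System.out.println("guest get() on started:    " + probe(guest, () -> cm.getCache("started").get("k")));
        Security.doAs(admin, (PrivilegedAction<Void>) () -> { cm.stop(); return null; });
    }
}
```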

