[infinispan-issues] [JBoss JIRA] (ISPN-4306) HR client auth over kerberos has wrong AccessControlContext

RH Bugzilla Integration (JIRA) issues at jboss.org
Mon Jan 26 09:05:53 EST 2015


    [ https://issues.jboss.org/browse/ISPN-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13034991#comment-13034991 ] 

RH Bugzilla Integration commented on ISPN-4306:
-----------------------------------------------

Dave Stahl <dstahl at redhat.com> changed the Status of [bug 1099813|https://bugzilla.redhat.com/show_bug.cgi?id=1099813] from VERIFIED to CLOSED

> HR client auth over kerberos has wrong AccessControlContext
> -----------------------------------------------------------
>
>                 Key: ISPN-4306
>                 URL: https://issues.jboss.org/browse/ISPN-4306
>             Project: Infinispan
>          Issue Type: Bug
>          Components: Test Suite - Server
>            Reporter: Vojtech Juranek
>            Assignee: Tristan Tarrant
>             Fix For: 7.0.0.Beta1
>
>
> When a HotRod client authenticates to the HR server via Kerberos, the HR server obtains the wrong {{AccessControlContext}}, which doesn't contain the appropriate subject (to be more clear, it's in [AuthorizationManagerImpl.checkPermission()|https://github.com/infinispan/infinispan/blob/master/core/src/main/java/org/infinispan/security/impl/AuthorizationManagerImpl.java#L49]). The returned subject is {{null}} and, moreover, this default {{AccessControlContext}} allows doing anything, so effectively the HR client can do anything, no matter what the permissions are.
> It needs mentioning that in this case the Java {{SecurityManager}} is turned off, but as the same setup works with e.g. MD5 auth, we should keep some consistency: either it shouldn't work in any case (and the {{SecurityManager}} being turned on should be a hard requirement for ISPN auth to work) or it should also work in the case of krb auth.



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
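The failure mode described in the issue, as an added illustration that is not code from the Infinispan project or from the reporter: the authorization check resolves the caller's Subject from the current AccessControlContext, so when the request is not executed inside a Subject.doAs with the authenticated Subject, Subject.getSubject() returns null. The class names, the NamedPrincipal helper and the fail-closed checkPermission are assumptions made for this example; it uses the pre-JDK-18 javax.security.auth API that the 2015 report refers to.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Hypothetical demo class (not Infinispan code): shows how the Subject seen by an
// authorization check depends on the AccessControlContext the check runs under.
public class SubjectPropagationDemo {

    // Minimal Principal implementation for the constructed sample Subject.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Resolves the caller's Subject the same way the report describes the
    // server-side check doing it: from the current AccessControlContext.
    static Subject currentSubject() {
        AccessControlContext acc = AccessController.getContext();
        return Subject.getSubject(acc); // null when no Subject.doAs is active
    }

    // Assumed fail-closed variant of a permission check: a missing Subject is
    // treated as "unauthenticated" and denied, instead of falling through to a
    // default context that permits everything.
    static void checkPermission(String permission) {
        Subject subject = currentSubject();
        if (subject == null) {
            throw new SecurityException("no authenticated Subject for " + permission);
        }
        if (subject.getPrincipals().isEmpty()) {
            throw new SecurityException("Subject has no principals for " + permission);
        }
        // A real implementation would now evaluate roles/permissions for the principals.
    }

    static Subject authenticatedSubject(String principalName) {
        Subject subject = new Subject(); // constructed sample, not a real Kerberos login
        subject.getPrincipals().add(new NamedPrincipal(principalName));
        return subject;
    }

    public static void main(String[] args) {
        // 1. Request handled outside Subject.doAs: the check sees null (the bug's symptom).
        System.out.println("outside doAs, subject = " + currentSubject());
        try {
            checkPermission("READ");
            System.out.println("outside doAs: allowed (this is the unsafe fall-through)");
        } catch (SecurityException e) {
            System.out.println("outside doAs: denied -> " + e.getMessage());
        }

        // 2. Request handled inside Subject.doAs with the authenticated Subject:
        //    the context carries the Subject and the check can evaluate it.
        Subject alice = authenticatedSubject("alice@EXAMPLE.COM");
        Subject.doAs(alice, (PrivilegedAction<Void>) () -> {
            System.out.println("inside doAs, subject = " + currentSubject().getPrincipals());
            checkPermission("READ");
            System.out.println("inside doAs: allowed for " + currentSubject().getPrincipals());
            return null;
        });

        // 3. A context captured before doAs and reused afterwards is the "wrong
        //    AccessControlContext": running under it loses the Subject again.
        AccessControlContext stale = AccessController.getContext();
        Subject.doAs(alice, (PrivilegedAction<Void>) () -> {
            Subject seen = AccessController.doPrivileged(
                    (PrivilegedAction<Subject>) SubjectPropagationDemo::currentSubject, stale);
            System.out.println("stale context inside doAs, subject = " + seen);
            return null;
        });
    }
}
```

Compile and run with `javac SubjectPropagationDemo.java && java SubjectPropagationDemo` on a JDK where `Subject.doAs` and `AccessController` are still usable (JDK 8 through 17 without further flags; later JDKs may require `-Djava.security.manager=allow` or have removed the API). The point of case 3 is that a null Subject must be a denial, not a default-allow; whether that is enforced by requiring a SecurityManager or by making the check itself fail closed is exactly the consistency question the report raises.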

