[jboss-jira] [JBoss JIRA] (AS7-4310) Re-review: EJB client should not have silent auth enabled by default
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Sat Apr 14 10:23:18 EDT 2012
[ https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12684221#comment-12684221 ]
Darran Lofthouse commented on AS7-4310:
---------------------------------------
AS7-4487 is enhancing the server side configuration of the local mechanism.
The main issue with the local mechanism has been that any authentication attempt making use of it would not have added the roles the user was expecting. We are now changing this so that, when the local mechanism is used, any username can be specified by the client and the roles will be automatically loaded for that user; so even though there will still be no username/password check, the authorization check will still be performed in the context of the selected user.
Server side local authentication can now simply be disabled by removing the <local /> element from the realm.
> Re-review: EJB client should not have silent auth enabled by default
> --------------------------------------------------------------------
>
> Key: AS7-4310
> URL: https://issues.jboss.org/browse/AS7-4310
> Project: Application Server 7
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 7.1.1.Final
> Reporter: Radoslav Husar
> Assignee: Darran Lofthouse
> Fix For: 7.1.2.Final-redhat1
>
>
> An EJB client running on the local node can bypass auth by using silent auth. This behaviour should be reviewed to decide whether it should be disabled by default.
> See comments
> https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12679945
> https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12679955
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
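As an added illustration of the server-side option described in the comment above (this is an example written for this page, not configuration taken from the issue or from the JBoss AS project), the fragment below shows a security realm of the kind found in standalone.xml first with the <local /> element present, then with it removed. The realm name, the default-user value and the properties-file path are assumptions modelled on the layout of the AS 7.1.x default configuration; the issue itself only states that removing <local /> disables server-side local authentication.

```xml
<!-- Added example, not from the JIRA issue. Realm layout assumed from AS 7.1.x standalone.xml. -->

<!-- Before: a caller on the same host can authenticate through the local
     (JBOSS-LOCAL-USER) SASL mechanism with no username/password check. -->
<security-realm name="ApplicationRealm">
    <authentication>
        <local default-user="$local"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>

<!-- After: <local /> removed, so every caller of this realm, local or remote,
     must authenticate against the properties file. -->
<security-realm name="ApplicationRealm">
    <authentication>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>
```

Removing the element affects every client of that realm, so it should be done on the realm the EJB subsystem's remoting connector references rather than on the management realm, where local tooling relies on the same mechanism. On the client side the mechanism can also be refused per connection by setting the XNIO option `remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER` in jboss-ejb-client.properties; that setting comes from the EJB client documentation, not from this issue.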