[jboss-jira] [JBoss JIRA] (SECURITY-680) AbstractServerLoginModule.commit() always adds the identity Principal to the CallerPrincipal group

Tom Fonteyne (JIRA) jira-events at lists.jboss.org
Tue Aug 7 08:51:06 EDT 2012


Tom Fonteyne created SECURITY-680:
-------------------------------------

             Summary: AbstractServerLoginModule.commit() always adds the identity Principal to the CallerPrincipal group
                 Key: SECURITY-680
                 URL: https://issues.jboss.org/browse/SECURITY-680
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: JBossSX
    Affects Versions: PicketBox_v4_0_9.Final
         Environment: JBoss EAP 6.0
            Reporter: Tom Fonteyne
            Assignee: Anil Saldhana


Since EAP6, AbstractServerLoginModule.commit() contains the following piece of code just before getRoleSets() is called:

// add the CallerPrincipal group
Group callerGroup = getCallerPrincipalGroup(principals);
if (callerGroup == null)
{
   callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
   callerGroup.addMember(identity);
   principals.add(callerGroup);
}

Since getRoleSets() should also return the CallerPrincipal group (as specified in the documentation), the identity is often added to the CallerPrincipal.

As a result, the Principal used when authenticating is sometimes not the desired CallerPrincipal element but the identity (which one is determined by the backing HashMap of SimpleGroup). This can lead to security problems.

From the Javadoc of getRoleSets():
"A second common group is "CallerPrincipal" that provides the application identity of the user rather than the security domain identity."

JBoss EAP 6 however creates this CallerPrincipal group itself with the identity SimplePrincipal as its sole member. This group is then merged with the CallerPrincipal group returned by getRoleSets(), causing the two members.

One solution could be to move the above piece of code to the end of the commit() method. This way, if getRoleSets() returns the CallerPrincipal group, this will remain unmodified, and if it does not then a new CallerPrincipal group will be created.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
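The following is an added example, not code from the report or from PicketBox, that reproduces the ordering problem described above outside a JAAS login. It uses the real org.jboss.security.SimpleGroup, SimplePrincipal and SecurityConstants classes (assumed to be on the classpath, together with a JDK that still ships java.security.acl.Group), while the identity, the getRoleSets() stand-in and the merge logic are assumptions modelled on the report's description rather than copied from AbstractServerLoginModule.commit(). The two commit variants differ only in whether the CallerPrincipal group is created before or after the role sets are merged.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import org.jboss.security.SecurityConstants;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class CallerPrincipalOrdering {

    /** Security-domain identity, as getIdentity() would return it (constructed sample). */
    static final Principal IDENTITY = new SimplePrincipal("domainUser");

    /**
     * Stand-in for a custom login module's getRoleSets(): returns a "Roles" group
     * plus a "CallerPrincipal" group holding the application identity, as the
     * getRoleSets() Javadoc quoted in the report describes.
     */
    static Group[] getRoleSets() {
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("user"));
        SimpleGroup caller = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
        caller.addMember(new SimplePrincipal("appUser"));
        return new Group[] { roles, caller };
    }

    /** Finds a Group with the given name among the principals, or null if none exists. */
    static Group findGroup(Set<Principal> principals, String name) {
        for (Principal p : principals) {
            if (p instanceof Group && p.getName().equals(name)) {
                return (Group) p;
            }
        }
        return null;
    }

    /** The snippet from the report: create the CallerPrincipal group only if absent. */
    static void addCallerPrincipalGroup(Set<Principal> principals) {
        if (findGroup(principals, SecurityConstants.CALLER_PRINCIPAL_GROUP) == null) {
            SimpleGroup callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
            callerGroup.addMember(IDENTITY);
            principals.add(callerGroup);
        }
    }

    /**
     * Merge each role-set group into the principals: a group already present by
     * name receives the new members, otherwise the group is added whole. This is
     * an assumed model of the merging the report describes, not PicketBox code.
     */
    static void mergeRoleSets(Set<Principal> principals, Group[] roleSets) {
        for (Group group : roleSets) {
            Group existing = findGroup(principals, group.getName());
            if (existing == null) {
                principals.add(group);
                continue;
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                existing.addMember(members.nextElement());
            }
        }
    }

    /** Order the report describes for EAP 6: create the group, then merge getRoleSets(). */
    static Set<String> commitCurrentOrder() {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(IDENTITY);
        addCallerPrincipalGroup(principals);
        mergeRoleSets(principals, getRoleSets());
        return callerMembers(principals);
    }

    /** Order the report proposes: merge getRoleSets() first, then create the group only if absent. */
    static Set<String> commitProposedOrder() {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(IDENTITY);
        mergeRoleSets(principals, getRoleSets());
        addCallerPrincipalGroup(principals);
        return callerMembers(principals);
    }

    /** Names of the members of the CallerPrincipal group, in the order SimpleGroup enumerates them. */
    static Set<String> callerMembers(Set<Principal> principals) {
        Set<String> names = new LinkedHashSet<String>();
        Group caller = findGroup(principals, SecurityConstants.CALLER_PRINCIPAL_GROUP);
        Enumeration<? extends Principal> members = caller.members();
        while (members.hasMoreElements()) {
            names.add(members.nextElement().getName());
        }
        return names;
    }

    public static void main(String[] args) {
        System.out.println("current order : " + commitCurrentOrder());
        System.out.println("proposed order: " + commitProposedOrder());
    }
}
```

With the current order the CallerPrincipal group ends up holding both domainUser and appUser, and any code that takes the group's first member as the caller depends on the enumeration order of SimpleGroup's backing HashMap. With the proposed order the group returned by getRoleSets() is found first, so only appUser is present and the identity is never added to it.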

        

