[jboss-jira] [JBoss JIRA] (SECURITY-680) AbstractServerLoginModule.commit() always adds the identity Principal to the CallerPrincipal group
Stefan Guilhen (JIRA)
jira-events at lists.jboss.org
Fri Aug 10 17:06:07 EDT 2012
[ https://issues.jboss.org/browse/SECURITY-680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Guilhen closed SECURITY-680.
-----------------------------------
Fix Version/s: PicketBox_4_0_10.Final
Resolution: Done
I've fixed the issue by moving the getCallerPrincipalGroup call to the end of the commit() method. This way, a caller principal will only be added if it hasn't been returned by getRoleSets.
I'll be cutting a release today to upgrade PicketBox on AS7 (master and branch 7.1).
> AbstractServerLoginModule.commit() always adds the identity Principal to the CallerPrincipal group
> --------------------------------------------------------------------------------------------------
>
> Key: SECURITY-680
> URL: https://issues.jboss.org/browse/SECURITY-680
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: JBossSX
> Affects Versions: PicketBox_v4_0_9.Final
> Environment: JBoss EAP 6.0
> Reporter: Tom Fonteyne
> Assignee: Stefan Guilhen
> Fix For: PicketBox_4_0_10.Final
>
>
> Since EAP6, AbstractServerLoginModule.commit() contains the following piece of code just before getRoleSets() is called:
> // add the CallerPrincipal group
> Group callerGroup = getCallerPrincipalGroup(principals);
> if (callerGroup == null)
> {
> callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
> callerGroup.addMember(identity);
> principals.add(callerGroup);
> }
> Since getRoleSets() should also return the CallerPrincipal group (as specified in the documentation), the identity is often added to the CallerPrincipal.
> As a result, the Principal used when authenticating is sometimes not the desired CallerPrincipal element but the identity (which one is determined by the backing HashMap of SimpleGroup). This can lead to security problems.
> From the Javadoc of getRoleSets():
> "A second common group is "CallerPrincipal" that provides the application identity of the user rather than the security domain identity."
> JBoss EAP 6 however creates this CallerPrincipal group itself with the identity SimplePrincipal as its sole member. This group is then merged with the CallerPrincipal group returned by getRoleSets(), causing the group to have two members.
> One solution could be to move the above piece of code to the end of the commit() method. This way, if getRoleSets() returns the CallerPrincipal group, this will remain unmodified, and if it does not then a new CallerPrincipal group will be created.
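The ordering problem described in the report and the fix Stefan applied, as an added standalone example that is not PicketBox code: SimplePrincipal, SimpleGroup, getRoleSets() and mergeRoleSets() are stand-ins written for this example (only the names and the merge-by-group-name behaviour follow the report's description), and the two principal names are constructed. commitBeforeFix() runs the quoted check before the role sets are merged, so the CallerPrincipal group returned by getRoleSets() is merged into the one already holding the security-domain identity and ends up with two members; commitAfterFix() runs the same check after the merge, so the group returned by getRoleSets() is left untouched and the identity is only added when no such group came back.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;

// Added example, not PicketBox code: a model of the commit() ordering bug in SECURITY-680.
public class CallerPrincipalOrdering {

    static final String CALLER_PRINCIPAL_GROUP = "CallerPrincipal";

    // Stand-in principal; equality is by name
    static class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof SimplePrincipal && ((SimplePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    // Stand-in group backed by a HashSet: with two members, which one a caller sees first
    // depends on hashing, the "determined by the backing HashMap" point of the report
    static class SimpleGroup extends SimplePrincipal {
        private final Set<Principal> members = new HashSet<>();
        SimpleGroup(String name) { super(name); }
        void addMember(Principal p) { members.add(p); }
        Set<Principal> members() { return members; }
    }

    static SimpleGroup findGroup(Set<Principal> principals, String name) {
        for (Principal p : principals) {
            if (p instanceof SimpleGroup && name.equals(p.getName())) return (SimpleGroup) p;
        }
        return null;
    }

    static SimpleGroup getCallerPrincipalGroup(Set<Principal> principals) {
        return findGroup(principals, CALLER_PRINCIPAL_GROUP);
    }

    // Stand-in for a subclass's getRoleSets(): it maps the security-domain identity to an
    // application identity and returns it in a CallerPrincipal group, as the Javadoc describes
    static SimpleGroup[] getRoleSets(Principal appIdentity) {
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("user"));
        SimpleGroup caller = new SimpleGroup(CALLER_PRINCIPAL_GROUP);
        caller.addMember(appIdentity);
        return new SimpleGroup[] { roles, caller };
    }

    // Model of commit()'s merge step: a returned group whose name already exists in the
    // subject has its members copied into the existing group instead of being added twice
    static void mergeRoleSets(Set<Principal> principals, SimpleGroup[] roleSets) {
        for (SimpleGroup g : roleSets) {
            SimpleGroup existing = findGroup(principals, g.getName());
            if (existing == null) {
                principals.add(g);
            } else {
                for (Principal m : g.members()) existing.addMember(m);
            }
        }
    }

    // The snippet quoted in the report
    static void addCallerGroupIfMissing(Set<Principal> principals, Principal identity) {
        if (getCallerPrincipalGroup(principals) == null) {
            SimpleGroup callerGroup = new SimpleGroup(CALLER_PRINCIPAL_GROUP);
            callerGroup.addMember(identity);
            principals.add(callerGroup);
        }
    }

    // 4.0.9 ordering: the check runs before getRoleSets(), so the returned
    // CallerPrincipal group is merged into the one already holding the identity
    static SimpleGroup commitBeforeFix(Principal identity, Principal appIdentity) {
        Set<Principal> principals = new HashSet<>();
        principals.add(identity);
        addCallerGroupIfMissing(principals, identity);
        mergeRoleSets(principals, getRoleSets(appIdentity));
        return getCallerPrincipalGroup(principals);
    }

    // 4.0.10 ordering: the check runs after getRoleSets(), so a returned group is kept as-is
    static SimpleGroup commitAfterFix(Principal identity, Principal appIdentity) {
        Set<Principal> principals = new HashSet<>();
        principals.add(identity);
        mergeRoleSets(principals, getRoleSets(appIdentity));
        addCallerGroupIfMissing(principals, identity);
        return getCallerPrincipalGroup(principals);
    }

    static Set<String> memberNames(SimpleGroup g) {
        Set<String> names = new TreeSet<>();
        for (Principal p : g.members()) names.add(p.getName());
        return names;
    }

    public static void main(String[] args) {
        Principal identity = new SimplePrincipal("uid=1234,ou=people,dc=example,dc=com"); // constructed
        Principal appIdentity = new SimplePrincipal("alice");                            // constructed
        System.out.println("4.0.9  CallerPrincipal: " + memberNames(commitBeforeFix(identity, appIdentity)));
        System.out.println("4.0.10 CallerPrincipal: " + memberNames(commitAfterFix(identity, appIdentity)));
    }
}
```

Run it with `javac CallerPrincipalOrdering.java && java CallerPrincipalOrdering`: the first line lists both the application identity and the security-domain identity, the second lists only the application identity. The security-relevant point is the first case: any code that treats "the" member of the CallerPrincipal group as the authenticated user is choosing between two principals in an order it does not control.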
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira