[jboss-jira] [JBoss JIRA] (AS7-4310) Re-review: EJB client should not have silet auth enabled by default

jaikiran pai (JIRA) jira-events at lists.jboss.org
Fri May 4 13:55:18 EDT 2012 

    [ https://issues.jboss.org/browse/AS7-4310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12690504#comment-12690504 ] 

jaikiran pai commented on AS7-4310:
-----------------------------------

EJB client 1.0.9 version contains a fix where if the user configuration passes a username or a callbackhandler class, then the jboss.sasl.local-user.quiet-auth SASL_PROPERTY will _not_ be added by the EJB client library. However, if the username or callbackhandler class aren't explicitly specified and if the user doesn't specify a value for jboss.sasl.local-user.quiet-auth property, then EJB client library *implicitly adds* the jboss.sasl.local-user.quiet-auth to connection creation options to allow the JBoss Local Auth mechanism to silently use the default-user configured on the server side.

                
> Re-review: EJB client should not have silet auth enabled by default
> -------------------------------------------------------------------
>
>                 Key: AS7-4310
>                 URL: https://issues.jboss.org/browse/AS7-4310
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: EJB, Security
>    Affects Versions: 7.1.1.Final
>            Reporter: Radoslav Husar
>            Assignee: jaikiran pai
>             Fix For: 7.1.2.Final (EAP)
>
>
> EJB client running on local node can bypass auth by using silet auth. This behaviour should be reviewed whether to be disabled by default.
> See comments
> https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679945&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12679945
> https://issues.jboss.org/browse/AS7-4309?focusedCommentId=12679955&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12679955

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list