[jboss-jira] [JBoss JIRA] (WFLY-430) Update the whoami operation to output additional information when called with verbose=true

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Mon Aug 12 10:37:26 EDT 2013


    [ https://issues.jboss.org/browse/WFLY-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12796298#comment-12796298 ] 

Darran Lofthouse commented on WFLY-430:
---------------------------------------

After some further discussion, access control specific items can be output from the whoami operation; however, the additional output should be in such a way that clients can detect it but at the same time understand it may not always be present if the access control implementation is switched.

Also consider how the access control implementation is either asked to provide its whoami content or, even better, has a way to register that it can populate whoami. Access control implementations that do not populate whoami will not care if they have not registered to populate it.

> Update the whoami operation to output additional information when called with verbose=true
> ------------------------------------------------------------------------------------------
>
>                 Key: WFLY-430
>                 URL: https://issues.jboss.org/browse/WFLY-430
>             Project: WildFly
>          Issue Type: Task
>          Components: CLI, Security
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Critical
>             Fix For: 8.0.0.Alpha4
>
>
> I need to review if this is feasible but there are a number of reports coming in where end users believe their server is not secured because our local / silent mechanism is working so quietly.
> Initially this issue was to just output the authentication mechanism used however with the addition of access control to WildFly 8 there is additional information that will be useful: -
>  - Authentication Mechanism
>  - Current role membership (May need to take into account the address i.e. what roles do I have at this address)
>  - Additional items that may be used in an authorization decision? e.g. Confidential connection, time, address of client (verify a local connection does appear local)
> Anything else that is included in the audit?
> Could some of these attributes in a response be considered sensitive?  Return everything except the sensitive ones.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
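As an added sketch (not WildFly code, and not necessarily the shape the issue was eventually implemented with), this shows the two points raised above: a base identity that is always returned, an optional access-control section that exists only when an implementation has registered a contributor, and a client that detects the section rather than assuming it. The names WhoamiContributor, "access-control", "mapped-roles" and the sample values are constructed for the illustration.

```java
import java.util.*;

// Constructed sketch, not WildFly code: whoami with an optional, registrable section.
public class WhoamiSketch {

    /** Extension point an access-control implementation registers against (hypothetical). */
    interface WhoamiContributor {
        void populate(Map<String, Object> accessControl, boolean verbose);
    }

    private final List<WhoamiContributor> contributors = new ArrayList<>();

    void register(WhoamiContributor c) { contributors.add(c); }

    /** "identity" is always defined; "access-control" is present only if someone registered. */
    Map<String, Object> whoami(String user, String realm, String mechanism, boolean verbose) {
        Map<String, Object> result = new LinkedHashMap<>();
        Map<String, Object> identity = new LinkedHashMap<>();
        identity.put("username", user);
        identity.put("realm", realm);
        if (verbose) identity.put("authentication-mechanism", mechanism);
        result.put("identity", identity);
        if (!contributors.isEmpty()) {
            Map<String, Object> ac = new LinkedHashMap<>();
            for (WhoamiContributor c : contributors) c.populate(ac, verbose);
            result.put("access-control", ac); // absent when no implementation registered
        }
        return result;
    }

    /** Client side: check for the optional section instead of failing when it is missing. */
    static String describeRoles(Map<String, Object> response) {
        Object ac = response.get("access-control");
        if (!(ac instanceof Map)) return "access-control data not provided by this server";
        Object roles = ((Map<?, ?>) ac).get("mapped-roles");
        return roles == null ? "no role information" : "roles: " + roles;
    }

    public static void main(String[] args) {
        WhoamiSketch server = new WhoamiSketch();
        // Constructed sample values: a local (silent) authentication in a management realm.
        System.out.println(describeRoles(server.whoami("admin", "ManagementRealm", "LOCAL", true)));
        // A role-based implementation registers itself; the section now appears in the response.
        server.register((ac, verbose) -> {
            ac.put("mapped-roles", List.of("SuperUser"));
            if (verbose) ac.put("local-connection", Boolean.TRUE);
        });
        System.out.println(describeRoles(server.whoami("admin", "ManagementRealm", "LOCAL", true)));
    }
}
```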
