[jboss-jira] [JBoss JIRA] (WFLY-2584) RBAC: Silent failure of run-as role mapping

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Wed Nov 27 07:02:05 EST 2013


    [ https://issues.jboss.org/browse/WFLY-2584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927046#comment-12927046 ] 

Darran Lofthouse commented on WFLY-2584:
----------------------------------------

I see no reason not to fail; the client only has the ability to request a reduced set of roles. If one of the roles they are requesting does not exist, they should be informed.

Not reporting an error would only lead to confusion overall, I think.
                
> RBAC: Silent failure of run-as role mapping
> -------------------------------------------
>
>                 Key: WFLY-2584
>                 URL: https://issues.jboss.org/browse/WFLY-2584
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management
>    Affects Versions: 8.0.0.Beta1
>            Reporter: Brian Stansberry
>            Assignee: Darran Lofthouse
>             Fix For: 8.0.0.CR1
>
>
> RunAsRoleMapper.mapRoles(Caller caller, Set<String> currentRoles, Set<String> runAsRoles, boolean sanitized) ignores false results from realRoleMapper.canRunAs(currentRoles, requestedRole) and just leaves the user running in their regular roles. Some sort of failure condition seems more appropriate.
> I noticed this when I was investigating WFLY-2318 caused by WFLY-2583. The improperly parsed role list was resulting in realRoleMapper.canRunAs(currentRoles, requestedRole) returning false so the call would just execute as SuperUser.
> Same thing would happen with a simple typo like {roles=Mnitor}.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
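The two behaviours discussed in this issue, as an added example that is not WildFly code and not code from the reporter or assignee. The `RoleMapper`, `RunAsDeniedException`, `KNOWN_ROLES` and policy below are assumptions modelled loosely on the `canRunAs(currentRoles, requestedRole)` call quoted in the report; `mapRolesLenient` reproduces the silent fallback described there (a denied or misspelled run-as role is skipped and the caller keeps their regular roles), while `mapRolesStrict` fails closed and reports the bad role.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not WildFly code. Contrasts a run-as role mapper that silently
// falls back to the caller's current roles with one that fails closed.
public class RunAsDemo {

    /** Hypothetical stand-in for the real role mapper consulted for run-as decisions. */
    interface RoleMapper {
        /** True if a caller holding currentRoles may run as requestedRole. */
        boolean canRunAs(Set<String> currentRoles, String requestedRole);
    }

    /** Thrown when a run-as request names a role the caller cannot assume. */
    static class RunAsDeniedException extends RuntimeException {
        RunAsDeniedException(String msg) { super(msg); }
    }

    /** Constructed role list for the example (assumption, not the real standard roles). */
    static final Set<String> KNOWN_ROLES = new HashSet<>(Arrays.asList(
        "Monitor", "Operator", "Maintainer", "Deployer", "Auditor", "Administrator", "SuperUser"));

    /** Toy policy (assumption): SuperUser may run as any known role; others only as themselves. */
    static final RoleMapper POLICY = (current, requested) ->
        KNOWN_ROLES.contains(requested)
            && (current.contains("SuperUser") || current.contains(requested));

    /** Behaviour described in the report: a false canRunAs result is ignored and the
     *  caller silently continues in their current roles. */
    static Set<String> mapRolesLenient(Set<String> currentRoles, Set<String> runAsRoles, RoleMapper mapper) {
        Set<String> result = new LinkedHashSet<>();
        for (String requested : runAsRoles) {
            if (mapper.canRunAs(currentRoles, requested)) {
                result.add(requested);
            }
            // denied or unknown roles are simply dropped here
        }
        return result.isEmpty() ? currentRoles : result;
    }

    /** Fail-closed variant: any role that cannot be assumed aborts the whole request. */
    static Set<String> mapRolesStrict(Set<String> currentRoles, Set<String> runAsRoles, RoleMapper mapper) {
        Set<String> result = new LinkedHashSet<>();
        for (String requested : runAsRoles) {
            if (!mapper.canRunAs(currentRoles, requested)) {
                throw new RunAsDeniedException("run-as role '" + requested
                    + "' is unknown or not permitted for roles " + currentRoles);
            }
            result.add(requested);
        }
        return result;
    }

    public static void main(String[] args) {
        Set<String> superUser = Collections.singleton("SuperUser");
        Set<String> typo = Collections.singleton("Mnitor"); // the typo from the report

        // Lenient: the typo is dropped and the call runs with full SuperUser rights.
        System.out.println("lenient: " + mapRolesLenient(superUser, typo, POLICY));

        // Strict: the same request is rejected and the caller learns about the typo.
        try {
            mapRolesStrict(superUser, typo, POLICY);
        } catch (RunAsDeniedException e) {
            System.out.println("strict:  " + e.getMessage());
        }

        // Strict with a valid role: the reduced role set is returned as requested.
        System.out.println("strict ok: " + mapRolesStrict(superUser, Collections.singleton("Monitor"), POLICY));
    }
}
```

Compile and run with `javac RunAsDemo.java && java RunAsDemo`. The lenient path prints `[SuperUser]` for the misspelled request, which is exactly the escalation the report describes: a request intended to reduce privilege leaves the caller with everything. The strict path surfaces the problem to the client instead, matching the position taken in the comment above.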