[jboss-jira] [JBoss JIRA] (WFLY-2412) Security Realm and LDAP Connection incorrectly available as resourced under core-services=management in domain mode.

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Wed Oct 30 12:14:02 EDT 2013


     [ https://issues.jboss.org/browse/WFLY-2412?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-2412:
-----------------------------------

    Summary: Security Realm and LDAP Connection incorrectly available as resourced under core-services=management in domain mode.  (was: security realms and ldap connections incorrectly hidden by default in domain mode.)

    
> Security Realm and LDAP Connection incorrectly available as resourced under core-services=management in domain mode.
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-2412
>                 URL: https://issues.jboss.org/browse/WFLY-2412
>             Project: WildFly
>          Issue Type: Sub-task
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management, Security
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>             Fix For: 8.0.0.CR1
>
>
> Running WildFly master in domain mode and connecting using the CLI.
> {code}
> [domain at localhost:9990 /] :whoami(verbose=true)
> {
>     "outcome" => "success",
>     "result" => {
>         "identity" => {
>             "username" => "$local",
>             "realm" => "ManagementRealm"
>         },
>         "mapped-roles" => ["SuperUser"]
>     }
> }
> {code}
> Although this shows the user has been authenticated against the ManagementRealm, it apparently does not exist!
> {code}
> [domain at localhost:9990 /] ./core-service=management/security-realm=ManagementRealm:read-resource
> {
>     "outcome" => "failed",
>     "failure-description" => "JBAS014807: Management resource '[
>     (\"core-service\" => \"management\"),
>     (\"security-realm\" => \"ManagementRealm\")
> ]' not found",
>     "rolled-back" => true
> }
> {code}
> First impression is that access control is hiding a sensitive resource even though with the default config it should not.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
