[jboss-jira] [JBoss JIRA] (WFLY-2412) Security Realm and LDAP Connection incorrectly available as resourced under core-services=management in domain mode.
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Wed Oct 30 12:14:02 EDT 2013
[ https://issues.jboss.org/browse/WFLY-2412?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated WFLY-2412:
-----------------------------------
Description:
Security realms and LDAP connections should only be definable under specific hosts in domain mode - the resources for these are currently available in the domain wide core-services=management resource.
was:
Running WildFly master in domain mode and connecting using the CLI.
{code}
[domain@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {
        "identity" => {
            "username" => "$local",
            "realm" => "ManagementRealm"
        },
        "mapped-roles" => ["SuperUser"]
    }
}
{code}
Although this shows the user has been authenticated against the ManagementRealm, it apparently does not exist!
{code}
[domain@localhost:9990 /] ./core-service=management/security-realm=ManagementRealm:read-resource
{
    "outcome" => "failed",
    "failure-description" => "JBAS014807: Management resource '[
    (\"core-service\" => \"management\"),
    (\"security-realm\" => \"ManagementRealm\")
]' not found",
    "rolled-back" => true
}
{code}
First impression is that access control is hiding a sensitive resource even though with the default config it should not.
> Security Realm and LDAP Connection incorrectly available as resourced under core-services=management in domain mode.
> --------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-2412
> URL: https://issues.jboss.org/browse/WFLY-2412
> Project: WildFly
> Issue Type: Sub-task
> Security Level: Public(Everyone can see)
> Components: Domain Management, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 8.0.0.CR1
>
>
> Security realms and LDAP connections should only be definable under specific hosts in domain mode - the resources for these are currently available in the domain wide core-services=management resource.
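As an added illustration of the scoping rule the issue describes (example code, not from the issue or from WildFly itself): a small checker that flags a security-realm or ldap-connection address that lacks a host prefix in domain mode and rewrites it under a host. The host name "master" and the sample addresses are constructed, and the address grammar is a simplified form of the CLI's.

```python
"""Added example (not WildFly code) for the WFLY-2412 scoping rule: in domain mode a
security-realm or ldap-connection lives under /host=<name>/core-service=management,
not the domain-wide /core-service=management. Host 'master' and the sample
addresses are constructed; the address grammar is a simplified form of the CLI's."""
import re
from typing import List, Optional, Tuple

# Resource types the issue says belong only under a host in domain mode.
HOST_SCOPED_TYPES = {"security-realm", "ldap-connection"}
# One /key=value segment; the value may be double-quoted.
_SEGMENT = re.compile(r'([^=/"]+)=("([^"]*)"|[^/]+)')

def parse_address(address: str) -> List[Tuple[str, str]]:
    """Split a CLI address such as /host=master/core-service=management into pairs."""
    pairs = []
    for m in _SEGMENT.finditer(address):
        value = m.group(3) if m.group(3) is not None else m.group(2)
        pairs.append((m.group(1), value))
    return pairs

def format_address(pairs: List[Tuple[str, str]]) -> str:
    return "".join(f"/{k}={v}" for k, v in pairs) or "/"

def check_host_scope(address: str, mode: str, host: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, address). In domain mode a realm or LDAP address without a host=
    prefix is flagged (ok=False) and rewritten under the given host."""
    pairs = parse_address(address)
    keys = [k for k, _ in pairs]
    if mode != "domain" or "host" in keys or not HOST_SCOPED_TYPES & set(keys):
        return True, address
    if host is None:
        raise ValueError("domain mode needs a host name to rewrite the address")
    return False, format_address([("host", host)] + pairs)

def audit(addresses: List[str], mode: str, host: str) -> List[Tuple[str, bool, str]]:
    """Check every address and return (original, ok, suggested) tuples."""
    return [(a, *check_host_scope(a, mode, host)) for a in addresses]

if __name__ == "__main__":
    samples = [  # constructed sample addresses
        "/core-service=management/security-realm=ManagementRealm",
        "/host=master/core-service=management/security-realm=ManagementRealm",
        "/core-service=management/ldap-connection=ldap1",
        "/core-service=management/access=authorization",
    ]
    for original, ok, suggested in audit(samples, "domain", "master"):
        print("ok " if ok else "FIX", original, "" if ok else "-> " + suggested)
```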