[jboss-jira] [JBoss JIRA] (WFLY-1985) read-attribute operation is leaking value when user is not authorized to read that attribute
Jakub Cechacek (JIRA)
jira-events at lists.jboss.org
Tue Sep 3 03:41:03 EDT 2013
Jakub Cechacek created WFLY-1985:
------------------------------------
Summary: read-attribute operation is leaking value when user is not authorized to read that attribute
Key: WFLY-1985
URL: https://issues.jboss.org/browse/WFLY-1985
Project: WildFly
Issue Type: Sub-task
Reporter: Jakub Cechacek
Assignee: Brian Stansberry
Priority: Critical
This affects the native interface and consequently the CLI. HTTP and JMX have the correct behavior, as they aren't simply forwarding the result of the native interface.
{code}
[standalone@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {"identity" => {
        "username" => "monitor",
        "realm" => "ManagementRealm"
    }}
}
[standalone@localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:read-attribute(name=password)
{
    "outcome" => "failed",
    "result" => "sa",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
    (\"subsystem\" => \"datasources\"),
    (\"data-source\" => \"ExampleDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}
{code}
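Added example (not part of the original report and not WildFly code): a regression check that parses a CLI response in the text form shown above and flags a failed operation that still carries a defined "result". The names parse_response and leaks_on_failure are hypothetical, and the DENIED sample assumes a correct denial simply omits the value.

```python
import re

# Tokens of the CLI's text output: quoted strings, "=>", punctuation, bare words.
TOKEN = re.compile(r'\s*("(?:\\.|[^"\\])*"|=>|[{}\[\](),]|[^\s{}\[\](),=]+)', re.S)

def parse_value(toks):
    # Recursive-descent parse of one value; consumes tokens from the front.
    tok = toks.pop(0)
    if tok in ("{", "["):
        close, items = ("}" if tok == "{" else "]"), []
        while toks[0] != close:
            items.append(parse_value(toks))
            if toks[0] == "=>":  # object member: "key" => value
                toks.pop(0)
                items[-1] = (items[-1], parse_value(toks))
            if toks[0] == ",":
                toks.pop(0)
        toks.pop(0)
        return dict(items) if tok == "{" else items
    if tok == "(":  # property: ("name" => value)
        key, _, value = parse_value(toks), toks.pop(0), parse_value(toks)
        toks.pop(0)  # closing ")"
        return (key, value)
    if tok.startswith('"'):  # string: drop quotes, undo backslash escapes
        return re.sub(r"\\(.)", r"\1", tok[1:-1], flags=re.S)
    return {"true": True, "false": False, "undefined": None}.get(tok, tok)

# Response body from the report above (CLI session of user "monitor").
LEAKY = r'''{
"outcome" => "failed",
"result" => "sa",
"failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"ExampleDS\")
]' -- \"Permission denied\"",
"rolled-back" => true
}'''
# Constructed sample: the same denial with the value withheld (assumed shape).
DENIED = LEAKY.replace('"result" => "sa",\n', "")

def parse_response(text):
    return parse_value(TOKEN.findall(text))

def leaks_on_failure(resp):
    """True when a failed operation still carries a defined result."""
    return resp.get("outcome") == "failed" and resp.get("result") is not None

if __name__ == "__main__":
    print(leaks_on_failure(parse_response(LEAKY)), leaks_on_failure(parse_response(DENIED)))
```

Run against captured CLI output for each restricted role, the check fails on the response in this report and passes once the value is withheld.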