[jboss-jira] [JBoss JIRA] (WFLY-1985) read-attribute operation is leaking value when user is not authorized to read that attribute
Brian Stansberry (JIRA)
jira-events at lists.jboss.org
Wed Sep 4 22:22:03 EDT 2013
[ https://issues.jboss.org/browse/WFLY-1985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry updated WFLY-1985:
-----------------------------------
Assignee: Ladislav Thon (was: Brian Stansberry)
> read-attribute operation is leaking value when user is not authorized to read that attribute
> --------------------------------------------------------------------------------------------
>
> Key: WFLY-1985
> URL: https://issues.jboss.org/browse/WFLY-1985
> Project: WildFly
> Issue Type: Sub-task
> Components: Domain Management, Security
> Reporter: Jakub Cechacek
> Assignee: Ladislav Thon
> Priority: Critical
> Labels: rbac-filed-by-qa
> Fix For: 8.0.0.CR1
>
>
> This affects the native interface and consequently the CLI; HTTP and JMX have the correct behavior, as they aren't simply forwarding the result of the native interface.
> {code}
> [standalone at localhost:9990 /] :whoami(verbose=true)
> {
>     "outcome" => "success",
>     "result" => {"identity" => {
>         "username" => "monitor",
>         "realm" => "ManagementRealm"
>     }}
> }
> [standalone at localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:read-attribute(name=password)
> {
>     "outcome" => "failed",
>     "result" => "sa",
>     "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
> (\"subsystem\" => \"datasources\"),
> (\"data-source\" => \"ExampleDS\")
> ]' -- \"Permission denied\"",
>     "rolled-back" => true
> }
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
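
A regression check for the behaviour reported above, as an added example that is not part of the original message or of WildFly's code: it parses a CLI response in the text form shown in the report and flags an authorization failure that still carries a defined "result". The function names are this example's own, and two things are assumptions: that a denial is recognized by the JBAS013456 message id seen in the report, and that a correctly filtered response has "result" absent or undefined.

```python
import re

# Tokens of the CLI's DMR text: quoted strings, "=>", punctuation, bare words.
TOKEN = re.compile(r'\s*("(?:\\.|[^"\\])*"|=>|[{}\[\](),]|[^\s{}\[\](),="]+)', re.S)
CLOSE = {"{": "}", "(": ")", "[": "]"}
DENIED_ID = "JBAS013456"  # message id in the report's failure-description (assumed marker)

def tokenize(text):
    text, pos, out = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        out.append(m.group(1))
        pos = m.end()
    return out

def parse(tokens):
    tok = tokens.pop(0)
    if tok in CLOSE:  # object {..}, property (..) or list [..]
        items = []
        while tokens[0] != CLOSE[tok]:
            item = parse(tokens)
            if tokens[0] == "=>":  # "key" => value
                tokens.pop(0)
                item = (item, parse(tokens))
            items.append(item)
            if tokens[0] == ",":
                tokens.pop(0)
        tokens.pop(0)
        return items if tok == "[" else dict(items)
    if tok.startswith('"'):  # string: drop quotes, undo backslash escapes
        return re.sub(r"\\(.)", r"\1", tok[1:-1], flags=re.S)
    return {"undefined": None, "true": True, "false": False}.get(tok, tok)

def leaks_on_denial(response_text):
    # True when an authorization failure still carries a defined "result"
    # (assumption: a filtered response has it absent or undefined).
    resp = parse(tokenize(response_text))
    denied = resp.get("outcome") == "failed" and DENIED_ID in str(resp.get("failure-description"))
    return denied and resp.get("result") is not None

# The response quoted in the report, and a constructed one with the value withheld.
LEAKY = r'''{"outcome" => "failed", "result" => "sa",
"failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"ExampleDS\")
]' -- \"Permission denied\"", "rolled-back" => true}'''
FILTERED = LEAKY.replace('"result" => "sa"', '"result" => undefined')
print(leaks_on_denial(LEAKY), leaks_on_denial(FILTERED))
```

Run against CLI output captured as a restricted user for each sensitive attribute, any True marks a response that needs fixing.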