[jboss-jira] [JBoss JIRA] (WFLY-1986) Review exceptions thrown for authorization cases in JMX

Brian Stansberry (JIRA) jira-events at lists.jboss.org
Thu Sep 12 17:13:03 EDT 2013


    [ https://issues.jboss.org/browse/WFLY-1986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12804018#comment-12804018 ] 

Brian Stansberry commented on WFLY-1986:
----------------------------------------

Darran, I agree, we need to be careful. But, we've established on the core side that the permission to "address" things (i.e. to even confirm the existence of something) applies to resources only, not to attributes and operations. This is because resource addresses contain dynamic data (e.g. security domain/realm names) while attribute and operation names are static and can be learned simply by looking at source or starting up a system with rbac disabled. So, the same basic philosophy should apply here.
                
> Review exceptions thrown for authorization cases in JMX
> -------------------------------------------------------
>
>                 Key: WFLY-1986
>                 URL: https://issues.jboss.org/browse/WFLY-1986
>             Project: WildFly
>          Issue Type: Sub-task
>          Components: Domain Management, Security
>            Reporter: Jakub Cechacek
>            Assignee: Kabir Khan
>              Labels: rbac-filed-by-qa
>             Fix For: 8.0.0.CR1
>
>
> It should be reconsidered which exception to use for RBAC authorization cases in JMX. 
> For example, "AttributeNotFoundException" doesn't make much sense when the attribute exists but the user is missing permissions for write. In this case I would use its superclass "OperationsException" instead. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
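
The rule discussed in this message, sketched as an added Java example (not WildFly code and not written by anyone in the thread): a resource the caller may not address is reported exactly like a missing one, while a static attribute name is never hidden and a denied write gets the superclass exception suggested in the issue description. The `Caller` record, the `MODEL` map, the `resource#attribute` permission key and the resource names are hypothetical, constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import javax.management.AttributeNotFoundException;
import javax.management.InstanceNotFoundException;
import javax.management.OperationsException;

public class JmxAuthzExceptions {
    // Hypothetical permission model: resources the caller may address,
    // and "resource#attribute" pairs the caller may write.
    record Caller(Set<String> addressable, Set<String> writable) {}

    // Constructed sample model: resource address -> its static attribute names.
    static final Map<String, Set<String>> MODEL = Map.of(
        "security-domain=payments", Set.of("cache-type"),
        "subsystem=logging", Set.of("level"));

    static void checkWrite(Caller c, String resource, String attr)
            throws OperationsException {
        Set<String> attrs = MODEL.get(resource);
        // Resource addresses carry dynamic data, so "does not exist" and
        // "may not be addressed" must be indistinguishable to the caller.
        if (attrs == null || !c.addressable().contains(resource)) {
            throw new InstanceNotFoundException(resource);
        }
        // Attribute names are static and learnable from source, so a
        // genuinely absent attribute is reported as absent.
        if (!attrs.contains(attr)) {
            throw new AttributeNotFoundException(attr);
        }
        // The attribute exists but the caller lacks write permission:
        // use the superclass rather than claiming the attribute is missing.
        if (!c.writable().contains(resource + "#" + attr)) {
            throw new OperationsException("Not authorized to write " + attr);
        }
    }

    // Returns "ok" or the simple name of the exception class thrown.
    static String outcome(Caller c, String resource, String attr) {
        try {
            checkWrite(c, resource, attr);
            return "ok";
        } catch (OperationsException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        Caller monitor = new Caller(Set.of("subsystem=logging"), Set.of());
        System.out.println(outcome(monitor, "security-domain=payments", "cache-type"));
        System.out.println(outcome(monitor, "security-domain=absent", "cache-type"));
        System.out.println(outcome(monitor, "subsystem=logging", "no-such-attr"));
        System.out.println(outcome(monitor, "subsystem=logging", "level"));
    }
}
```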

