[jboss-jira] [JBoss JIRA] (ELY-623) Checking for anonymous principal by name is insufficient
David Lloyd (JIRA)
issues at jboss.org
Mon Aug 29 08:02:00 EDT 2016
David Lloyd created ELY-623:
-------------------------------
Summary: Checking for anonymous principal by name is insufficient
Key: ELY-623
URL: https://issues.jboss.org/browse/ELY-623
Project: WildFly Elytron
Issue Type: Bug
Reporter: David Lloyd
In {{src/main/java/org/wildfly/security/auth/server/SecurityIdentity.java}}:
{noformat}
+ if (AnonymousPrincipal.getInstance().getName().equals(name)) {
+ if (! context.authorizeAnonymous(false)) {
+ throw log.runAsAuthorizationFailed(getPrincipal(), new AnonymousPrincipal(), null);
+ }
+ } else {
+ if (! (context.importIdentity(this) && context.authorize(name, authorize))) {
+ throw log.runAsAuthorizationFailed(getPrincipal(), new NamePrincipal(name), null);
+ }
}
{noformat}
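Review bot: the anonymous branch is selected by comparing the requested `name` string against `AnonymousPrincipal.getInstance().getName()`, so any named identity whose name happens to equal that string is routed into `authorizeAnonymous(false)` rather than through `context.authorize(name, authorize)`; base the branch on the principal's type (an `AnonymousPrincipal` instance) instead of on string equality. Minor style point in the same hunk: the failure path constructs `new AnonymousPrincipal()` while the condition uses `AnonymousPrincipal.getInstance()`; use the singleton accessor in both places.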
Only a type check is sufficient to determine if a principal is anonymous. In this fix, the string name "anonymous" takes on a special meaning for the first time, which should not be the case.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)