[jboss-jira] [JBoss JIRA] (ELY-410) Add the ability to check if the caller has RuntimePermission("setRunAsPermission") when creating a RunAs identity
Farah Juma (JIRA)
issues at jboss.org
Thu Jan 28 11:00:04 EST 2016
Farah Juma created ELY-410:
------------------------------
Summary: Add the ability to check if the caller has RuntimePermission("setRunAsPermission") when creating a RunAs identity
Key: ELY-410
URL: https://issues.jboss.org/browse/ELY-410
Project: WildFly Elytron
Issue Type: Enhancement
Components: API / SPI
Reporter: Farah Juma
Assignee: Farah Juma
Currently, there's a difference between Elytron and PicketBox in the behaviour of a run-as-principal operation. In particular, Elytron's {{SecurityIdentity#createRunAsIdentity()}} always attempts to authorize a run-as-principal operation, which means that a user needs to be granted the {{RunAsPrincipalPermission}} via a custom {{PermissionMapper}} in order to run as the given principal (even to run as the anonymous principal). However, PicketBox only performs an authorization check in this case if the security manager is enabled and the check itself seems to be a bit different - PicketBox just checks the caller has {{"setRunAsPermission"}}, which is a {{RuntimePermission}} that doesn't depend on the given principal.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list