[jboss-jira] [JBoss JIRA] (WFCORE-1948) Management IN-VM Bypass
Darran Lofthouse (JIRA)
issues at jboss.org
Mon Nov 7 08:46:00 EST 2016
[ https://issues.jboss.org/browse/WFCORE-1948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated WFCORE-1948:
-------------------------------------
Description:
Previously we were able to detect in-vm calls as they did not have a Subject established on the AccessControlContext.
Switching to WildFly Elytron we are guaranteed to always have a SecurityIdentity as by default an anonymous one will always be created.
This task is to add an API for in-vm calls backed by security manager based permission checks to allow tasks to be executed "bypassing" access control. Our default implementation is role based so this bypass will work by assuming the SuperUser role.
was:
Previously we were able to detect in-vm calls as they did not have a Subject established on the AccessControlContext.
Switching to WildFly Elytron we are guaranteed to always have a SecurityIdentity as by default an anonymous one will always be created.
This task is to add an API for in-vm calls backed by security manager based permission checks to allow tasks to be executed using a specified role.
> Management IN-VM Bypass
> -----------------------
>
> Key: WFCORE-1948
> URL: https://issues.jboss.org/browse/WFCORE-1948
> Project: WildFly Core
> Issue Type: Task
> Components: Domain Management, Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 3.0.0.Alpha12
>
>
> Previously we were able to detect in-vm calls as they did not have a Subject established on the AccessControlContext.
> Switching to WildFly Elytron we are guaranteed to always have a SecurityIdentity as by default an anonymous one will always be created.
> This task is to add an API for in-vm calls backed by security manager based permission checks to allow tasks to be executed "bypassing" access control. Our default implementation is role based so this bypass will work by assuming the SuperUser role.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
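As an added illustration of the pattern the description asks for (this is not WildFly or Elytron code; `SecurityIdentity`, `InVmBypassPermission` and `InVmAccess` are constructed stand-ins): an identity that is always present, so "no Subject" can no longer mean "in-VM", and a permission-gated call that temporarily assumes the SuperUser role and restores the caller's identity afterwards.

```java
import java.security.BasicPermission;
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.Callable;

// Simplified stand-in for an Elytron-style identity that is never absent:
// the default is an anonymous identity carrying no roles (constructed for this example).
final class SecurityIdentity {
    private final String name;
    private final Set<String> roles;
    SecurityIdentity(String name, Set<String> roles) { this.name = name; this.roles = Collections.unmodifiableSet(roles); }
    static SecurityIdentity anonymous() { return new SecurityIdentity("anonymous", Collections.emptySet()); }
    boolean hasRole(String role) { return roles.contains(role); }
}

// Permission a caller must hold before it may use the bypass (name is illustrative).
final class InVmBypassPermission extends BasicPermission {
    InVmBypassPermission(String name) { super(name); }
}

final class InVmAccess {
    // Identity of the running thread: always present, never null.
    private static final ThreadLocal<SecurityIdentity> CURRENT = ThreadLocal.withInitial(SecurityIdentity::anonymous);
    private static final SecurityIdentity SUPER_USER = new SecurityIdentity("in-vm", Collections.singleton("SuperUser"));

    static SecurityIdentity current() { return CURRENT.get(); }

    // Runs the task with the SuperUser role. When a SecurityManager is installed the caller
    // must hold InVmBypassPermission; the previous identity is restored in all cases.
    static <T> T runAsSuperUser(Callable<T> task) throws Exception {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new InVmBypassPermission("runAsSuperUser"));
        }
        SecurityIdentity previous = CURRENT.get();
        CURRENT.set(SUPER_USER);
        try {
            return task.call();
        } finally {
            CURRENT.set(previous);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before: " + current().hasRole("SuperUser"));   // false: anonymous identity
        boolean inside = runAsSuperUser(() -> current().hasRole("SuperUser"));
        System.out.println("inside: " + inside + ", after: " + current().hasRole("SuperUser"));
    }
}
```

Note that the permission check only fires when a `SecurityManager` is installed; without one, the bypass is guarded solely by which code can reach the API, which is why such an entry point should stay internal and audited rather than public.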