[jboss-jira] [JBoss JIRA] (ELY-623) Checking for anonymous principal by name is insufficient
Jan Kalina (JIRA)
issues at jboss.org
Tue Sep 20 01:55:00 EDT 2016
[ https://issues.jboss.org/browse/ELY-623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295414#comment-13295414 ]
Jan Kalina edited comment on ELY-623 at 9/20/16 1:54 AM:
---------------------------------------------------------
Ok, so should I change the input parameter of this method (createRunAsIdentity) from "String name" to "Principal"?
(I don't see a way to improve this without an API change...)
was (Author: honza889):
Ok, so should I change the input parameter of this method from "String name" to "Principal"?
(I don't see a way to improve this without an API change...)
> Checking for anonymous principal by name is insufficient
> --------------------------------------------------------
>
> Key: ELY-623
> URL: https://issues.jboss.org/browse/ELY-623
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: David Lloyd
> Assignee: Jan Kalina
>
> In {{src/main/java/org/wildfly/security/auth/server/SecurityIdentity.java}}:
> {noformat}
> + if (AnonymousPrincipal.getInstance().getName().equals(name)) {
> + if (! context.authorizeAnonymous(false)) {
> + throw log.runAsAuthorizationFailed(getPrincipal(), new AnonymousPrincipal(), null);
> + }
> + } else {
> + if (! (context.importIdentity(this) && context.authorize(name, authorize))) {
> + throw log.runAsAuthorizationFailed(getPrincipal(), new NamePrincipal(name), null);
> + }
> }
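Review bot: the first `+` line selects the anonymous path by comparing the caller-supplied `name` with `AnonymousPrincipal.getInstance().getName()`, so a `NamePrincipal` whose name happens to be "anonymous" is routed to `context.authorizeAnonymous(false)` and never reaches `context.importIdentity(this) && context.authorize(name, authorize)`; the string "anonymous" thereby acquires a reserved meaning that nothing else in the code base enforces. Because the method only receives a `String name`, there is no type to test here; consider taking a `Principal` (or adding an overload that does) and branching on `principal instanceof AnonymousPrincipal`. Minor: the check uses the `AnonymousPrincipal.getInstance()` singleton while the failure path constructs `new AnonymousPrincipal()`; use the singleton in both places.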
> {noformat}
> Only a type check is sufficient to determine if a principal is anonymous. In this fix, the string name "anonymous" takes on a special meaning for the first time, which should not be the case.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
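The difference between the name-based check in the issue and the type-based check the reporter asks for, as an added example that is not part of the JIRA issue or of the Elytron code base. The `AnonymousPrincipal`, `NamePrincipal` and `RecordingContext` classes below are minimal stand-ins written for this example (they only mimic the behaviour the check depends on; the real Elytron types live in `org.wildfly.security.auth.principal`), and `runAsByName` / `runAsByType` are hypothetical reductions of the two shapes the run-as authorization could take.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

// Stand-in for Elytron's AnonymousPrincipal (assumption: singleton named "anonymous").
final class AnonymousPrincipal implements Principal {
    private static final AnonymousPrincipal INSTANCE = new AnonymousPrincipal();
    private AnonymousPrincipal() {}
    static AnonymousPrincipal getInstance() { return INSTANCE; }
    @Override public String getName() { return "anonymous"; }
}

// Stand-in for Elytron's NamePrincipal: an ordinary principal carrying a user name.
final class NamePrincipal implements Principal {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// Hypothetical authorization context that records which path each check took.
final class RecordingContext {
    final List<String> calls = new ArrayList<>();

    boolean authorizeAnonymous(boolean requireLoginPermission) {
        calls.add("authorizeAnonymous");
        return true;                    // anonymous run-as is permitted in this example
    }

    boolean authorize(String name, boolean checkPermission) {
        calls.add("authorize(" + name + ")");
        return name.equals("bob");      // only "bob" is an allowed run-as target here
    }
}

public class RunAsCheck {
    // Name-based check, the shape the issue objects to: the literal string
    // "anonymous" selects the anonymous path whatever kind of principal it came from.
    static boolean runAsByName(RecordingContext ctx, String name) {
        if (AnonymousPrincipal.getInstance().getName().equals(name)) {
            return ctx.authorizeAnonymous(false);
        }
        return ctx.authorize(name, true);
    }

    // Type-based check, the shape the issue asks for: only a real AnonymousPrincipal
    // selects the anonymous path; a named principal called "anonymous" is just a name
    // and goes through the ordinary authorize(name, ...) check like any other user.
    static boolean runAsByType(RecordingContext ctx, Principal target) {
        if (target instanceof AnonymousPrincipal) {
            return ctx.authorizeAnonymous(false);
        }
        return ctx.authorize(target.getName(), true);
    }

    public static void main(String[] args) {
        // Constructed inputs: the real anonymous principal, a user who happens to be
        // named "anonymous", and a user the context is willing to authorize.
        Principal[] targets = {
            AnonymousPrincipal.getInstance(),
            new NamePrincipal("anonymous"),
            new NamePrincipal("bob"),
        };
        for (Principal target : targets) {
            RecordingContext byName = new RecordingContext();
            RecordingContext byType = new RecordingContext();
            boolean nameResult = runAsByName(byName, target.getName());
            boolean typeResult = runAsByType(byType, target);
            System.out.printf("%s(%s): by name -> %s via %s; by type -> %s via %s%n",
                    target.getClass().getSimpleName(), target.getName(),
                    nameResult, byName.calls, typeResult, byType.calls);
        }
    }
}
```

Compile and run with `javac RunAsCheck.java && java RunAsCheck`. The middle row is the one that matters: for `NamePrincipal("anonymous")` the name-based check calls `authorizeAnonymous` and succeeds, while the type-based check calls `authorize("anonymous")` and is refused by this context, because a principal of that name is not the anonymous identity. Doing the check by type is only possible once the run-as method receives a `Principal` rather than a `String`, which is the API change the comment thread is weighing.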