[jboss-jira] [JBoss JIRA] (WFLY-7143) Unsafe Elytron role/permission mapping

Darran Lofthouse (JIRA) issues at jboss.org
Tue Sep 20 06:35:01 EDT 2016


     [ https://issues.jboss.org/browse/WFLY-7143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse reassigned WFLY-7143:
--------------------------------------

    Assignee: Jan Kalina  (was: Darran Lofthouse)


> Unsafe Elytron role/permission mapping
> --------------------------------------
>
>                 Key: WFLY-7143
>                 URL: https://issues.jboss.org/browse/WFLY-7143
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Josef Cacek
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> Default Elytron configuration assigns role "All" to every user during authentication. If a deployed application uses such a role name for resource protection, then every authenticated user can access the protected resource, so the security is bypassed.
> The problem is caused by the workaround used for mapping "LoginPermission" to all users. It maps role "All" to the users first and then maps "LoginPermission" to this role.
> {code:xml}
> <mappers>
>     <simple-permission-mapper name="login-permission-mapper">
>         <permission-mapping roles="All">
>             <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
>         </permission-mapping>
>     </simple-permission-mapper>
>     <constant-role-mapper name="constant-roles" roles="All"/>
> </mappers>
> {code}
> We have to make the default server configuration secure for users.
> *Suggestions for improvement:*
> * the {{LoginPermission}} mapping should be implicit so everybody has it by default - without specifying it in the server configuration; users should only define cases when they don't want the permission to be assigned to some principals/roles
> * a constant permission mapper should exist in the Elytron subsystem (similar to {{constant-role-mapper}}) so a custom permission can be mapped without workarounds through role mappings
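A check for the collision the issue describes, as example code added here (not WildFly's or Elytron's own): it parses the quoted mapper configuration, collects every role a constant-role-mapper grants unconditionally, and reports web.xml auth-constraints that rely on one of those roles. The web.xml below is constructed for the example, and treating the roles attribute as a whitespace-separated list is an assumption.

```python
"""Find roles that an Elytron constant-role-mapper grants to every
authenticated user and that a deployment's web.xml also uses to protect
resources (the WFLY-7143 pattern). Both XML documents are constructed samples."""
import xml.etree.ElementTree as ET

# Constructed: the default Elytron mapper configuration quoted in the issue.
ELYTRON_MAPPERS = """<mappers>
    <simple-permission-mapper name="login-permission-mapper">
        <permission-mapping roles="All">
            <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
        </permission-mapping>
    </simple-permission-mapper>
    <constant-role-mapper name="constant-roles" roles="All"/>
</mappers>"""

# Constructed: a deployment descriptor that guards /admin/* with the role "All".
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>All</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so matching works with or without an xmlns."""
    return tag.rsplit('}', 1)[-1]

def roles_granted_to_everyone(mappers_xml):
    """Roles a constant-role-mapper assigns unconditionally (assumed space-separated)."""
    roles = set()
    for el in ET.fromstring(mappers_xml).iter():
        if _local(el.tag) == 'constant-role-mapper':
            roles.update(el.get('roles', '').split())
    return roles

def protected_url_patterns(web_xml):
    """Map each role-name used in an auth-constraint to the url-patterns it guards."""
    by_role = {}
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        patterns = [p.text.strip() for p in sc.iter() if _local(p.tag) == 'url-pattern']
        for rn in sc.iter():
            if _local(rn.tag) == 'role-name':
                by_role.setdefault(rn.text.strip(), []).extend(patterns)
    return by_role

def find_bypassed_resources(mappers_xml, web_xml):
    """URL patterns whose auth-constraint names a role every authenticated user holds."""
    everyone = roles_granted_to_everyone(mappers_xml)
    return {r: p for r, p in protected_url_patterns(web_xml).items() if r in everyone}
```

Running `find_bypassed_resources(ELYTRON_MAPPERS, WEB_XML)` on the samples reports that `/admin/*` is guarded only by the role "All", which the server hands to every user.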



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)