[jboss-jira] [JBoss JIRA] (WFLY-7143) Unsafe Elytron role/permission mapping

Jan Kalina (JIRA) issues at jboss.org
Wed Sep 21 04:59:00 EDT 2016


    [ https://issues.jboss.org/browse/WFLY-7143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13296168#comment-13296168 ] 

Jan Kalina commented on WFLY-7143:
----------------------------------

Yes, adding constant-permission-mapper sounds much better than having part of the permissions as a blacklist (LoginPermission) and part as a whitelist (others).

> Unsafe Elytron role/permission mapping
> --------------------------------------
>
>                 Key: WFLY-7143
>                 URL: https://issues.jboss.org/browse/WFLY-7143
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Josef Cacek
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> Default Elytron configuration assigns role "All" to every user during authentication. If a deployed application uses that role name for resource protection, then every authenticated user can access the protected resource, so the security is bypassed.
> The problem is caused by the workaround used for mapping "LoginPermission" to all users: it maps role "All" to the users first and then maps "LoginPermission" to this role.
> {code:xml}
> <mappers>
>     <simple-permission-mapper name="login-permission-mapper">
>         <permission-mapping roles="All">
>             <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
>         </permission-mapping>
>     </simple-permission-mapper>
>     <constant-role-mapper name="constant-roles" roles="All"/>
> </mappers>
> {code}
> We have to make the default server configuration secure for users.
> *Suggestions for improvement:*
> * the {{LoginPermission}} mapping should be implicit so everybody has it by default - without specifying it in the server configuration; users should only define the cases where they don't want the permission to be assigned to some principals/roles
> * a constant permission mapper should exist in the Elytron subsystem (similar to {{constant-role-mapper}}) so that custom permissions can be mapped without workarounds through role mappings
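The weak mapping from the description beside a corrected one, as an added example that is not part of the issue text or of WildFly's own configuration. The corrected half uses a constant-permission-mapper element of the shape the second suggestion asks for (later WildFly releases ship one under that name); the security-domain and realm names, the properties-realm definition and the "groups" attribute name are assumptions made for the example.

```xml
<!-- Added example, not from the issue: weak mapping beside a corrected one. -->

<!-- WEAK: every authenticated identity receives role "All" only so that the
     role can carry LoginPermission. Any deployment that protects a resource
     with role "All" is then open to every authenticated user. -->
<mappers>
    <simple-permission-mapper name="login-permission-mapper">
        <permission-mapping roles="All">
            <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
        </permission-mapping>
    </simple-permission-mapper>
    <constant-role-mapper name="constant-roles" roles="All"/>
</mappers>

<!-- CORRECTED: grant LoginPermission directly to every identity without
     inventing a role. Roles now come only from the realm's "groups" attribute
     (assumed), so an application's role check means what the deployer intended. -->
<mappers>
    <constant-permission-mapper name="default-permission-mapper">
        <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </constant-permission-mapper>
    <simple-role-decoder name="groups-to-roles" attribute="groups"/>
</mappers>
<security-realms>
    <!-- assumed realm; file names are placeholders -->
    <properties-realm name="ApplicationRealm">
        <users-properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>
</security-realms>
<security-domains>
    <!-- no role-mapper is attached, so nobody gets a role the realm did not assign -->
    <security-domain name="ApplicationDomain" default-realm="ApplicationRealm"
                     permission-mapper="default-permission-mapper">
        <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
    </security-domain>
</security-domains>
```

When switching a server from the first shape to the second, also check that no deployment already depends on the synthetic role: a `<role-name>All</role-name>` in a web.xml or `@RolesAllowed("All")` in code was effectively "any authenticated user" before and will deny everyone afterwards unless the realm really assigns that group.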


