[jboss-jira] [JBoss JIRA] (WFCORE-2666) Elytron ApplicationDomain allows anonymous authentication

Darran Lofthouse (JIRA) issues at jboss.org
Wed Apr 12 07:20:00 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-2666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse moved JBEAP-10311 to WFCORE-2666:
--------------------------------------------------

              Project: WildFly Core  (was: JBoss Enterprise Application Platform)
                  Key: WFCORE-2666  (was: JBEAP-10311)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s: 3.0.0.Beta14
                           (was: 7.1.0.DR16)


> Elytron ApplicationDomain allows anonymous authentication
> ---------------------------------------------------------
>
>                 Key: WFCORE-2666
>                 URL: https://issues.jboss.org/browse/WFCORE-2666
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.0.0.Beta14
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>              Labels: eap7.1-rfe-failure, eap71_beta_candidate
>             Fix For: 3.0.0.Beta15
>
>
> The new default Elytron {{ApplicationDomain}} security domain allows anonymous authentication, but PicketBox's default security domain {{other}} does not. As it is expected that {{ApplicationDomain}} should be equivalent to the {{other}} security domain, this should behave the same.
> _Customer impact:_ If a customer switches from PicketBox to the Elytron default security domain, it brings a risk of unintentional permission of anonymous authentication. This would be a security hole.
> This is an ongoing discussion from JBEAP-9117, where it is discussed for the messaging subsystem; however, this decision affects other subsystems and goes beyond messaging.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
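The gate that decides whether an anonymous identity can log in to an Elytron security domain is the domain's permission mapper: an identity that is not granted `org.wildfly.security.auth.permission.LoginPermission` cannot complete authorization, whatever realm it came through. The fragment below is an added illustration, not text from the ticket and not WildFly's shipped configuration or the fix that was committed for WFCORE-2666. It contrasts a permission mapper that hands `LoginPermission` to every principal, the built-in `anonymous` principal included, with one that maps `anonymous` first and withholds `LoginPermission` from it. `ApplicationDomain` and `ApplicationRealm` are the names the ticket uses; the mapper names, the properties files and the `groups-to-roles` decoder are assumptions for the example.

```xml
<!-- Added example: an Elytron subsystem fragment for standalone.xml showing a
     permissive and a restrictive permission mapper side by side. Names other
     than ApplicationDomain and ApplicationRealm are assumptions. -->
<subsystem xmlns="urn:wildfly:elytron:1.0">
    <security-domains>
        <!-- Points at the restrictive mapper below; switching this attribute to
             "permit-everyone-mapper" reproduces the reported behaviour. -->
        <security-domain name="ApplicationDomain" default-realm="ApplicationRealm"
                         permission-mapper="deny-anonymous-login-mapper">
            <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <!-- Assumed properties-backed realm; the file names are placeholders. -->
        <properties-realm name="ApplicationRealm">
            <users-properties path="application-users.properties"
                              relative-to="jboss.server.config.dir"/>
            <groups-properties path="application-roles.properties"
                               relative-to="jboss.server.config.dir"/>
        </properties-realm>
    </security-realms>
    <mappers>
        <!-- Weak: a single match-all mapping grants LoginPermission to every
             identity, so a client that authenticates nobody at all still ends
             up with an authorized anonymous identity. -->
        <simple-permission-mapper name="permit-everyone-mapper">
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>

        <!-- Hardened: with mapping-mode="first" the explicit entry for the
             built-in "anonymous" principal wins and grants no LoginPermission,
             so anonymous authorization fails. Every other identity falls
             through to the match-all entry and can still log in. -->
        <simple-permission-mapper name="deny-anonymous-login-mapper" mapping-mode="first">
            <permission-mapping>
                <principal name="anonymous"/>
            </permission-mapping>
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>

        <simple-role-decoder name="groups-to-roles" attribute="groups"/>
    </mappers>
</subsystem>
```

The order of the two `permission-mapping` entries matters only because of `mapping-mode="first"`; with a combining mode the match-all entry would still reach the anonymous identity. After applying a change like this, `/subsystem=elytron/simple-permission-mapper=deny-anonymous-login-mapper:read-resource` in `jboss-cli.sh` shows the mapping order as the server parsed it, and the practical check is an unauthenticated client connection to any service backed by `ApplicationDomain`, which should now be rejected.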
