[jboss-jira] [JBoss JIRA] (WFLY-5740) ContextPolicy checks purely based on names, ignores Principal types
Darran Lofthouse (JIRA)
issues at jboss.org
Sun Jan 8 11:17:05 EST 2017
[ https://issues.jboss.org/browse/WFLY-5740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse reassigned WFLY-5740:
--------------------------------------
Assignee: Pedro Igor (was: Darran Lofthouse)
> ContextPolicy checks purely based on names, ignores Principal types
> -------------------------------------------------------------------
>
> Key: WFLY-5740
> URL: https://issues.jboss.org/browse/WFLY-5740
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.0.0.CR4
> Reporter: Arjan t
> Assignee: Pedro Igor
>
> In {{org.jboss.security.jacc.ContextPolicy}} the {{implies}} method only looks at the names of each {{Principal}} from the passed-in {{ProtectionDomain}}, without checking whether they're actually a role.
> The collection of these names is then used to check against role-based permissions.
> If a user now has a name "expert" and there's also a role called "expert", access will be granted purely based on the user (caller) name. This is of course not correct.
> See the following code:
> {code:java}
> // Check principal to role permissions
> Principal[] principals = domain.getPrincipals();
> int length = principals != null ? principals.length : 0;
> ArrayList<String> principalNames = new ArrayList<String>();
> for (int n = 0; n < length; n++) {
>     Principal p = principals[n];
>     if (p instanceof Group) {
>         Group g = (Group) p;
>         Enumeration<? extends Principal> iter = g.members();
>         while (iter.hasMoreElements()) {
>             p = iter.nextElement();
>             // *** ONLY NAME IS USED. TYPE IS IGNORED
>             String name = p.getName();
>             principalNames.add(name);
>         }
>     }
>     else {
>         String name = p.getName();
>         // *** ONLY NAME IS USED. TYPE IS IGNORED
>         principalNames.add(name);
>     }
> }
> principalNames.add(ANY_AUTHENTICATED_USER_ROLE);
> for (int n = 0; implied == false && n < principalNames.size(); n++) {
>     String name = principalNames.get(n);
>     // *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
>     Permissions perms = rolePermissions.get(name);
>     if (perms == null)
>         continue;
>     implied = perms.implies(permission);
> }
> {code}
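The name collision the report describes, as an added stand-alone example (not WildFly's or the reporter's code): a caller named "expert" holding only the "user" role is checked against a deployment that also defines a role "expert". The principal types (UserPrincipal, RolePrincipal) and the permission table are constructed stand-ins for the container's own.

```java
import java.security.Principal;
import java.util.*;

// Contrasts name-only role collection, as in the quoted ContextPolicy.implies,
// with collection that only accepts principals typed as roles.
public class RoleCollectionDemo {
    // Hypothetical stand-ins for the container's caller and role principals.
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Mirrors the quoted logic: every principal name becomes a candidate role name.
    static Set<String> rolesByNameOnly(Principal[] principals) {
        Set<String> names = new HashSet<>();
        for (Principal p : principals) names.add(p.getName());
        return names;
    }

    // Only principals whose type marks them as roles become candidate role names.
    static Set<String> rolesByType(Principal[] principals) {
        Set<String> names = new HashSet<>();
        for (Principal p : principals)
            if (p instanceof RolePrincipal) names.add(p.getName());
        return names;
    }

    // Constructed permission table: does any collected role grant the requested action?
    static boolean grants(Set<String> roles, Map<String, Set<String>> rolePermissions, String action) {
        return roles.stream()
            .map(r -> rolePermissions.getOrDefault(r, Set.of()))
            .anyMatch(s -> s.contains(action));
    }

    public static void main(String[] args) {
        // Constructed sample: caller name "expert", role membership only "user",
        // while the deployment also defines a role called "expert".
        Principal[] domain = { new UserPrincipal("expert"), new RolePrincipal("user") };
        Map<String, Set<String>> rolePermissions = Map.of(
            "expert", Set.of("GET /admin"),
            "user", Set.of("GET /home"));
        System.out.println("name-only  grants GET /admin: "
            + grants(rolesByNameOnly(domain), rolePermissions, "GET /admin"));
        System.out.println("type-aware grants GET /admin: "
            + grants(rolesByType(domain), rolePermissions, "GET /admin"));
    }
}
```

The name-only variant grants the admin action purely because the caller's name matches a role name; the type-aware variant refuses it.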