[jboss-jira] [JBoss JIRA] (WFLY-8750) RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.

Darran Lofthouse (JIRA) issues at jboss.org
Fri Jul 7 12:32:00 EDT 2017


     [ https://issues.jboss.org/browse/WFLY-8750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved WFLY-8750.
------------------------------------
    Fix Version/s: 11.0.0.Beta1
       Resolution: Done


> RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.
> -------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-8750
>                 URL: https://issues.jboss.org/browse/WFLY-8750
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Hynek Švábek
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>             Fix For: 11.0.0.Beta1
>
>
> This is potentially a security vulnerability, therefore it is a BLOCKER.
> Security subsystem contains attributes with capabilities which don't set access-constraint.
> All of them have an Elytron compatibility capability, and I expect some access constraint there too.
> *How to reproduce:*
> {code}
> /subsystem=security:read-resource-description(recursive=true)
> {code}
> There are some places where access constraints are missing.
> elytron-key-store with *org.wildfly.security.key-store* capability.
> elytron-realm with *org.wildfly.security.security-realm* capability.
> elytron-trust-manager with *org.wildfly.security.trust-managers* capability.
> elytron-key-manager with *org.wildfly.security.key-managers* capability.
> elytron-trust-store with *org.wildfly.security.key-store* capability.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)


