[jboss-jira] [JBoss JIRA] (WFLY-8749) RBAC, There are missing access-constraint for attributes which referencing elytron capabilities.
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jul 7 12:32:00 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved WFLY-8749.
------------------------------------
Fix Version/s: 11.0.0.Beta1
Assignee: Stefan Guilhen
Resolution: Done
> RBAC, There are missing access-constraint for attributes which referencing elytron capabilities.
> ------------------------------------------------------------------------------------------------
>
> Key: WFLY-8749
> URL: https://issues.jboss.org/browse/WFLY-8749
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Stefan Guilhen
> Priority: Blocker
> Fix For: 11.0.0.Beta1
>
>
> This is potentially a security vulnerability, therefore it is a BLOCKER.
> According to RFE EAP7-548, an access-constraint must be set wherever Elytron capabilities are referenced.
> I found 6 places where the access-constraint is missing.
> {code}
> /subsystem=undertow:read-resource-description(recursive=true)
> {code}
> There is *http-invoker*, attr *http-authentication-factory*, with the *org.wildfly.security.http-authentication-factory* capability.
> {code}
> /subsystem=datasources:read-resource-description(recursive=true)
> {code}
> There is *xa-data-source*, attr *recovery-authentication-context*, with the *org.wildfly.security.authentication-context* capability.
> {code}
> /subsystem=ejb3:read-resource-description(recursive=true)
> {code}
> There is *identity*, attr *outflow-security-domains*, with the *org.wildfly.security.security-domain* capability.
> {code}
> /core-service=management/management-interface=http-interface:read-resource-description(recursive=true)
> {code}
> There is *sasl-authentication-factory* with the *org.wildfly.security.sasl-authentication-factory* capability.
> {code}
> /deployment=test:read-resource-description(recursive=true)
> {code}
> There is *xa-data-source*, attr *recovery-authentication-context*, with the *org.wildfly.security.authentication-context* capability,
> and *there is the same problem in the subdeployment resource too*.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
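The reporter found the six gaps by reading `read-resource-description(recursive=true)` output by hand. The script below automates that audit: it walks the description tree and flags every attribute whose `capability-reference` points at an `org.wildfly.security.*` capability but which declares no `access-constraints`. This is an added example, not code from the reporter or from WildFly. It relies on the key names the CLI's JSON output uses for resource descriptions (`attributes`, `capability-reference`, `access-constraints`, `children`, `model-description`); the embedded undertow-shaped sample is constructed for the example, and the sensitivity classification name inside it is an assumption, not taken from WildFly.

```python
"""Audit WildFly read-resource-description output for attributes that
reference an Elytron capability (org.wildfly.security.*) without any
access-constraints, i.e. the class of gap WFLY-8749 reports.

Added example, not WildFly's own code.  To run against a live server:
  jboss-cli.sh -c --output-json \
    "/subsystem=undertow:read-resource-description(recursive=true)" > undertow.json
  python check_elytron_constraints.py /subsystem=undertow undertow.json
"""
import json
import sys

ELYTRON_PREFIX = "org.wildfly.security."


def find_unconstrained_elytron_refs(desc, path=""):
    """Walk a recursive resource description and return a list of
    (resource_path, attribute_name, capability) for every attribute whose
    capability-reference is an Elytron capability but which has no
    access-constraints entry (absent, null or empty)."""
    findings = []
    for name, attr in (desc.get("attributes") or {}).items():
        cap = attr.get("capability-reference")
        if isinstance(cap, str) and cap.startswith(ELYTRON_PREFIX) \
                and not attr.get("access-constraints"):
            findings.append((path or "/", name, cap))
    # Child resources live under children -> <type> -> model-description -> <name>
    for child_type, child in (desc.get("children") or {}).items():
        for child_name, child_desc in (child.get("model-description") or {}).items():
            findings.extend(find_unconstrained_elytron_refs(
                child_desc, "%s/%s=%s" % (path, child_type, child_name)))
    return findings


def check_output(cli_reply, root):
    """Accept a whole CLI reply (outcome + result) and return the findings
    for the resource tree rooted at `root` (the address that was queried)."""
    if cli_reply.get("outcome") != "success":
        raise ValueError("CLI operation failed: %r" % cli_reply.get("failure-description"))
    return find_unconstrained_elytron_refs(cli_reply["result"], root)


# Constructed sample shaped like /subsystem=undertow:read-resource-description
# (recursive=true).  application-security-domain carries a constraint (the
# classification name is an assumption); the http-invoker attribute does not,
# which is the gap reported above.
SAMPLE_UNDERTOW = {
    "outcome": "success",
    "result": {
        "attributes": {"default-server": {"type": "STRING"}},
        "children": {
            "application-security-domain": {"model-description": {"*": {
                "attributes": {"http-authentication-factory": {
                    "type": "STRING",
                    "capability-reference": "org.wildfly.security.http-authentication-factory",
                    "access-constraints": {"sensitive": {
                        "elytron-security-domain-ref": {"type": "core"}}},
                }},
            }}},
            "server": {"model-description": {"*": {
                "children": {"host": {"model-description": {"*": {
                    "children": {"setting": {"model-description": {"http-invoker": {
                        "attributes": {
                            "path": {"type": "STRING"},
                            "http-authentication-factory": {
                                "type": "STRING",
                                "capability-reference":
                                    "org.wildfly.security.http-authentication-factory",
                            },
                        },
                    }}}},
                }}}},
            }}},
        },
    },
}


def main(argv):
    if len(argv) == 3:
        with open(argv[2]) as f:
            findings = check_output(json.load(f), argv[1])
    else:
        findings = check_output(SAMPLE_UNDERTOW, "/subsystem=undertow")
    for res, attr, cap in findings:
        print("MISSING access-constraints: %s attribute %s -> %s" % (res, attr, cap))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per address the reporter lists (the five subsystem and core-service addresses, plus a deployment and its subdeployments) and diff the findings against the fixed build; an attribute that still appears is one that RBAC will let a role read or write without the sensitivity check that EAP7-548 calls for.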