[jboss-jira] [JBoss JIRA] (WFLY-8974) RBAC, There are missing access-constraint for attributes which referencing elytron capabilities.

Stefan Guilhen (JIRA) issues at jboss.org
Tue Jun 20 22:18:00 EDT 2017


     [ https://issues.jboss.org/browse/WFLY-8974?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Guilhen updated WFLY-8974:
---------------------------------
    Description: 
According to RFE EAP7-548, an access-constraint must be set wherever elytron capabilities are referenced.
6 places were found where the access-constraint is missing.
{code}
/subsystem=undertow:read-resource-description(recursive=true)
{code}
There is http-invoker, attr http-authentication-factory with org.wildfly.security.http-authentication-factory capability.
{code}
/subsystem=datasources:read-resource-description(recursive=true)
{code}
There is xa-data-source, attr recovery-authentication-context with org.wildfly.security.authentication-context capability.
{code}
/subsystem=ejb3:read-resource-description(recursive=true)
{code}
There is identity, attr outflow-security-domains with org.wildfly.security.security-domain capability.
{code}
/core-service=management/management-interface=http-interface:read-resource-description(recursive=true)
{code}
There is sasl-authentication-factory with org.wildfly.security.sasl-authentication-factory capability.
{code}
/deployment=test:read-resource-description(recursive=true)
{code}
There is xa-data-source, attr recovery-authentication-context with org.wildfly.security.authentication-context capability,
and there is the same problem in the subdeployment resource too.


> RBAC, There are missing access-constraint for attributes which referencing elytron capabilities.
> ------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-8974
>                 URL: https://issues.jboss.org/browse/WFLY-8974
>             Project: WildFly
>          Issue Type: Bug
>          Components: Domain Management, Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Stefan Guilhen
>            Assignee: Stefan Guilhen
>            Priority: Critical
>
> According to RFE EAP7-548, an access-constraint must be set wherever elytron capabilities are referenced.
> 6 places were found where the access-constraint is missing.
> {code}
> /subsystem=undertow:read-resource-description(recursive=true)
> {code}
> There is http-invoker, attr http-authentication-factory with org.wildfly.security.http-authentication-factory capability.
> {code}
> /subsystem=datasources:read-resource-description(recursive=true)
> {code}
> There is xa-data-source, attr recovery-authentication-context with org.wildfly.security.authentication-context capability.
> {code}
> /subsystem=ejb3:read-resource-description(recursive=true)
> {code}
> There is identity, attr outflow-security-domains with org.wildfly.security.security-domain capability.
> {code}
> /core-service=management/management-interface=http-interface:read-resource-description(recursive=true)
> {code}
> There is sasl-authentication-factory with org.wildfly.security.sasl-authentication-factory capability.
> {code}
> /deployment=test:read-resource-description(recursive=true)
> {code}
> There is xa-data-source, attr recovery-authentication-context with org.wildfly.security.authentication-context capability,
> and there is the same problem in the subdeployment resource too.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
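
The check described in this report can be run mechanically over the output of read-resource-description(recursive=true). The sketch below is an added example, not code from the WildFly project or from the reporter. It assumes the description is already parsed JSON (the form the HTTP management interface returns) and that an attribute counts as covered only when it carries its own "sensitive" access-constraint; the sample data and the names constrained-example and example-ref are constructed.

```python
ELYTRON_PREFIX = "org.wildfly.security."

def find_unconstrained_refs(desc, path="/"):
    """Return [(resource_path, attribute, capability)] for attributes that
    reference an Elytron capability but declare no sensitive access-constraint."""
    findings = []
    for name, attr in (desc.get("attributes") or {}).items():
        cap = attr.get("capability-reference") or ""
        sensitive = (attr.get("access-constraints") or {}).get("sensitive")
        if cap.startswith(ELYTRON_PREFIX) and not sensitive:
            findings.append((path, name, cap))
    # recursive=true nests children as: children -> type -> model-description -> name
    for child_type, child in (desc.get("children") or {}).items():
        # model-description is undefined (None) when the read was not recursive
        for key, model in (child.get("model-description") or {}).items():
            child_path = f"{path.rstrip('/')}/{child_type}={key}"
            findings.extend(find_unconstrained_refs(model, child_path))
    return findings

# Constructed sample: trimmed description of an undertow host resource,
# shaped like the http-invoker case listed in the report.
SAMPLE = {
    "attributes": {},
    "children": {"setting": {"model-description": {"http-invoker": {
        "attributes": {
            "http-authentication-factory": {
                "capability-reference":
                    "org.wildfly.security.http-authentication-factory"},
            "constrained-example": {  # hypothetical attribute, already constrained
                "capability-reference": "org.wildfly.security.security-domain",
                "access-constraints": {
                    "sensitive": {"example-ref": {"type": "core"}}}},
            "path": {"type": "STRING"},  # no capability reference: ignored
        },
    }}}},
}

if __name__ == "__main__":
    base = "/subsystem=undertow/server=*/host=*"
    for res, attr, cap in find_unconstrained_refs(SAMPLE, base):
        print(f"{res}: {attr} references {cap} without an access-constraint")
```
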

