[jboss-jira] [JBoss JIRA] (WFLY-8750) RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.

Hynek Švábek (JIRA) issues at jboss.org
Thu May 11 07:58:00 EDT 2017


Hynek Švábek created WFLY-8750:
----------------------------------

             Summary: RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.
                 Key: WFLY-8750
                 URL: https://issues.jboss.org/browse/WFLY-8750
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Hynek Švábek
            Assignee: Darran Lofthouse
            Priority: Blocker


This is potentially a security vulnerability, therefore it is a BLOCKER.

Security subsystem contains attributes with capabilities which don't set access-constraint.

All of them have an Elytron compatibility capability and I expect some access constraint there too.

*How to reproduce:*
{code}
/subsystem=security:read-resource-description(recursive=true)
{code}
There are some places where access constraints are missing:
elytron-key-store with *org.wildfly.security.key-store* capability.
elytron-realm with *org.wildfly.security.security-realm* capability.
elytron-trust-manager with *org.wildfly.security.trust-managers* capability.
elytron-key-manager with *org.wildfly.security.key-managers* capability.
elytron-trust-store with *org.wildfly.security.key-store* capability.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
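As an added example (not part of the reporter's issue and not WildFly code): an offline audit that walks the JSON form of a recursive `read-resource-description` result and lists resources that register a capability, or whose attributes carry a capability-reference, without declaring any access-constraints. The sample input is constructed and abbreviated, and the field names (`capabilities`, `capability-reference`, `access-constraints`, `children`/`model-description`) are assumed to match WildFly's description format.

```python
# Constructed, abbreviated stand-in for the JSON output of
# /subsystem=security:read-resource-description(recursive=true).
# Field names are an assumption about WildFly's description format.
SAMPLE = {
    "outcome": "success",
    "result": {
        "children": {
            "elytron-key-store": {"model-description": {"*": {
                "capabilities": [{"name": "org.wildfly.security.key-store", "dynamic": True}],
                "attributes": {},
            }}},
            "elytron-realm": {"model-description": {"*": {
                "capabilities": [{"name": "org.wildfly.security.security-realm", "dynamic": True}],
                "attributes": {},
            }}},
            # A resource that does declare an access constraint: not reported.
            "security-domain": {"model-description": {"*": {
                "access-constraints": {"application": {"security-domain": {"type": "security"}}},
                "attributes": {"ref-attr": {"type": "STRING", "capability-reference": "org.wildfly.security.key-store"}},
            }}},
        }
    },
}


def find_unconstrained(desc, path="/subsystem=security"):
    """Return (address, [capability names]) for every resource in the
    description tree that registers a capability or references one via an
    attribute but has no 'access-constraints' (sensitive or application)."""
    findings = []
    caps = [c["name"] for c in desc.get("capabilities", []) if "name" in c]
    caps += [a["capability-reference"] for a in desc.get("attributes", {}).values()
             if isinstance(a, dict) and "capability-reference" in a]
    if caps and not desc.get("access-constraints"):
        findings.append((path, caps))
    for child_type, child in desc.get("children", {}).items():
        for name, sub in child.get("model-description", {}).items():
            findings.extend(find_unconstrained(sub, f"{path}/{child_type}={name}"))
    return findings


def audit(cli_output):
    """Audit a full CLI response dict; returns the findings list (empty if clean)."""
    if cli_output.get("outcome") != "success":
        raise ValueError("CLI operation did not succeed")
    return find_unconstrained(cli_output["result"])


if __name__ == "__main__":
    for address, caps in audit(SAMPLE):
        print(f"{address}: capabilities {caps} but no access-constraints")
```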
