[jboss-jira] [JBoss JIRA] (WFLY-5740) ContextPolicy checks purely based on names, ignores Principal types

Darran Lofthouse (Jira) issues at jboss.org
Tue Dec 18 08:47:09 EST 2018


     [ https://issues.jboss.org/browse/WFLY-5740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved WFLY-5740.
------------------------------------
      Assignee: Darran Lofthouse  (was: Pedro Igor)
    Resolution: Won't Fix


Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.

> ContextPolicy checks purely based on names, ignores Principal types
> -------------------------------------------------------------------
>
>                 Key: WFLY-5740
>                 URL: https://issues.jboss.org/browse/WFLY-5740
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.0.0.CR4
>            Reporter: Arjan t
>            Assignee: Darran Lofthouse
>            Priority: Major
>
> In {{org.jboss.security.jacc.ContextPolicy}} the {{implies}} method only looks at the names of each {{Principal}} from the passed in {{ProtectionDomain}}, without checking if they're actually a role.
> The collection of these names is then used to check against role based permissions.
> If a user now has a name "expert" and there's also a role called "expert", access will be granted purely based on the user (caller) name. This is of course not correct.
> See the following code:
> {code:java}
> // Check principal to role permissions
> Principal[] principals = domain.getPrincipals();
> int length = principals != null ? principals.length : 0;
> ArrayList<String> principalNames = new ArrayList<String>();
> for (int n = 0; n < length; n ++) {
>    Principal p = principals[n];
>    if( p instanceof Group ) {
>       Group g = (Group) p;
>       Enumeration<? extends Principal> iter = g.members();
>       while(iter.hasMoreElements()) {
>          p = iter.nextElement();
>          // *** ONLY NAME IS USED. TYPE IS IGNORED
>          String name = p.getName();
>          principalNames.add(name);
>       }
>    }
>    else {
>       String name = p.getName();
>       // *** ONLY NAME IS USED. TYPE IS IGNORED
>       principalNames.add(name);
>    }
> }
> principalNames.add(ANY_AUTHENTICATED_USER_ROLE);
> for (int n = 0; implied == false && n < principalNames.size(); n ++) {
>    String name = principalNames.get(n);
>    // *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
>    Permissions perms = rolePermissions.get(name);
>    if( perms == null )
>       continue;
>    implied = perms.implies(permission);
> }
> {code}



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
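The name-versus-role confusion described in the report, as an added Java example that is not code from the issue or from PicketBox: the name-based check grants a caller named "expert" the permissions of the "expert" role, while the type-aware variant only consults principals that are members of the role group. Assumptions: a local Group class stands in for the removed java.security.acl.Group, ResourcePerm stands in for the JACC permission type, and role principals are assumed to live in a group named "Roles".

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.*;

public class RoleCheckDemo {
    /** Plain principal carrying only a name (a caller identity or a role). */
    static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
    }
    /** Stand-in for java.security.acl.Group: a principal that holds member principals. */
    static class Group extends Named {
        final List<Principal> members = new ArrayList<>();
        Group(String name, Principal... ms) { super(name); members.addAll(Arrays.asList(ms)); }
    }
    /** Stand-in for the JACC resource permission (assumption for this example). */
    static class ResourcePerm extends BasicPermission { ResourcePerm(String n) { super(n); } }

    // Assumed convention: role principals are members of a Group with this name.
    static final String ROLE_GROUP = "Roles";

    /** Mirrors the reported logic: every principal name, role or not, is used as a role name. */
    static boolean impliesByName(Principal[] principals, Map<String, Permissions> rolePerms, Permission p) {
        List<String> names = new ArrayList<>();
        for (Principal pr : principals) {
            if (pr instanceof Group) for (Principal m : ((Group) pr).members) names.add(m.getName());
            else names.add(pr.getName());   // caller name leaks into the role lookup
        }
        return anyRoleImplies(names, rolePerms, p);
    }

    /** Hardened variant: only members of the role group are treated as roles. */
    static boolean impliesByRole(Principal[] principals, Map<String, Permissions> rolePerms, Permission p) {
        List<String> roles = new ArrayList<>();
        for (Principal pr : principals)
            if (pr instanceof Group && ROLE_GROUP.equals(pr.getName()))
                for (Principal m : ((Group) pr).members) roles.add(m.getName());
        return anyRoleImplies(roles, rolePerms, p);
    }

    static boolean anyRoleImplies(List<String> roles, Map<String, Permissions> rolePerms, Permission p) {
        for (String r : roles) {
            Permissions perms = rolePerms.get(r);
            if (perms != null && perms.implies(p)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Permissions expertPerms = new Permissions();
        expertPerms.add(new ResourcePerm("/admin/reports"));
        Map<String, Permissions> rolePerms = Map.of("expert", expertPerms);
        // Constructed caller: user name "expert", but only the "user" role.
        Principal[] caller = { new Named("expert"), new Group(ROLE_GROUP, new Named("user")) };
        Permission want = new ResourcePerm("/admin/reports");
        System.out.println("name-based check grants: " + impliesByName(caller, rolePerms, want));
        System.out.println("role-based check grants: " + impliesByRole(caller, rolePerms, want));
    }
}
```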