Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR17
Affects Version/s: 7.1.0.DR16
Component/s: Security
Labels:
- eap7.1-rfe-failure
- eap71_beta_candidate

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly-security-incubator/wildfly-core/pull/131

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

New default Elytron ApplicationDomain security domain allows anonymous authentication but PicketBox's default security other does not. As it's expected that ApplicationDomain should be equivalent to other security domain this should behave the same.

Customer impact: If customer switches from PicketBox to Elytron default security domain then it brings risk of unintentional permission of anonymous authentication. This would be security hole.

This is ongoing discussion from ~~JBEAP-9117~~ where this is discussed for messaging subsystem however this decision affects other subsystems and goes beyond messaging.

blocks

JBEAP-9117 Messaging SecurityTestCase fails with Elytron profile in AS TS

Closed

is cloned by

WFCORE-2666 Elytron ApplicationDomain allows anonymous authentication

Resolved

is incorporated by

JBEAP-10387 Bulk backport Elytron wfcore changes

Closed

JBEAP-10119 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta16

Closed

Assignee:: Darran Lofthouse

Reporter:: Miroslav Novak

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2017/04/12 6:05 AM

Updated:: 2024/09/02 3:56 PM

Resolved:: 2017/04/18 11:00 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates