Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10309

Elytron ApplicationDomain allows anonymous authentication


      New default Elytron ApplicationDomain security domain allows anonymous authentication but PicketBox's default security other does not. As it's expected that ApplicationDomain should be equivalent to other security domain this should behave the same.

      Customer impact: If customer switches from PicketBox to Elytron default security domain then it brings risk of unintentional permission of anonymous authentication. This would be security hole.

      This is ongoing discussion from JBEAP-9117 where this is discussed for messaging subsystem however this decision affects other subsystems and goes beyond messaging.

            darran.lofthouse@redhat.com Darran Lofthouse
            mnovak1@redhat.com Miroslav Novak
            0 Vote for this issue
            3 Start watching this issue