WildFly Core: WFCORE-2666

Elytron ApplicationDomain allows anonymous authentication

    Details

      Description

      The new default Elytron security domain, ApplicationDomain, allows anonymous authentication, but the PicketBox default security domain "other" does not. Since ApplicationDomain is expected to be the equivalent of the "other" security domain, it should behave the same way.

      Customer impact: if a customer switches from the PicketBox default security domain to the Elytron default security domain, there is a risk of unintentionally permitting anonymous authentication. This would be a security hole.

      This continues the discussion in JBEAP-9117, where the issue was raised for the messaging subsystem; however, the decision affects other subsystems and goes beyond messaging.
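      The following Elytron subsystem fragment is an added illustration of the mechanism behind this report; it is not the WFCORE-2666 patch and not copied from the WildFly default configuration. In Elytron an identity may complete authentication only if the security domain's permission mapper grants it org.wildfly.security.auth.permission.LoginPermission, and the anonymous identity carries the principal name "anonymous". The assumed weak setting is a catch-all mapping that also matches anonymous; the hardened variant (given the assumed name "no-anonymous-permission-mapper" so both can be shown together) lists anonymous first with no LoginPermission. Only one mapper would be referenced by the domain in a real standalone.xml.

```xml
<!-- Added illustration (not the project's own configuration or fix). -->
<subsystem xmlns="urn:wildfly:elytron:1.0">
    <security-domains>
        <!-- Point permission-mapper at the hardened mapper below to deny anonymous. -->
        <security-domain name="ApplicationDomain" default-realm="ApplicationRealm"
                         permission-mapper="default-permission-mapper">
            <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
        </security-domain>
    </security-domains>
    <mappers>
        <!-- WEAK (assumed): match-all grants LoginPermission to every principal,
             so the anonymous identity is allowed to authenticate. -->
        <simple-permission-mapper name="default-permission-mapper">
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>

        <!-- HARDENED (assumed name): mapping-mode="first" (also the default) makes the
             first matching entry win. The anonymous principal matches here and is
             granted no LoginPermission, so it is rejected, like PicketBox's "other".
             Every other principal falls through to the match-all entry. -->
        <simple-permission-mapper name="no-anonymous-permission-mapper" mapping-mode="first">
            <permission-mapping>
                <principal name="anonymous"/>
                <!-- intentionally no LoginPermission -->
            </permission-mapping>
            <permission-mapping match-all="true">
                <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
            </permission-mapping>
        </simple-permission-mapper>
    </mappers>
</subsystem>
```

      To check a deployment, attempt a remote connection (for example a remoting, EJB or messaging client) without supplying credentials and confirm it is refused; with the weak mapper above it succeeds as anonymous.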


                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  dlofthouse Darran Lofthouse