Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-490 Domain Management Role Based Access Control
  3. WFLY-1985

read-attribute operation is leaking value when user is not authorized to read that attribute

XMLWordPrintable

      This is affecting native interface and consequently CLI - HTTP and JMX have the correct behavior as they aren't simply forwarding the result of native interface. 

      [standalone@localhost:9990 /] :whoami(verbose=true)
{
    "outcome" => "success",
    "result" => {"identity" => {
        "username" => "monitor",
        "realm" => "ManagementRealm"
    }}
}
[standalone@localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:read-attribute(name=password)
{
    "outcome" => "failed",
    "result" => "sa",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
    (\"subsystem\" => \"datasources\"),
    (\"data-source\" => \"ExampleDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}

              lthon@redhat.com Ladislav Thon
              jcechace@redhat.com Jakub Čecháček (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: