WildFly / WFLY-490 Domain Management Role Based Access Control / WFLY-1985

read-attribute operation is leaking value when user is not authorized to read that attribute

    Description

      This is affecting the native interface and consequently the CLI. HTTP and JMX have the correct behavior, as they aren't simply forwarding the result of the native interface.

      [standalone@localhost:9990 /] :whoami(verbose=true)
      {
          "outcome" => "success",
          "result" => {"identity" => {
              "username" => "monitor",
              "realm" => "ManagementRealm"
          }}
      }
      [standalone@localhost:9990 /] /subsystem=datasources/data-source=ExampleDS:read-attribute(name=password)
      {
          "outcome" => "failed",
          "result" => "sa",
          "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
          (\"subsystem\" => \"datasources\"),
          (\"data-source\" => \"ExampleDS\")
      ]' -- \"Permission denied\"",
          "rolled-back" => true
      }
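
A regression check for the behavior reported above, as an added example that is not part of the original issue or of WildFly's code: it parses CLI output and flags any access-control failure whose `result` is still defined. The function names, the parser (which covers only the DMR text subset shown here), the denial markers taken from the message text, and the `CLEAN` sample (an assumed expected shape) are assumptions made for this example.

```python
import json
import re

# Response copied from the issue above (user "monitor", native interface / CLI).
LEAKY = r'''{
    "outcome" => "failed",
    "result" => "sa",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' for resource '[
    (\"subsystem\" => \"datasources\"),
    (\"data-source\" => \"ExampleDS\")
]' -- \"Permission denied\"",
    "rolled-back" => true
}'''

# Constructed sample (assumed expected shape): same denial, result undefined.
CLEAN = r'''{
    "outcome" => "failed",
    "result" => undefined,
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-attribute' -- \"Permission denied\"",
    "rolled-back" => true
}'''

# A quoted string (kept verbatim), the "=>" separator, or the bare word undefined.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|=>|\bundefined\b', re.S)
DENIAL_MARKERS = ("Unauthorized to execute operation", "Permission denied")


def parse_cli_response(text):
    """Parse the DMR text subset shown on this page (strings, booleans, objects)."""
    def to_json(match):
        tok = match.group(0)
        return {"=>": ":", "undefined": "null"}.get(tok, tok)
    # strict=False accepts the raw newlines inside failure-description.
    return json.loads(TOKEN.sub(to_json, text), strict=False)


def leaks_on_denial(resp):
    """True when an access-control failure still carries a defined result."""
    desc = str(resp.get("failure-description", ""))
    denied = resp.get("outcome") == "failed" and any(m in desc for m in DENIAL_MARKERS)
    return denied and resp.get("result") is not None


if __name__ == "__main__":
    for name, text in (("issue response", LEAKY), ("constructed clean", CLEAN)):
        print(name, "-> leak" if leaks_on_denial(parse_cli_response(text)) else "-> ok")
```
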
      

          People

            lthon@redhat.com Ladislav Thon
            jcechace@redhat.com Jakub Čecháček