WildFly / WFLY-5740

ContextPolicy checks purely based on names, ignores Principal types

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 10.0.0.CR4
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None

      Description

      In org.jboss.security.jacc.ContextPolicy, the implies method only looks at the names of each Principal from the passed-in ProtectionDomain, without checking if they're actually a role.

      The collection of these names is then used to check against role based permissions.

      If a user now has a name "expert" and there's also a role called "expert", access will be granted purely based on the user (caller) name. This is of course not correct.

      See the following code:

      // Check principal to role permissions
      Principal[] principals = domain.getPrincipals();
      int length = principals != null ? principals.length : 0;
      ArrayList<String> principalNames = new ArrayList<String>();
      
      for (int n = 0; n < length; n ++) {
         Principal p = principals[n];
         if( p instanceof Group ) {
            Group g = (Group) p;
            Enumeration<? extends Principal> iter = g.members();
            while(iter.hasMoreElements()) {
               p = iter.nextElement();
               // *** ONLY NAME IS USED. TYPE IS IGNORED
               String name = p.getName();
               principalNames.add(name);
            }
         }
         else {
            String name = p.getName();
            // *** ONLY NAME IS USED. TYPE IS IGNORED
            principalNames.add(name);
         }
      }
      
      principalNames.add(ANY_AUTHENTICATED_USER_ROLE);
      
      for (int n = 0; implied == false && n < principalNames.size(); n ++) {
         String name = principalNames.get(n);
         // *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
         Permissions perms = rolePermissions.get(name);
         if( perms == null )
            continue;
         implied = perms.implies(permission);
      }
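
The name collision described above, as an added example that is not part of the original report and is not WildFly's own code. The classes CallerPrincipal, RolePrincipal and DemoPermission and the resource name are hypothetical, and the lookup is simplified (no Group expansion, no ANY_AUTHENTICATED_USER_ROLE); the type-aware variant is one possible check, not a fix taken from the project.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class RoleNameCollisionDemo {
    // Hypothetical principal types; the report does not name concrete classes.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class CallerPrincipal extends NamedPrincipal { CallerPrincipal(String n) { super(n); } }
    static final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }
    static final class DemoPermission extends BasicPermission { DemoPermission(String n) { super(n); } }

    // Simplified form of the quoted lookup: every principal name is tried as a role name.
    static boolean impliesByName(Principal[] ps, Map<String, Permissions> rolePerms, Permission perm) {
        for (Principal p : ps) {
            Permissions perms = rolePerms.get(p.getName());
            if (perms != null && perms.implies(perm)) return true;
        }
        return false;
    }

    // Type-aware variant: only principals that represent roles are looked up.
    static boolean impliesByRole(Principal[] ps, Map<String, Permissions> rolePerms, Permission perm) {
        for (Principal p : ps) {
            if (!(p instanceof RolePrincipal)) continue; // a caller name is never treated as a role
            Permissions perms = rolePerms.get(p.getName());
            if (perms != null && perms.implies(perm)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Permissions expertPerms = new Permissions();
        expertPerms.add(new DemoPermission("expert-only-resource"));
        Map<String, Permissions> rolePerms = new HashMap<>();
        rolePerms.put("expert", expertPerms);
        // Constructed caller: user NAME is "expert", but the only ROLE held is "user".
        Principal[] caller = { new CallerPrincipal("expert"), new RolePrincipal("user") };
        Permission wanted = new DemoPermission("expert-only-resource");
        System.out.println("name-only check grants access:  " + impliesByName(caller, rolePerms, wanted));
        System.out.println("type-aware check grants access: " + impliesByRole(caller, rolePerms, wanted));
    }
}
```

With the constructed caller, the name-only check grants the permission because the user name equals a role name, while the type-aware check denies it.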
      

              People

              • Assignee: dlofthouse Darran Lofthouse
              • Reporter: arjant Arjan t
              • Votes: 1
              • Watchers: 5