Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7143

Unsafe Elytron role/permission mapping

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 11.0.0.Alpha1
    • None
    • Security
    • None

    Description

      Default Elytron configuration assigns role "All" to every user during authentication. If a deployed application uses such the role name for a resource protection, then every authenticated user can access the protected resource. So the security is bypassed then.

      The problem is caused by workaround used for mapping "LoginPermission" to all users. It maps role "All" to the users first and then maps "LoginPermission" to this role.

      <mappers>
    <simple-permission-mapper name="login-permission-mapper">
        <permission-mapping roles="All">
            <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
        </permission-mapping>
    </simple-permission-mapper>
    <constant-role-mapper name="constant-roles" roles="All"/>
</mappers>

      We have to make the default server configuration secure for users.

      Suggestions for improvement:

      • the LoginPermission mapping should be implicit so everybody has it by default - without specifying it in the server configuration; users should only define cases when they don't want the permission to be assigned to some principals/roles
      • constant permission mapper should exist in Elytron subsystem (similar to constant-role-mapper) so the custom permission can be mapped without workarounds through role-mappings

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-6070 Unsafe Elytron role/permission mapping

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-641 Unsafe Elytron role/permission mapping

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-7246 Upgrade to version 1.0.0.Alpha11 of the Elytron Subsystem

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: