WildFly / WFLY-8749

RBAC: there are missing access-constraints for attributes which reference Elytron capabilities.

    Details

    • Security Sensitive Issue:
      This issue is security relevant

      Description

      This is potentially a security vulnerability, therefore it is a BLOCKER.

      According to RFE EAP7-548, an access-constraint must be set wherever Elytron capabilities are referenced.

      I found 6 places where the access-constraint is missing.

      /subsystem=undertow:read-resource-description(recursive=true)

      There is http-invoker, attribute http-authentication-factory, with the org.wildfly.security.http-authentication-factory capability.

      /subsystem=datasources:read-resource-description(recursive=true)

      There is xa-data-source, attribute recovery-authentication-context, with the org.wildfly.security.authentication-context capability.

      /subsystem=ejb3:read-resource-description(recursive=true)

      There is identity, attribute outflow-security-domains, with the org.wildfly.security.security-domain capability.

      /core-service=management/management-interface=http-interface:read-resource-description(recursive=true)

      There is sasl-authentication-factory, with the org.wildfly.security.sasl-authentication-factory capability.

      /deployment=test:read-resource-description(recursive=true)

      There is xa-data-source, attribute recovery-authentication-context, with the org.wildfly.security.authentication-context capability,
      and there is the same problem in the subdeployment resource too.
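      As a defender-side check for the findings above, here is an added example (not part of this issue or of WildFly's own code) that walks a read-resource-description(recursive=true) response in the JSON shape the CLI emits and lists every attribute that references an org.wildfly.security.* capability without an access-constraints block. The sample response, the wrap helper and the constraint name inside it are constructed for illustration.

```python
# Audit a WildFly read-resource-description(recursive=true) result for
# attributes that reference an Elytron capability but carry no
# access-constraints block. All sample data here is constructed.

ELYTRON_PREFIX = "org.wildfly.security."

def find_unconstrained(desc, address):
    """Walk a resource description ('attributes' plus 'children' -> child
    type -> 'model-description' -> child name -> nested description) and
    return (address, attribute, capability) for every Elytron-referencing
    attribute that declares no access-constraints."""
    findings = []
    for name, attr in desc.get("attributes", {}).items():
        cap = attr.get("capability-reference", "")
        if cap.startswith(ELYTRON_PREFIX) and not attr.get("access-constraints"):
            findings.append((address, name, cap))
    for child_type, child in desc.get("children", {}).items():
        for child_name, sub in child.get("model-description", {}).items():
            findings.extend(find_unconstrained(sub, f"{address}/{child_type}={child_name}"))
    return findings

def http_invoker_desc(constrained):
    """Constructed description of undertow's http-invoker setting; with
    constrained=True the Elytron reference carries an access-constraint."""
    factory = {"type": "STRING",
               "capability-reference": ELYTRON_PREFIX + "http-authentication-factory"}
    if constrained:  # constraint name below is a placeholder, not WildFly's
        factory["access-constraints"] = {
            "sensitive": {"example-elytron-ref": {"type": "undertow"}}}
    return {"attributes": {"path": {"type": "STRING"},
                           "http-authentication-factory": factory}}

def sample_response(constrained=False):
    """Constructed response for /subsystem=undertow:read-resource-description."""
    def wrap(child_type, child_name, desc):
        return {"children": {child_type: {"model-description": {child_name: desc}}}}
    host = wrap("setting", "http-invoker", http_invoker_desc(constrained))
    subsystem = wrap("server", "*", wrap("host", "*", host))
    subsystem["attributes"] = {"default-server": {"type": "STRING"}}
    return {"outcome": "success", "result": subsystem}

def audit(response, root="/subsystem=undertow"):
    """Return the findings for one CLI response; an empty list means clean."""
    return find_unconstrained(response["result"], root)

if __name__ == "__main__":
    for addr, attr, cap in audit(sample_response()):
        print(f"{addr}: '{attr}' references {cap} with no access-constraint")
```

      Feeding it the real output of each command listed above (run with the CLI's JSON output mode) reproduces the six findings; once the access-constraints are in place the audit returns an empty list.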

                People

                • Assignee: sguilhen Stefan Guilhen
                • Reporter: hsvabek Hynek Švábek