Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8750

RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.

    Details

      Description

      This is potentially security vulnerability therefore it is BLOCKER.

      Security subsystem contains attributes with capabilities which don't set access-constraint.

      All of them have Elytron compatibility capability and I expect there some access constraint too.

      How to reproduce:

      /subsystem=security:read-resource-description(recursive=true)
      

      There are some places where missing access constraints.
      elytron-key-store with org.wildfly.security.key-store capability.
      elytron-realm with org.wildfly.security.security-realm capability.
      elytron-trust-manager with org.wildfly.security.trust-managers capability.
      elytron-key-manager with org.wildfly.security.key-managers capability.
      elytron-trust-store with org.wildfly.security.key-store capability.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  hsvabek Hynek Švábek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: