Details
-
Bug
-
Resolution: Done
-
Critical
-
11.0.0.Alpha1
-
None
Description
Security subsystem contains attributes with capabilities which don't set access-constraint.
How to reproduce:
/subsystem=security:read-resource-description(recursive=true)
Resources elytron-realm, elytron-key-store, elytron-trust-store, elytron-key-manager and elytron-trust-manager all contain attributes that reference a JAAS security domain and that are missing the SECURITY_DOMAIN_REF constraint.
Furthermore, these resources expose Elytron capabilities and they should also define access constraints. In the Elytron subsystem all resources exposing capabilities use constraints named "elytron-security" and the legacy subsystem resources should follow the same convention for consistency.