JBAS-1723: The JACC policy should be consulted for an 'unauthenticated caller'
Project: Application Server 3, 4, 5 and 6

Description

      Currently JACC authorization happens only if the caller is authenticated.
      If the caller is not authenticated, JBoss simply calls the next Interceptor.

      Code snippet from JaccAuthorizationInterceptor.checkSecurityAssociation():
      ...
      // Get the caller, return if there is no authenticated caller
      Subject caller = SecurityActions.getContextSubject();
      if( caller == null )
          return null;
      ...

      Why can an unauthenticated caller invoke 'everything', whereas an authenticated caller gets authorized?

      Of course, it can be assumed that a LoginModule is used.
      We ran into this by using runAs in a MDB.
      Authorization is based on authentication, and if authentication was not done properly, an exception would be appropriate.
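As an added example (not JBoss code, and not the fix the project shipped), the early-return check above is shown beside a fail-closed variant that consults the policy even when no Subject is present. DemoPolicy and MethodPermission are constructed stand-ins for the JACC policy provider and EJBMethodPermission, and the principal "alice" is sample data.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class JaccCheckDemo {
    // Constructed stand-in for the JACC policy provider: a permission is
    // implied only for a ProtectionDomain carrying a principal it was granted to.
    static final class DemoPolicy extends Policy {
        private final Map<String, Set<String>> grants = new HashMap<>();
        DemoPolicy grant(String permName, String principalName) {
            grants.computeIfAbsent(permName, k -> new HashSet<>()).add(principalName);
            return this;
        }
        @Override public boolean implies(ProtectionDomain pd, Permission p) {
            Set<String> allowed = grants.getOrDefault(p.getName(), Collections.emptySet());
            for (Principal pr : pd.getPrincipals()) if (allowed.contains(pr.getName())) return true;
            return false;
        }
    }
    // Hypothetical stand-in for javax.security.jacc.EJBMethodPermission.
    static final class MethodPermission extends BasicPermission {
        MethodPermission(String name) { super(name); }
    }
    // A JACC-style query: the caller's principals form the ProtectionDomain
    // handed to the Policy. A null Subject simply yields an empty principal set.
    static boolean policyAllows(Subject caller, Permission required) {
        Principal[] ps = caller == null ? new Principal[0]
                                        : caller.getPrincipals().toArray(new Principal[0]);
        return Policy.getPolicy().implies(new ProtectionDomain(null, null, null, ps), required);
    }
    // Behaviour the report describes: a missing Subject skips the check entirely.
    static boolean checkFailOpen(Subject caller, Permission required) {
        if (caller == null) return true;          // unauthenticated caller is never checked
        return policyAllows(caller, required);
    }
    // Fail closed: the policy is consulted with whatever principals exist (possibly
    // none), so only a permission granted to everyone passes; otherwise an exception.
    static void checkFailClosed(Subject caller, Permission required) {
        if (!policyAllows(caller, required))
            throw new SecurityException("access to " + required.getName() + " denied for "
                + (caller == null ? "unauthenticated caller" : caller.getPrincipals()));
    }
    public static void main(String[] args) {
        Policy.setPolicy(new DemoPolicy().grant("Account.withdraw", "alice"));
        Permission withdraw = new MethodPermission("Account.withdraw");
        Subject alice = new Subject();
        alice.getPrincipals().add((Principal) () -> "alice");
        System.out.println("alice, fail-open : " + checkFailOpen(alice, withdraw));
        System.out.println("nobody, fail-open: " + checkFailOpen(null, withdraw));
        try { checkFailClosed(null, withdraw); }
        catch (SecurityException e) { System.out.println("nobody, fail-closed: " + e.getMessage()); }
    }
}
```

The fail-open variant returns true for the unauthenticated caller without ever asking the policy, which is exactly the gap the report describes; the fail-closed variant refuses it unless the policy grants the permission to everyone.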

      People

        starksm64 Scott Stark (Inactive)
        wv-javacoder Roland Räz (Inactive)