PicketBox SECURITY-680: AbstractServerLoginModule.commit() always adds the identity Principal to the CallerPrincipal group


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Versions: PicketBox_4_0_10.Final, PicketBox_v4_0_9.Final
    • Component: JBossSX

    Description

      Since EAP 6, AbstractServerLoginModule.commit() contains the following piece of code just before getRoleSets() is called:

      // add the CallerPrincipal group
      Group callerGroup = getCallerPrincipalGroup(principals);
      if (callerGroup == null)
      {
         callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
         callerGroup.addMember(identity);
         principals.add(callerGroup);
      }

      Since getRoleSets() is also expected to return the CallerPrincipal group (as the documentation specifies), the identity frequently ends up as an extra member of that group.

      As a result, the Principal used when authenticating is sometimes not the intended CallerPrincipal member but the identity; which of the two is returned depends on the iteration order of the HashMap backing SimpleGroup. This can lead to security problems.

      From the Javadoc of getRoleSets():
      "A second common group is 'CallerPrincipal' that provides the application identity of the user rather than the security domain identity."

      JBoss EAP 6, however, creates this CallerPrincipal group itself, with the identity SimplePrincipal as its sole member. The CallerPrincipal group returned by getRoleSets() is then merged into it, which is how the group ends up with two members.

      One solution would be to move the piece of code above to the end of the commit() method. That way, if getRoleSets() returns a CallerPrincipal group it is left unmodified, and if it does not, a new CallerPrincipal group is created as before.
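      As an added illustration (not PicketBox code), a minimal Java model of the two commit() orderings: with the CallerPrincipal step before the getRoleSets() merge, the group holds both the security-domain identity and the application principal; moved after the merge, it holds only what getRoleSets() returned. Named, Group, findGroup, ensureCallerGroup, mergeRoleSets and callerMembers are hypothetical stand-ins for the PicketBox types and methods, and the principal names are constructed sample values.

```java
import java.security.Principal;
import java.util.*;
public class CallerPrincipalOrdering {
    static final String CALLER_PRINCIPAL_GROUP = "CallerPrincipal";
    // Minimal named principal, standing in for SimplePrincipal.
    static class Named implements Principal {
        final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return name; }
    }
    // Hypothetical stand-in for SimpleGroup: a named principal that holds members.
    static class Group extends Named {
        final Set<Principal> members = new LinkedHashSet<>();
        Group(String name) { super(name); }
    }
    static Group findGroup(String name, Set<Principal> principals) {
        return (Group) principals.stream().filter(p -> p instanceof Group && p.getName().equals(name)).findFirst().orElse(null);
    }
    // The "add the CallerPrincipal group" step quoted in the description.
    static void ensureCallerGroup(Set<Principal> principals, Principal identity) {
        if (findGroup(CALLER_PRINCIPAL_GROUP, principals) != null) return;
        Group g = new Group(CALLER_PRINCIPAL_GROUP);
        g.members.add(identity);
        principals.add(g);
    }
    // Copies each getRoleSets() group into the same-named subject group, creating it when absent.
    static void mergeRoleSets(Set<Principal> principals, Group... roleSets) {
        for (Group g : roleSets) {
            Group target = findGroup(g.getName(), principals);
            if (target == null) principals.add(target = new Group(g.getName()));
            target.members.addAll(g.members);
        }
    }
    // Models commit(): identity is the security-domain principal, getRoleSets() supplies the app identity.
    static Set<Principal> callerMembers(boolean callerGroupBeforeRoleSets) {
        Set<Principal> principals = new LinkedHashSet<>();
        Principal identity = new Named("uid=alice,ou=people");   // constructed sample value
        Group fromRoleSets = new Group(CALLER_PRINCIPAL_GROUP);
        fromRoleSets.members.add(new Named("alice"));             // constructed sample value
        if (callerGroupBeforeRoleSets) ensureCallerGroup(principals, identity);   // EAP 6 placement
        mergeRoleSets(principals, fromRoleSets);
        if (!callerGroupBeforeRoleSets) ensureCallerGroup(principals, identity);  // proposed placement
        return findGroup(CALLER_PRINCIPAL_GROUP, principals).members;
    }
    public static void main(String[] args) {
        System.out.println("current order: " + callerMembers(true));
        System.out.println("proposed fix:  " + callerMembers(false));
    }
}
```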


People

    Assignee: Stefan Guilhen (sguilhen)
    Reporter: Tom Fonteyne (tfonteyn, inactive)
