Details
Type: Bug
Resolution: Won't Do
Priority: Major
Version: 10.0.0.CR4
Description
In org.jboss.security.jacc.ContextPolicy the implies method only looks at the name of each Principal from the passed-in ProtectionDomain, without checking whether that principal is actually a role.
The collection of these names is then used to look up role-based permissions.
If a user has the name "expert" and there is also a role called "expert", access is granted purely on the basis of the user (caller) name. This is of course not correct: a caller principal and a role principal are distinct kinds of identity, and a match on name alone lets a user name stand in for a role.
See the following code:
    // Check principal to role permissions
    Principal[] principals = domain.getPrincipals();
    int length = principals != null ? principals.length : 0;
    ArrayList<String> principalNames = new ArrayList<String>();
    for (int n = 0; n < length; n ++)
    {
        Principal p = principals[n];
        if( p instanceof Group )
        {
            Group g = (Group) p;
            Enumeration<? extends Principal> iter = g.members();
            while(iter.hasMoreElements())
            {
                p = iter.nextElement();
                // *** ONLY NAME IS USED. TYPE IS IGNORED
                String name = p.getName();
                principalNames.add(name);
            }
        }
        else
        {
            String name = p.getName();
            // *** ONLY NAME IS USED. TYPE IS IGNORED
            principalNames.add(name);
        }
    }
    principalNames.add(ANY_AUTHENTICATED_USER_ROLE);
    for (int n = 0; implied == false && n < principalNames.size(); n ++)
    {
        String name = principalNames.get(n);
        // *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
        Permissions perms = rolePermissions.get(name);
        if( perms == null )
            continue;
        implied = perms.implies(permission);
    }
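The following self-contained program is an added example and is not JBoss code. It reproduces the reported logic side by side with a variant that only treats members of the roles group as roles, so the name collision described above can be tried directly. The stand-in types (ResourcePermission, CallerPrincipal, RolesGroup) and the group name "Roles" are assumptions for the demo; they replace ProtectionDomain and java.security.acl.Group (removed from the JDK in Java 14) so that the program compiles on a current JDK. The constructed role-to-permission map and the two callers are made up for the demonstration.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example, not JBoss code: caller-name vs. role-name matching in a role permission check. */
public class RoleNameCheckDemo {

    /** Stand-in for a JACC role-based permission; BasicPermission gives exact-name matching. */
    static final class ResourcePermission extends BasicPermission {
        ResourcePermission(String name) { super(name); }
    }

    /** Identifies the authenticated user. A caller principal is not a role. */
    static final class CallerPrincipal implements Principal {
        private final String name;
        CallerPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Stand-in for the roles group (assumed name "Roles"); its members are the caller's roles. */
    static final class RolesGroup implements Principal {
        static final String NAME = "Roles";
        private final List<Principal> members = new ArrayList<>();
        RolesGroup(String... roles) {
            for (String r : roles) members.add(new CallerPrincipal(r));
        }
        @Override public String getName() { return NAME; }
        List<Principal> members() { return members; }
    }

    static final String ANY_AUTHENTICATED_USER_ROLE = "**";

    /** Mirrors the reported logic: every principal name, whatever its type, is treated as a role name. */
    static boolean impliesByAnyName(Map<String, Permissions> rolePermissions,
                                    List<Principal> principals, Permission wanted) {
        List<String> names = new ArrayList<>();
        for (Principal p : principals) {
            if (p instanceof RolesGroup) {
                for (Principal member : ((RolesGroup) p).members()) names.add(member.getName());
            } else {
                names.add(p.getName()); // the caller's own name lands in the role list
            }
        }
        return anyRoleImplies(rolePermissions, names, wanted);
    }

    /** Only members of the roles group are role names; other principals are ignored for the check. */
    static boolean impliesByRoleOnly(Map<String, Permissions> rolePermissions,
                                     List<Principal> principals, Permission wanted) {
        List<String> names = new ArrayList<>();
        for (Principal p : principals) {
            if (p instanceof RolesGroup) {
                for (Principal member : ((RolesGroup) p).members()) names.add(member.getName());
            }
        }
        return anyRoleImplies(rolePermissions, names, wanted);
    }

    /** Shared tail of both checks: add the any-authenticated pseudo-role, then look up each name. */
    private static boolean anyRoleImplies(Map<String, Permissions> rolePermissions,
                                          List<String> roleNames, Permission wanted) {
        roleNames.add(ANY_AUTHENTICATED_USER_ROLE);
        for (String role : roleNames) {
            Permissions perms = rolePermissions.get(role);
            if (perms != null && perms.implies(wanted)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed policy: only the role "expert" may use the admin console.
        Map<String, Permissions> rolePermissions = new HashMap<>();
        Permissions expertPerms = new Permissions();
        expertPerms.add(new ResourcePermission("admin.console"));
        rolePermissions.put("expert", expertPerms);
        Permission wanted = new ResourcePermission("admin.console");

        // Constructed caller whose user name is "expert" but whose only role is "guest".
        List<Principal> userNamedExpert = List.of(new CallerPrincipal("expert"), new RolesGroup("guest"));
        // Constructed caller "alice" who actually holds the role "expert".
        List<Principal> realExpert = List.of(new CallerPrincipal("alice"), new RolesGroup("expert"));

        System.out.println("user 'expert', role guest, any-name check : " + impliesByAnyName(rolePermissions, userNamedExpert, wanted));
        System.out.println("user 'expert', role guest, role-only check: " + impliesByRoleOnly(rolePermissions, userNamedExpert, wanted));
        System.out.println("user 'alice', role expert, role-only check: " + impliesByRoleOnly(rolePermissions, realExpert, wanted));
    }
}
```

The first check grants the user named "expert" access on the strength of the name alone, which is the behaviour reported above; the role-only variant denies that caller and still grants "alice", who really holds the role. The point of the split is that role lookup should be driven by which principals are roles, not by string equality across every principal in the domain.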