Bug 1022778 - RBAC: Add READ_WHOLE_CONFIG sensitivity classification to "describe" op; enforce constraint on "describe" and "read-config-as-xml"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ER7
Target Release: EAP 6.2.0
Assignee: Brian Stansberry
QA Contact: Ladislav Thon
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-24 03:10 UTC by Brian Stansberry
Modified: 2013-12-15 16:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-12-15 16:18:50 UTC
Type: Bug
Embargoed:



Description Brian Stansberry 2013-10-24 03:10:49 UTC
EAP includes a couple of unusual operations that allow reads of chunks or all of the model: "read-config-as-xml" and the internal-only "describe". These operations should have sensitive resource constraints to ensure that they don't provide an alternate way of reading resources.

A couple of fixes need to be backported from WildFly related to these:

1) Add the READ_WHOLE_CONFIG sensitivity constraint to the "describe" op.

2) Alter the execution of both so the constraint is properly enforced.
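The point of the report is that an operation returning the whole model sidesteps every per-resource read check unless the operation itself carries a sensitivity constraint that is enforced at execution time. The toy model below is an added example and is not EAP or WildFly code: the role names and the set of roles assumed to be allowed to read sensitive data (Administrator, Auditor, SuperUser) follow the EAP 6.2 role model as assumed here, while the resource tree, the "CREDENTIAL" label and the operation table are constructed for illustration.

```python
# Added example: a toy model of the RBAC sensitivity check this bug is about.
# It is not EAP/WildFly code. Role names and SENSITIVE_READERS are assumptions
# about the EAP 6.2 role model; MODEL, RESOURCE_SENSITIVITY and the operation
# tables are constructed for illustration.
from dataclasses import dataclass

# Assumption: only these standard roles may read data classified as sensitive.
SENSITIVE_READERS = frozenset({"Administrator", "Auditor", "SuperUser"})


@dataclass
class Operation:
    name: str
    sensitivities: frozenset = frozenset()
    reads_whole_model: bool = False  # returns every resource in one call


# Constructed model tree with one resource that a per-resource read protects.
DS_ADDR = "/subsystem=datasources/data-source=ExampleDS"
MODEL = {
    DS_ADDR: {"password": "constructed-secret"},
    "/subsystem=logging": {"level": "INFO"},
}
RESOURCE_SENSITIVITY = {DS_ADDR: "CREDENTIAL"}  # constructed classification


def check_sensitivity(role, sensitivities):
    """Reject any sensitive access for roles outside SENSITIVE_READERS."""
    if sensitivities and role not in SENSITIVE_READERS:
        raise PermissionError(
            f"{role} may not access data classified {sorted(sensitivities)}")


def read_resource(role, address):
    """Ordinary per-resource read: the resource's own classification is checked."""
    sens = RESOURCE_SENSITIVITY.get(address)
    check_sensitivity(role, frozenset({sens}) if sens else frozenset())
    return MODEL[address]


def execute(role, op):
    """Run a whole-model operation. The constraint has to be enforced here,
    when the op executes; a classification that is only described but not
    checked leaves the bypass open."""
    check_sensitivity(role, op.sensitivities)
    return dict(MODEL) if op.reads_whole_model else {}


BEFORE_FIX = {
    "read-config-as-xml": Operation("read-config-as-xml",
                                    frozenset({"READ_WHOLE_CONFIG"}), True),
    "describe": Operation("describe", frozenset(), True),  # bug: unclassified
}
AFTER_FIX = {
    **BEFORE_FIX,
    "describe": Operation("describe", frozenset({"READ_WHOLE_CONFIG"}), True),
}


def leaked_via(role, ops):
    """Names of whole-model ops through which `role` obtains the credential
    it is denied on a direct read of DS_ADDR (empty list means no bypass)."""
    try:
        read_resource(role, DS_ADDR)
        return []  # the role may read it directly; nothing is bypassed
    except PermissionError:
        pass
    leaks = []
    for name, op in ops.items():
        try:
            out = execute(role, op)
        except PermissionError:
            continue  # constraint enforced, as intended
        if "password" in out.get(DS_ADDR, {}):
            leaks.append(name)
    return sorted(leaks)


if __name__ == "__main__":
    print("Monitor before fix:", leaked_via("Monitor", BEFORE_FIX))  # ['describe']
    print("Monitor after fix: ", leaked_via("Monitor", AFTER_FIX))   # []
```

Running it shows the unclassified "describe" op handing a Monitor the credential it cannot read directly, and the same op refusing once it carries READ_WHOLE_CONFIG and the check sits in the execution path.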

Comment 2 Ladislav Thon 2013-11-06 11:36:14 UTC
Verified with EAP 6.2.0.ER7.

