Sensitive data can be exposed at the server level through CLI in domain mode
When configuring RBAC and marking information as sensitive, users under the Monitor role are still able to view it. The following are the details:

<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
        </authentication>
        <authorization map-groups-to-roles="false">
            <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
        </authorization>
    </security-realm>

<management>
    <access-control provider="rbac">
        <role-mapping>
            <role name="SuperUser">
                <include>
                    <user name="adminuser"/>
                </include>
            </role>
            <role name="Monitor">
                <include>
                    <user name="rbactest"/>
                </include>
            </role>
        </role-mapping>
        <constraints>
            <sensitive-classifications>
                <sensitive-classification type="core" name="socket-config" requires-read="true"/>
            </sensitive-classifications>
        </constraints>
    </access-control>
</management>

With user rbactest under the Monitor role, the socket-binding read-resource at the domain level fails:

[bkundal@dhcp193-167 bin]$ ./jboss-cli.sh --connect
Authenticating against security realm: ManagementRealm
Username: rbactest
Password:
[domain@localhost:9999 /] cd socket-binding-group=ha-sockets
[domain@localhost:9999 socket-binding-group=ha-sockets] /socket-binding-group=ha-sockets/socket-binding=http:read-resource
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-resource' for resource '[ (\"socket-binding-group\" => \"ha-sockets\"), (\"socket-binding\" => \"http\") ]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
[domain@localhost:9999 socket-binding-group=ha-sockets]

But the same socket-config can be viewed at the server level:

[domain@localhost:9999 socket-binding-group=ha-sockets] cd /host=master/
[domain@localhost:9999 host=master] cd server=server-one
[domain@localhost:9999 server=server-one] cd socket-binding-group=full-sockets
[domain@localhost:9999 socket-binding-group=full-sockets] cd socket-binding=http
[domain@localhost:9999 socket-binding=http] ls -l
ATTRIBUTE          VALUE       TYPE
bound              true        BOOLEAN
bound-address      127.0.0.1   STRING
bound-port         8080        INT
client-mappings    undefined   LIST
fixed-port         false       BOOLEAN
interface          undefined   STRING
multicast-address  undefined   STRING
multicast-port     undefined   INT
name               http        STRING
port               8080        INT
[domain@localhost:9999 socket-binding=http]
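The report shows the same socket-binding resource type denied at its domain-level address and readable under /host=master/server=server-one. The script below is an added example, not part of the bug report or of JBoss EAP: it parses the DMR text that jboss-cli.sh prints for read-resource and, for a set of addresses queried as one Monitor-role user, flags every address where the read succeeded although the same resource type was denied at another address. The two sample outputs are constructed: DENIED copies the failure from the report, SERVER_OK is built from the values in the report's ls -l table. The function and variable names are the example's own.

```python
"""Audit helper (added example, not part of the bug report or of JBoss EAP): parse the
DMR text jboss-cli.sh prints for read-resource and flag addresses where one user's read
succeeded although the same resource type was denied at another address."""
import re

# DMR text tokens: quoted strings (with \" escapes), '=>', punctuation, bare scalars.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|=>|[{}\[\](),]|[^\s{}\[\](),"]+')
_SERVER_PREFIX = re.compile(r"^/host=[^/]+/server=[^/]+")
_BARE = {"true": True, "false": False, "undefined": None}


def _scalar(tok):
    """One quoted or bare token to a Python value (5L, 1.5 etc. stay text)."""
    if tok.startswith('"'):
        return tok[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if tok in _BARE:
        return _BARE[tok]
    return int(tok) if re.fullmatch(r"-?\d+", tok) else tok


def parse_dmr(text):
    """Parse DMR text ({...}, [...], ("k" => v)) into dicts, lists, tuples, scalars."""
    tokens = _TOKEN_RE.findall(text)
    pos = 0

    def expect(tok):
        nonlocal pos
        if tokens[pos] != tok:
            raise ValueError("expected %r, got %r" % (tok, tokens[pos]))
        pos += 1

    def value():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            obj = {}
            while tokens[pos] != "}":
                key = _scalar(tokens[pos])
                pos += 1
                expect("=>")
                obj[key] = value()
                if tokens[pos] == ",":
                    pos += 1
            pos += 1
            return obj
        if tok == "[":
            items = []
            while tokens[pos] != "]":
                items.append(value())
                if tokens[pos] == ",":
                    pos += 1
            pos += 1
            return items
        if tok == "(":  # property: ("name" => value)
            key = _scalar(tokens[pos])
            pos += 1
            expect("=>")
            val = value()
            expect(")")
            return (key, val)
        return _scalar(tok)

    return value()


def logical_type_path(address):
    """Type path without the /host=X/server=Y prefix or instance names."""
    stripped = _SERVER_PREFIX.sub("", address)
    return "/".join(s.split("=", 1)[0] for s in stripped.strip("/").split("/") if s)


def find_inconsistent_reads(observations):
    """(address, raw read-resource output) pairs from ONE user -> addresses that were
    readable although the same resource type was denied at another address."""
    by_type = {}
    for address, raw in observations:
        outcome = parse_dmr(raw)["outcome"]
        by_type.setdefault(logical_type_path(address), []).append((address, outcome))
    leaks = []
    for entries in by_type.values():
        outcomes = {o for _, o in entries}
        if "failed" in outcomes and "success" in outcomes:
            leaks.extend(a for a, o in entries if o == "success")
    return sorted(leaks)


# Constructed samples: DENIED copies the report's domain-level failure,
# SERVER_OK is built from the values in the report's ls -l table.
DENIED = r'''{ "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-resource' for resource '[ (\"socket-binding-group\" => \"ha-sockets\"), (\"socket-binding\" => \"http\") ]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true }'''
SERVER_OK = '''{ "outcome" => "success", "result" => {"bound" => true,
    "bound-address" => "127.0.0.1", "bound-port" => 8080, "client-mappings" => undefined,
    "fixed-port" => false, "interface" => undefined, "multicast-address" => undefined,
    "multicast-port" => undefined, "name" => "http", "port" => 8080} }'''
OBSERVATIONS = [
    ("/socket-binding-group=ha-sockets/socket-binding=http", DENIED),
    ("/host=master/server=server-one/socket-binding-group=full-sockets/socket-binding=http", SERVER_OK),
]

if __name__ == "__main__":
    for addr in find_inconsistent_reads(OBSERVATIONS):
        print("sensitive resource readable despite constraint:", addr)
```

To use it against a live domain, capture the read-resource output for each address of interest while connected as the low-privilege user and feed the (address, output) pairs to find_inconsistent_reads; an empty result means the constraint is enforced consistently across the domain-level and server-level views, a non-empty one lists the addresses where the classification is being bypassed.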
This issue has been addressed in the following products:

JBoss Enterprise Application Platform 7.0.4: RHSA-2017:0172 https://rhn.redhat.com/errata/RHSA-2017-0172.html
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7: RHSA-2017:0171 https://rhn.redhat.com/errata/RHSA-2017-0171.html
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6: RHSA-2017:0170 https://rhn.redhat.com/errata/RHSA-2017-0170.html
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 and RHEL 7: RHSA-2017:0173 https://rhn.redhat.com/errata/RHSA-2017-0173.html
(product not listed): RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5: RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7: RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6: RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6: RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html
Red Hat JBoss Enterprise Application Platform: RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6: RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7: RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 and RHEL 7: RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458