Security bypass with Subject.getSubject(AccessController.getContext()) returning null
vbchin2 May 12, 2014 2:52 AM

I have written a small web application that starts and interacts with embedded Infinispan (infinispan-core-7.0.0.Alpha3.jar) on JBoss EAP 6.2. The entire web app context is secured with FORM based authentication backed by a security domain based DatabaseServerLoginModule. I have a ServletContextListener that sets the SecurityManager on Context Initialization.
The webapp security works as expected. Only allowed roles (web.xml) are permitted to access protected resources of the web app. I am also able to get the Subject by making the call:
Subject subject = SecurityContextAssociation.getSubject();
Based on the above call, I can see the associated principals and verify that the Subject is built appropriately. But here is where the problem lies: regardless of which role principal is tied to the Subject, the Subject is able to perform ALL operations on the Cache and the CacheManager. Upon further digging into the Infinispan code, I found:
- The call Subject.getSubject(AccessController.getContext()) is made to get the subject in the APIs. The same call in my case returns null.
- Below is the snippet of code from https://github.com/infinispan/infinispan/blob/master/core/src/main/java/org/infinispan/security/impl/AuthorizationManagerImpl.java#L48 . I see during debugging that this portion of the code is executed. But since on line #3 in the snippet below the subject is null, control jumps to #9 below, which seems to permit ALL access (that is, subject=null and subjectMask=0).
- I heard a similar concern about the null return value in this post: http://stackoverflow.com/questions/16260460/subject-getsubject-always-return-null-after-jdk1-6-0-39. Perhaps relevant; please check.
```java
@Override
public void checkPermission(AuthorizationPermission perm) {
   Subject subject = Subject.getSubject(AccessController.getContext()); // Subject bound to the caller's AccessControlContext
   Integer subjectMask = (subject == null) ? Integer.valueOf(0) : null; //ISPN-4056 subjectRoleMaskCache.get(authCacheScope, subject);
   if (subjectMask == null) {
      subjectMask = AuthorizationHelper.computeSubjectRoleMask(subject, globalConfiguration, configuration);
      //ISPN-4056 subjectRoleMaskCache.put(authCacheScope, subject, subjectMask, globalConfiguration.securityCacheTimeout(), TimeUnit.MILLISECONDS);
   }
   authzHelper.checkPermission(subject, subjectMask, perm); // reached with subject == null and subjectMask == 0
}
```
Please help in figuring out where the issue lies and how to get it rectified.
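The behaviour of Subject.getSubject(AccessController.getContext()) that the post describes, as an added, stand-alone example (not code from the post, from Infinispan, or from JBoss): the JDK only binds a Subject to the AccessControlContext for the duration of Subject.doAs / doAsPrivileged, so a lookup made outside such a block returns null even when a Subject exists elsewhere (JBoss's SecurityContextAssociation keeps its Subject in a thread-local, which is a separate mechanism). The NamedPrincipal class and the isAllowed check are constructed for this example; isAllowed stands in for an authorization decision and shows the fail-closed treatment of a missing Subject. The program runs without a SecurityManager installed; with one installed, Subject.doAs additionally requires javax.security.auth.AuthPermission "doAs".

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectContextDemo {

    // Minimal Principal implementation, constructed for this example.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    // Same lookup the Infinispan snippet performs: reads the Subject bound to the
    // caller's AccessControlContext. Returns null unless we are inside Subject.doAs.
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    // Hypothetical authorization decision: a caller with no Subject is rejected
    // outright rather than being mapped to an empty role mask.
    static boolean isAllowed(Subject subject, String requiredRole) {
        if (subject == null) {
            return false; // fail closed: no identity, no access
        }
        for (Principal p : subject.getPrincipals()) {
            if (requiredRole.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal("admin"));

        // Outside Subject.doAs nothing is bound to the AccessControlContext,
        // even though a fully populated Subject object exists on this thread.
        System.out.println("outside doAs, getSubject() -> " + currentSubject());
        System.out.println("outside doAs, allowed(admin) -> " + isAllowed(currentSubject(), "admin"));

        // Inside Subject.doAs the Subject is attached to the context for the
        // duration of the action, so the same lookup now finds it.
        boolean allowedInside = Subject.doAs(subject, (PrivilegedAction<Boolean>) () -> {
            Subject seen = currentSubject();
            System.out.println("inside doAs, getSubject() -> " + seen.getPrincipals());
            return isAllowed(seen, "admin");
        });
        System.out.println("inside doAs, allowed(admin) -> " + allowedInside);
    }
}
```

Run it with `javac SubjectContextDemo.java && java SubjectContextDemo`. The point to take from it on the defensive side is twofold: a component that authorizes on Subject.getSubject(AccessController.getContext()) only sees the caller's identity if the calling code wraps the call in Subject.doAs with the authenticated Subject, and an authorization check that receives a null Subject should deny rather than proceed with an empty role mask.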