[Geoserver-devel] [JIRA] (GEOS-9484) ADMIN_ROLE is assigned by default if no role is returned for a user inside WebService Body Response

Giovanni Allegri created an issue

GeoServer / Bug GEOS-9484

ADMIN_ROLE is assigned by default if no role is returned for a user inside WebService Body Response

Issue Type:

Bug

Assignee:

Unassigned

Components:

authkey

Created:

04/Feb/20 2:55 PM

Priority:

High

Reporter:

Giovanni Allegri

When a “role” for a user is not returned inside the WebService Body Response (WebServiceBodyResponseUserGroupService, https://github.com/geoserver/geoserver/blob/master/src/extension/authkey/src/main/java/org/geoserver/security/WebServiceBodyResponseUserGroupService.java#L162).
This is clearly a security hole.
If an authority must be added, it should be ANONYMOUS.

if (matcher.find()) {
    // One or more capture groups matched: each group holds a comma-separated list of role names
    for (int i = 1; i <= matcher.groupCount(); i++) {
        for (String roleName : matcher.group(i).split(",")) {
            authorities.add(createAuthorityObject(roleName.trim()));
        }
    }
} else {
    // No role found in the response body: the current code logs a warning and then
    // falls open by granting ADMIN_ROLE (the behaviour this issue reports)
    LOGGER.log(
            Level.WARNING,
            "Error in WebServiceAuthenticationKeyMapper, cannot find any Role in response");
    authorities.add(GeoServerRole.ADMIN_ROLE);
}
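The following is an added, self-contained illustration of the fail-open default described above; it is not GeoServer code. It models the role-extraction step with a hypothetical regex (one capture group holding a comma-separated role list), uses plain strings as stand-ins for GeoServerRole.ADMIN_ROLE and ANONYMOUS_ROLE, and places the reported logic (rolesFailOpen) beside a fail-closed variant (rolesFailClosed) that yields only ANONYMOUS when no role is present and also drops the blank authority that split() produces for an empty role list. The method names, the regex and the sample response bodies are all assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added demo, not GeoServer code. Models the role-extraction step of a
 * web-service-body user/group service and contrasts the reported fail-open
 * default with a fail-closed one.
 */
public class RoleMappingDemo {

    // Stand-ins for GeoServerRole.ADMIN_ROLE / ANONYMOUS_ROLE (plain strings here, assumed names)
    static final String ADMIN_ROLE = "ROLE_ADMINISTRATOR";
    static final String ANONYMOUS_ROLE = "ROLE_ANONYMOUS";

    // Hypothetical role regex: one capture group holding a comma-separated role list,
    // e.g. {"user":"bob","roles":"ROLE_EDITOR,ROLE_VIEWER"}
    static final Pattern ROLE_REGEX = Pattern.compile("\"roles\"\\s*:\\s*\"([^\"]*)\"");

    /** Mirrors the logic quoted in the report: no match at all -> ADMIN_ROLE is granted. */
    static List<String> rolesFailOpen(String body) {
        List<String> authorities = new ArrayList<>();
        Matcher matcher = ROLE_REGEX.matcher(body);
        if (matcher.find()) {
            for (int i = 1; i <= matcher.groupCount(); i++) {
                for (String roleName : matcher.group(i).split(",")) {
                    authorities.add(roleName.trim()); // note: "" survives for "roles":""
                }
            }
        } else {
            authorities.add(ADMIN_ROLE); // fail-open default
        }
        return authorities;
    }

    /**
     * Hardened variant: a missing or empty role list yields only ANONYMOUS_ROLE,
     * and blank names produced by split() (e.g. "roles":"" or "a,,b") are dropped.
     */
    static List<String> rolesFailClosed(String body) {
        List<String> authorities = new ArrayList<>();
        Matcher matcher = ROLE_REGEX.matcher(body);
        if (matcher.find()) {
            for (int i = 1; i <= matcher.groupCount(); i++) {
                String group = matcher.group(i);
                if (group == null) {
                    continue; // optional group that did not participate in the match
                }
                for (String roleName : group.split(",")) {
                    String trimmed = roleName.trim();
                    if (!trimmed.isEmpty()) {
                        authorities.add(trimmed);
                    }
                }
            }
        }
        if (authorities.isEmpty()) {
            authorities.add(ANONYMOUS_ROLE); // fail-closed default
        }
        return authorities;
    }

    public static void main(String[] args) {
        // Constructed sample responses: a normal one, an empty role list, a body with no
        // "roles" key at all, and an upstream error page that is not JSON
        String[] bodies = {
            "{\"user\":\"bob\",\"roles\":\"ROLE_EDITOR,ROLE_VIEWER\"}",
            "{\"user\":\"bob\",\"roles\":\"\"}",
            "{\"user\":\"bob\"}",
            "<html>Service temporarily unavailable</html>"
        };
        for (String body : bodies) {
            System.out.println("body:          " + body);
            System.out.println("  fail-open:   " + rolesFailOpen(body));
            System.out.println("  fail-closed: " + rolesFailClosed(body));
        }
    }
}
```

Run with `javac RoleMappingDemo.java && java RoleMappingDemo`. The last two inputs are the ones that matter: with the reported logic, a response that simply omits the roles field, or an HTML error page returned by a misbehaving upstream, both end up as [ROLE_ADMINISTRATOR], while the fail-closed variant returns [ROLE_ANONYMOUS]. Until the code is fixed, the WARNING "cannot find any Role in response" followed by a successful authentication for the same request is the log pattern worth alerting on, since every occurrence means an administrator session was created from a role-less response.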
