Are there any security risks to including the roles required on authentication failed metadata requests


Are there any security risks to including the roles required on authentication failed metadata requests

dcrissman
If a user is not in the proper LDAP group for an action in metadata, they will get a SecurityException. The message of that exception includes a list of roles that would grant them that access. Is that a potential security risk?

See AbstractMetadataResource#checkPermission

Re: Are there any security risks to including the roles required on authentication failed metadata requests

jewzaam
Administrator
The caller cannot use that info to add roles to the request. If this were CRUD it would be more of a problem, in that it would expose info about what roles exist for fields. It might give hints to field names that the client is not authorized to access. But that is also exposed in metadata, which is open for read operations to anybody who can authenticate.

On Wed Jan 07 2015 at 2:55:59 PM dcrissman [via lightblue-dev] <[hidden email]> wrote:
If a user is not in the proper LDAP group for an action in metadata, they will get a SecurityException. The message of that exception includes a list of roles that would grant them that access. Is that a potential security risk?

See AbstractMetadataResource#checkPermission
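The usual way to keep the role list out of the caller's hands while still giving operators the detail they need is to log the required roles server-side and return a generic SecurityException message. The following is an added illustration, not lightblue's AbstractMetadataResource#checkPermission; the class, method and role names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

// Hypothetical stand-in for a lightblue-style permission check (not the
// project's own code). The roles that would grant access go to the server
// log; the SecurityException seen by the caller carries only a generic message.
public class PermissionCheckExample {
    private static final Logger LOG = Logger.getLogger(PermissionCheckExample.class.getName());

    /** Fails closed: throws unless the caller holds at least one of the required roles. */
    public static void checkPermission(String operation, Set<String> callerRoles, Set<String> requiredRoles) {
        // Any-of semantics, as in the question: each listed role would grant access.
        if (!Collections.disjoint(callerRoles, requiredRoles)) {
            return;
        }
        // Detail for operators stays in the server log...
        LOG.warning("denied " + operation + ": caller roles=" + callerRoles
                + " required any of " + requiredRoles);
        // ...while the caller only learns that access was denied.
        throw new SecurityException("Not authorized to perform " + operation);
    }

    /** Returns true if the client-facing message names any of the required roles. */
    public static boolean messageLeaksRoles(String message, Set<String> requiredRoles) {
        for (String role : requiredRoles) {
            if (message.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample roles; not taken from any real deployment.
        Set<String> caller = new HashSet<>(Arrays.asList("metadata-reader"));
        Set<String> required = new HashSet<>(Arrays.asList("metadata-admin", "metadata-writer"));
        try {
            checkPermission("metadata:update", caller, required);
        } catch (SecurityException e) {
            System.out.println("client sees: " + e.getMessage());
            System.out.println("leaks required roles? " + messageLeaksRoles(e.getMessage(), required));
        }
    }
}
```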

