July 5, 2016 at 11:40 am #11823
I have 2 realms under root at the same level.
Authenticated as User-1 using the Authentication API and I got an access token.
Using the Realm-1 user's (User-1) access token I can list users, list groups or perform any other operations in Realm-2. We can't allow that.
No data isolation? Or any settings to do?

July 27, 2016 at 2:41 pm #12279
How to secure data realm-wise? Is it a bug? Or a config issue?

August 1, 2016 at 9:17 am #12333
Doesn't OpenAM provide realm-wise data isolation and security?

August 2, 2016 at 7:38 am #12349
One realm can read data of other realms, why?

August 2, 2016 at 2:42 pm #12360
Rogerio Rondini (Participant)
Should not, I believe.
Check Privileges for "All authenticated users" in the Privileges tab for each sub-realm.

August 2, 2016 at 2:49 pm #12361

August 4, 2016 at 1:33 pm #12436
One user cannot access the details of another user in the same or another realm (in that case the API response is "no permission"). But one user can list all users/groups in the same or another realm.

August 10, 2016 at 3:19 pm #12584
Peter Major (Moderator)
This issue is covered by https://forgerock.org/2016/08/openam-security-advisory-201605/#201605-02

August 12, 2016 at 1:56 pm #12613
Oh great, I think the next version will resolve the issue; otherwise it will be a security issue.
Thanks Peter, I was not sure whether the issue was with my configuration or not.
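A way to verify the symptom discussed in this thread against a deployment, as an added example that is not part of the original thread and not OpenAM's own code: authenticate in one realm, then probe the other realm for a user listing, a group listing and a single-user read, and report which cross-realm calls succeed. It assumes the OpenAM 13-style REST layout (/json/<realm>/authenticate, /json/<realm>/users?_queryId=*), the X-OpenAM-Username/X-OpenAM-Password login headers and the iPlanetDirectoryPro session header; the realm names, user names, base URL and the fake transport that reproduces the behaviour reported above (listing allowed, single-user read refused) are constructed for the example.

```python
"""Cross-realm isolation probe for an OpenAM-style REST API (added example)."""
import json
from typing import Callable, Dict, List, Tuple

# A transport takes (method, url, headers) and returns (status, body).
# It is injected so the probe can run over real HTTP or over the constructed
# fake below; the probe logic itself is the same either way.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]

API_VERSION = "resource=2.0, protocol=1.0"  # assumed OpenAM 13 REST version header


def http_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real transport over urllib (not exercised offline)."""
    import urllib.error
    import urllib.request

    req = urllib.request.Request(url, method=method, headers=headers,
                                 data=b"" if method == "POST" else None)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def authenticate(transport: Transport, base_url: str, realm: str,
                 user: str, password: str) -> str:
    """Zero-page login in <realm>; returns the tokenId (session) on success."""
    status, body = transport("POST", f"{base_url}/json/{realm}/authenticate", {
        "X-OpenAM-Username": user,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
        "Accept-API-Version": API_VERSION,
    })
    if status != 200:
        raise RuntimeError(f"authentication in {realm} failed: HTTP {status}")
    return json.loads(body)["tokenId"]


def probe(transport: Transport, base_url: str, token: str, realm: str, path: str) -> int:
    """GET /json/<realm>/<path> with the session; returns only the HTTP status."""
    status, _ = transport("GET", f"{base_url}/json/{realm}/{path}", {
        "iPlanetDirectoryPro": token,          # assumed session cookie/header name
        "Accept-API-Version": API_VERSION,
    })
    return status


def check_isolation(transport: Transport, base_url: str, home_realm: str, user: str,
                    password: str, other_realm: str,
                    other_user: str) -> Tuple[Dict[str, int], List[str]]:
    """Log in to home_realm, then try the three cross-realm calls from the thread.

    Returns the status per call and the list of calls that were allowed (HTTP 200).
    On a correctly isolated server the second value is an empty list.
    """
    token = authenticate(transport, base_url, home_realm, user, password)
    results = {
        "list_users": probe(transport, base_url, token, other_realm, "users?_queryId=*"),
        "list_groups": probe(transport, base_url, token, other_realm, "groups?_queryId=*"),
        "read_user": probe(transport, base_url, token, other_realm, f"users/{other_user}"),
    }
    leaks = [name for name, status in results.items() if status == 200]
    return results, leaks


def make_vulnerable_fake() -> Transport:
    """Constructed fake server reproducing the symptom reported in the thread:
    a session from one realm may list users/groups in another realm (200) but
    is refused when reading a single user there (403 "no permission")."""
    sessions: Dict[str, str] = {}     # tokenId -> realm it was issued in

    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        realm, resource = url.split("/json/", 1)[1].split("/", 1)
        if method == "POST" and resource == "authenticate":
            token = f"tok-{realm}-{len(sessions)}"
            sessions[token] = realm
            return 200, json.dumps({"tokenId": token, "successUrl": "/openam/console"})
        session_realm = sessions.get(headers.get("iPlanetDirectoryPro", ""))
        if session_realm is None:
            return 401, json.dumps({"code": 401, "message": "Access Denied"})
        cross_realm = session_realm != realm
        if cross_realm and not resource.endswith("?_queryId=*"):
            return 403, json.dumps({"code": 403, "message": "no permission"})
        return 200, json.dumps({"result": [], "resultCount": 0})

    return transport


if __name__ == "__main__":
    # Constructed base URL and realm/user names; swap the fake for http_transport
    # to run the same probe against a real deployment.
    statuses, allowed = check_isolation(make_vulnerable_fake(), "https://am.example.test/openam",
                                        "Realm-1", "User-1", "password", "Realm-2", "User-2")
    print(statuses)
    print("ISOLATED" if not allowed else f"NOT ISOLATED: {', '.join(allowed)} succeeded cross-realm")
```

Against a live server, replace make_vulnerable_fake() with http_transport and use the real base URL, realm names and a test account in each realm; any entry in the returned list means a session from one realm was able to read the other realm's directory and the delegation settings (the "All authenticated users" privileges Rogerio mentions) and the advisory Peter links to are the places to look. On newer AM releases the realm appears in the path as /json/realms/root/realms/<realm>/..., so the URL builder in probe and authenticate must be adjusted accordingly.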