Darran Lofthouse reassigned WFLY-8568:
--------------------------------------
Assignee: (was: Darran Lofthouse)
Elytron outflow-security-domains doesn't work for Servlet-to-EJB calls
----------------------------------------------------------------------
Key: WFLY-8568
URL: https://issues.jboss.org/browse/WFLY-8568
Project: WildFly
Issue Type: Bug
Components: EJB, Security, Web (Undertow)
Reporter: Josef Cacek
Priority: Major
Security context propagation using the Elytron {{outflow-security-domains}} attribute in
a security domain doesn't work for Servlet-to-EJB calls.
This could also be a test configuration issue, but as there is not yet documentation
covering this area, I can't guess what could be wrong in the scenario.
1. I have 2 similar web applications with servlets and EJBs:
* the `secured-webapp` is mapped to `web-tests` security domain
* the `second` application is mapped to `second-domain` security domain
2. The Undertow and EJB subsystems map the application domains `web-tests` and
`second-domain` to Elytron domains with the same name.
3. Trust between the domains is defined in the following way:
{code}
/subsystem=elytron/security-domain=second-domain:write-attribute(name=outflow-security-domains,value=[web-tests])
/subsystem=elytron/security-domain=second-domain:write-attribute(name=trusted-security-domains,value=[web-tests])
/subsystem=elytron/security-domain=web-tests:write-attribute(name=trusted-security-domains,value=[second-domain])
{code}
4. The test itself calls a servlet from the `second` web application, and it calls a protected
EJB from the `secured-webapp`.
The EJB call fails with EJBAccessException:
{noformat}
14:30:04,631 ERROR [org.jboss.as.ejb3.invocation] (default task-3) WFLYEJB0034: EJB
Invocation failed on component HelloBean for method public abstract java.lang.String
org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation
on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean:
HelloBean is not allowed
{noformat}
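A quick consistency check for the trust wiring in step 3, added here as an example and not part of the original report or of WildFly. It assumes that an outflow from domain A to domain B only takes effect when B lists A in its `trusted-security-domains`; the function names and the embedded sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three CLI commands from the report.
CLI = """\
/subsystem=elytron/security-domain=second-domain:write-attribute(name=outflow-security-domains,value=[web-tests])
/subsystem=elytron/security-domain=second-domain:write-attribute(name=trusted-security-domains,value=[web-tests])
/subsystem=elytron/security-domain=web-tests:write-attribute(name=trusted-security-domains,value=[second-domain])
"""

OUTFLOW = "outflow-security-domains"
TRUSTED = "trusted-security-domains"

# Tolerates whitespace or line wraps between "name=...," and "value=[...]".
CMD = re.compile(
    r"/subsystem=elytron/security-domain=(?P<domain>[^:/\s]+):write-attribute\("
    r"\s*name=(?P<attr>" + OUTFLOW + "|" + TRUSTED + r")\s*,"
    r"\s*value=\[(?P<values>[^\]]*)\]\s*\)"
)

def parse(cli_text):
    """Return {domain: {attribute: set(of domain names)}} from write-attribute commands."""
    cfg = defaultdict(lambda: {OUTFLOW: set(), TRUSTED: set()})
    for m in CMD.finditer(cli_text):
        names = {v.strip() for v in m.group("values").split(",") if v.strip()}
        # write-attribute replaces the whole list, so the last command wins.
        cfg[m.group("domain")][m.group("attr")] = names
    return cfg

def untrusted_outflows(cfg):
    """List (source, target) outflow edges where target does not trust source."""
    problems = []
    for source, attrs in sorted(cfg.items()):
        for target in sorted(attrs[OUTFLOW]):
            trusted = cfg[target][TRUSTED] if target in cfg else set()
            if source not in trusted:
                problems.append((source, target))
    return problems

if __name__ == "__main__":
    for source, target in untrusted_outflows(parse(CLI)):
        print(f"{source} outflows to {target}, but {target} does not trust {source}")
```

For the commands in the report the check returns no findings: `second-domain` outflows to `web-tests`, and `web-tests` trusts `second-domain`.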