[JBoss JIRA] Created: (JBAS-3781) Stateful SB Instance Interceptor should not push SubjectContext if RunAsIdentity present
by Anil Saldhana (JIRA)
Stateful SB Instance Interceptor should not push SubjectContext if RunAsIdentity present
----------------------------------------------------------------------------------------
Key: JBAS-3781
URL: http://jira.jboss.com/jira/browse/JBAS-3781
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: EJB2
Affects Versions: JBossAS-4.0.5.GA, JBossAS-3.2.8.SP1, JBossAS-5.0.0.Beta
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta, JBossAS-3.2.8.SP2, JBossAS-4.0.6.CR1
The following Subject Context push (with null Subject) to establish client security context should not be performed if the user has configured a RunAsIdentity in the caller bean.
/* The security context must be established before the cache
lookup because the activation of a session should have the caller's
security context as ejbActivate is allowed to call other secured
resources. Since the pm makes the ejbActivate call, we need to
set the caller's security context. The only reason this shows up for
stateful session is that we moved the SecurityInterceptor to after
the instance interceptor to allow security exceptions to result in
invalidation of the session. This may be too literal an interpretation
of the ejb spec requirement that runtime exceptions should invalidate
the session.
*/
SecurityActions.pushSubjectContext(mi.getPrincipal(), mi.getCredential(), null);
The resolution is:
if(SecurityActions.peekRunAsIdentity() == null)
SecurityActions.pushSubjectContext(mi.getPrincipal(), mi.getCredential(), null);
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 4 months
[JBoss JIRA] Created: (JBAS-4003) using run-as causes anonymous principal to be propagated across EARs and security domains
by Michal Borowiecki (JIRA)
using run-as causes anonymous principal to be propagated across EARs and security domains
-----------------------------------------------------------------------------------------
Key: JBAS-4003
URL: http://jira.jboss.com/jira/browse/JBAS-4003
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: JBossAS-4.0.5.GA
Reporter: Michal Borowiecki
Using run-as causes anonymous principal to be propagated across EARs and security domains.
I have a MDB in EAR 1 with run-as configured.
It calls a session bean in the same EAR and the reported identity in the target session bean's method is anonymous, which is OK.
The session bean then calls another session bean in another EAR which is in a different security-domain.
A ClientLoginModule is used to authenticate in the other security domain.
Nevertheless, the target bean sees the caller as anonymous, with the role configured as run-as in EAR1.
The same code works OK when run-as is removed from configuration.
I understand that the run-as role with anonymous identity is propagated across subsequent ejb calls, however it should not be propagated when explicit login is used on some other security domain. After all, the whole point of authenticating into a security domain is to establish an identity in that domain. It seems that the newly established identity is ignored in favour of the run-as identity and role propagated from the original security domain.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 4 months
[JBoss JIRA] Created: (JBRULES-578) Running Jboss Rules in Weblogic
by Ruban Mahendran (JIRA)
Running Jboss Rules in Weblogic
-------------------------------
Key: JBRULES-578
URL: http://jira.jboss.com/jira/browse/JBRULES-578
Project: JBoss Rules
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 3.0.5
Environment: Running JBoss Rules in Weblogic8.14 via a JSP deployed in a WAR.
Reporter: Ruban Mahendran
Assigned To: Mark Proctor
When attempting to create a package from a class called by a JSP ( see below) I get the following error:
CharScanner; panic: ClassNotFoundException: org.antlr.stringtemplate.language.ChunkToken
Stopping the Weblogic Workshop debugger...
Debugger Stopped.
The Weblogic server stops as well.
Here is the code snippet called by the jsp
PackageBuilderConfiguration pkgBuilderCfg = new PackageBuilderConfiguration();
pkgBuilderCfg.setCompiler(PackageBuilderConfiguration.JANINO);
PackageBuilder builder = new PackageBuilder(pkgBuilderCfg);
builder.addPackageFromDrl((new InputStreamReader(new FileInputStream("c:\\myruleresource.drl")) ) );
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 4 months