[JBoss JIRA] (WFLY-12301) CallerPrincipal will be anonymous (randomly) if EJB2 is called
by Farah Juma (Jira)
[ https://issues.jboss.org/browse/WFLY-12301?page=com.atlassian.jira.plugin... ]
Farah Juma commented on WFLY-12301:
-----------------------------------
I was able to reproduce this locally and found the following:
* When the caller principal for the EJB2 bean is correct, the corresponding {{EJBComponentDescription}} always has {{securityRequired}} set to {{true}}.
* When the caller principal for the EJB2 bean is anonymous, the corresponding {{EJBComponentDescription}} always has {{securityRequired}} set to {{false}}.
* Whether or not security is required for the {{EJBComponentDescription}} gets set in [EJBSecurityViewConfigurator|https://github.com/wildfly/wildfly/blob/1bf99...].
* The {{EJBSecurityViewConfigurator}} gets called for each view that is associated with the {{EJBComponentDescription}}.
* For EJB2, unlike EJB3, there are actually two views associated with the {{EJBComponentDescription}}: {{server.SomeEJB2}} and {{server.SomeEJBHome}}. Currently, whether or not security is required for the {{EJBComponentDescription}} associated with the EJB2 bean depends on the order in which these two views are processed. If {{server.SomeEJB2}} is processed last, {{securityRequired}} will be set to {{true}} since it has method level security metadata. However, if {{server.SomeEJBHome}} is processed last, {{securityRequired}} will be set to {{false}} since it does not have method level security metadata.
The following PR fixes this by ensuring that {{EJBComponentDescription#setSecurityRequired}} only gets called in {{EJBSecurityViewConfigurator}} if security is actually required to avoid resetting the value when there are multiple views:
https://github.com/wildfly/wildfly/pull/12468
> CallerPrincipal will be anonymous (randomly) if EJB2 is called
> --------------------------------------------------------------
>
> Key: WFLY-12301
> URL: https://issues.jboss.org/browse/WFLY-12301
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 17.0.1.Final
> Reporter: Wolf-Dieter Fink
> Assignee: Darran Lofthouse
> Priority: Major
> Labels: EJB2, security
> Attachments: reproducer.zip
>
>
> An EJB application which call an EJB2 SLSB will fail (randomly) to show the correct user if getCallerPrincipal is used inside. Also the roles are not set.
> The EJB2 Bean is secured by ejb-jar.xml so it is not expected that it will be called without role
> <assembly-descriptor>
> <method-permission>
> <role-name>testRole</role-name>
> <method>
> <ejb-name>simpleejb.server.SomeEJB2Bean</ejb-name>
> <method-intf>Remote</method-intf>
> <method-name>*</method-name>
> </method>
> </method-permission>
> This error is constant seen if the server is up and running but each restart will change the behaviour randomly.
> Note that an EJB3 bean of the same EAR file will work always correctly.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
4 years, 9 months