[
https://jira.jboss.org/jira/browse/JBAS-7053?page=com.atlassian.jira.plug...
]
Jesus Menendez updated JBAS-7053:
---------------------------------
Description:
I configured two EJBs to make use of the run-as security identity tag
The EJBS implement a class called AgentBean
When I use PolicyContext.getContext("javax.security.auth.Subject.container")
within and AgentBean method it should return the RunAsIdentity of that method as declared
in the run-as tag . it returns anonymous wihch is the current authenticated user.. not the
one specified in run-as
When I looked at the source code in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
SecurityAssociation.peekRunAsIdentity(1);
What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the
top element in the stack
I patched Jboss with this modification and the
PolicyContext.getContext("javax.security.auth.Subject.container") started
returning the right values (editors and publishers)
So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler
Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1.
That is looking two levels down in the stack isn't it?
Connfiguration of EJB is
ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee">
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for editors Partition</description>
<role-name>editors</role-name>
</run-as>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for publishers Partition</description>
<role-name>publishers</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>editors</role-name>
</security-role>
<security-role>
<role-name>publisher</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>
jboss.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 4_2//EN"
"http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
<security-domain>java:/jaas/process</security-domain>
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<security-identity>
<run-as-principal>editor</run-as-principal>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<security-identity>
<run-as-principal>publisher</run-as-principal>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>publishers</role-name>
<principal-name>publisher</principal-name>
</security-role>
<security-role>
<role-name>editors</role-name>
<principal-name>editor</principal-name>
</security-role>
</assembly-descriptor>
</jboss>
Also configured the login-module with a new security domain with an UserRoleLoginModule
plugin
roles.properties
publisher=publishers
editor=editors
user.properties
publisher=password
editor=password
was:
Connfiguration of EJB is
ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee">
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for editors Partition</description>
<role-name>editors</role-name>
</run-as>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for publishers Partition</description>
<role-name>publishers</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>editors</role-name>
</security-role>
<security-role>
<role-name>publisher</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>
jboss.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 4_2//EN"
"http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
<security-domain>java:/jaas/process</security-domain>
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<security-identity>
<run-as-principal>editor</run-as-principal>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<security-identity>
<run-as-principal>publisher</run-as-principal>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>publishers</role-name>
<principal-name>publisher</principal-name>
</security-role>
<security-role>
<role-name>editors</role-name>
<principal-name>editor</principal-name>
</security-role>
</assembly-descriptor>
</jboss>
Also configured the login-module with a new security domain with an UserRoleLoginModule
plugin
roles.properties
publisher=publishers
editor=editors
user.properties
publisher=password
editor=password
When I use PolicyContext.getContext("") within and AgentBean method it should
return the RunAsIdentity of that method as declared in the run-as . it returns anonymous
wihch is the current authenticated user.. not the one specified in run-as
When I looked at the source code in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
SecurityAssociation.peekRunAsIdentity(1);
What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the
top element in the stack
I patched Jboss with this modification and the PolicyContext.getContext("")
started returning the right values (editors and publishers)
So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler
Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1.
That is looking two levels down in the stack isn't it?
org.jboss.security.jacc.SubjectPolicyContexthandler looking two
levels up into RunAsIdentity stack
--------------------------------------------------------------------------------------------------
Key: JBAS-7053
URL:
https://jira.jboss.org/jira/browse/JBAS-7053
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-4.2.2.GA, JBossAS-4.2.3.GA
Reporter: Jesus Menendez
Assignee: Anil Saldhana
I configured two EJBs to make use of the run-as security identity tag
The EJBS implement a class called AgentBean
When I use PolicyContext.getContext("javax.security.auth.Subject.container")
within and AgentBean method it should return the RunAsIdentity of that method as declared
in the run-as tag . it returns anonymous wihch is the current authenticated user.. not the
one specified in run-as
When I looked at the source code in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
SecurityAssociation.peekRunAsIdentity(1);
What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the
top element in the stack
I patched Jboss with this modification and the
PolicyContext.getContext("javax.security.auth.Subject.container") started
returning the right values (editors and publishers)
So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler
Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1.
That is looking two levels down in the stack isn't it?
Connfiguration of EJB is
ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee">
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for editors Partition</description>
<role-name>editors</role-name>
</run-as>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for publishers Partition</description>
<role-name>publishers</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>editors</role-name>
</security-role>
<security-role>
<role-name>publisher</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>
jboss.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 4_2//EN"
"http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
<security-domain>java:/jaas/process</security-domain>
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<security-identity>
<run-as-principal>editor</run-as-principal>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<security-identity>
<run-as-principal>publisher</run-as-principal>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>publishers</role-name>
<principal-name>publisher</principal-name>
</security-role>
<security-role>
<role-name>editors</role-name>
<principal-name>editor</principal-name>
</security-role>
</assembly-descriptor>
</jboss>
Also configured the login-module with a new security domain with an UserRoleLoginModule
plugin
roles.properties
publisher=publishers
editor=editors
user.properties
publisher=password
editor=password
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira