Bartosz Baranowski resolved WFLY-9072.
--------------------------------------
Resolution: Out of Date
Fixes it seems, same indication has been made by reporter in downstream. Mentioned test
case runs and passes.
@RunAs role authorization from the first invoker of @Singleton bean
is propagated through the @PostConstruct method of @Singleton bean with Elytron
---------------------------------------------------------------------------------------------------------------------------------------------------
Key: WFLY-9072
URL: https://issues.jboss.org/browse/WFLY-9072
Project: WildFly
Issue Type: Bug
Components: EJB, Security
Reporter: Michal Jurc
Assignee: Bartosz Baranowski
Priority: Critical
Suppose an environment with a chain of three bean invocations:
{code:java|title=Bean1.java}
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@Remote(WhoAmI.class)
@RunAs("Admin")            // every outbound call from this bean runs with the Admin role
@SecurityDomain("other")
public class Bean1 implements WhoAmI {

    @EJB(beanName = "Bean2")
    private WhoAmI singleton;

    public String getCallerPrincipal() {
        // the first call triggers lazy initialization of the Bean2 singleton
        return singleton.getCallerPrincipal();
    }
}
{code}
{code:java|title=Bean2.java}
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import org.jboss.ejb3.annotation.SecurityDomain;

@Singleton
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2 implements WhoAmI {

    @EJB(beanName = "Bean3")
    private WhoAmI bean3;

    private String principal;

    @PostConstruct
    public void init() {
        // runs once, in whatever security context the first invocation carries;
        // the result is cached and returned to every later caller
        principal = bean3.getCallerPrincipal();
    }

    public String getCallerPrincipal() {
        return principal;
    }
}
{code}
{code:java|title=Bean3.java}
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@Local(WhoAmI.class)
@RolesAllowed("Admin")     // the invocation is rejected unless the caller holds Admin
@SecurityDomain("other")
public class Bean3 implements WhoAmI {

    @Resource
    private SessionContext ctx;

    public String getCallerPrincipal() {
        return ctx.getCallerPrincipal().getName();
    }
}
{code}
With Elytron, the {{@RunAs("Admin")}} of {{Bean1}} is propagated through {{Bean2.init()}}
to {{Bean3}}. The EJB 3.1 specification does not define the security context of the
{{@PostConstruct}} method of a {{@Singleton}} bean; with this behaviour, however, the
{{@RunAs}} authorization in effect during the initialization of any {{@Singleton}} bean is
determined by whichever caller happens to invoke it first under Elytron. With legacy security,
the {{@RunAs}} authorization of the {{@PostConstruct}} method of {{@Singleton}} beans was undefined.
This is covered by
{{org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase#testSingletonPostconstructSecurityNotPropagating}}
in the WildFly Integration/Basic test suite module.
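As an added example (not code from the issue or from WildFly), the following shows how an application can avoid depending on the undefined {{@PostConstruct}} security context at all: {{Bean2}} is rewritten so that initialization runs eagerly at deployment via {{@Startup}} and performs no identity-dependent work, and the call into the {{@RolesAllowed}} {{Bean3}} happens per invocation, so its authorization check always sees the current caller (or {{@RunAs}}) identity instead of a value cached from whoever invoked first. It assumes the {{WhoAmI}} interface and {{Bean3}} from the report.

```java
// Added example, not part of WFLY-9072 or WildFly: a Bean2 that makes no
// caller-dependent security decision during @PostConstruct and caches nothing
// derived from the first invoker's identity. Assumes WhoAmI and Bean3 as above.
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import org.jboss.ejb3.annotation.SecurityDomain;

@Singleton
@Startup                   // initialize at deployment, not on the first client call
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2 implements WhoAmI {

    @EJB(beanName = "Bean3")
    private WhoAmI bean3;

    @PostConstruct
    public void init() {
        // Only identity-independent setup belongs here. Calling Bean3
        // (@RolesAllowed("Admin")) from this method would run under a
        // security context the EJB specification leaves undefined for
        // singletons, so its outcome must not be relied upon or cached.
    }

    public String getCallerPrincipal() {
        // Evaluated on every invocation: Bean3's @RolesAllowed("Admin") check
        // applies to the identity of this call (e.g. Bean1's @RunAs("Admin")),
        // and a caller without that role is rejected rather than served a
        // principal captured at initialization time.
        return bean3.getCallerPrincipal();
    }
}
```

With this layout a caller that does not hold {{Admin}} receives an {{EJBAccessException}} from {{Bean3}} on its own call, which is the observable behaviour the test case above checks for.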