[
https://jira.jboss.org/jira/browse/JBAS-3945?page=com.atlassian.jira.plug...
]
Anil Saldhana commented on JBAS-3945:
-------------------------------------
The EJB2/3 specifications talk about run-as in terms of roles that are propagated between
two components. If you need a different principal to be associated for a run-as, it needs
to be specified in a vendor descriptor. In the case of JBoss, it has to be jboss.xml.
Look at the ejb-jar.xml:
=======================
<enterprise-beans>
  <session>
    <description>session 1</description>
    <ejb-name>Session1</ejb-name>
    <home>org.runAsError.test.Session1Home</home>
    <remote>org.runAsError.test.Session1</remote>
    <ejb-class>org.runAsError.test.SessionBean1</ejb-class>
    <session-type>Stateless</session-type>
    <transaction-type>Container</transaction-type>
    <ejb-ref>
      <ejb-ref-name>ejb/Session2</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      <home>org.runAsError.test.Session2Home</home>
      <remote>org.runAsError.test.Session2</remote>
      <ejb-link>Session2</ejb-link>
    </ejb-ref>
    <security-role-ref>
      <role-name>tester</role-name>
      <role-link>tester</role-link>
    </security-role-ref>
    <security-identity>
      <run-as>
        <role-name>internal</role-name>
      </run-as>
    </security-identity>
  </session>
</enterprise-beans>
===============================================================
Here you are specifying a role "internal" to be used as the propagated run-as
role to session bean 2.
Now JBoss will use an anonymous principal to propagate along to provide the
getCallerPrincipal contract at the other end, even though the deciding aspect for
session bean 2 access control was the role "internal".
If you need a different principal other than "anonymous", then you need to
specify it in jboss.xml:
<session>
  <ejb-name>Session1</ejb-name>
  <jndi-name>runAsError/Session1</jndi-name>
  <security-identity>
    <run-as-principal>MyNewPrincipalForRunAs</run-as-principal>
  </security-identity>
</session>
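The point of the comment above is that the run-as *role* lives in ejb-jar.xml while the run-as *principal* is a JBoss-specific setting in jboss.xml, and a bean that declares the former without the latter hands the callee an anonymous principal. The following descriptor audit is an added example (not code from the JBAS-3945 thread or from JBoss) that cross-checks the two files and flags every run-as bean that has no run-as-principal. It assumes the element names shown in the thread (`security-identity`/`run-as`/`role-name` in ejb-jar.xml, `security-identity`/`run-as-principal` in jboss.xml) and strips XML namespaces if present; the sample descriptors and the extra `Session3` bean are constructed for the demonstration, and the string `"anonymous"` is just the report's label for the anonymous principal.

```python
"""Audit EJB descriptors for run-as beans that will propagate the anonymous
principal. Added example; not part of the JBAS-3945 thread or of JBoss.

Assumption: descriptors use the element names shown in the thread. Namespace
prefixes, if any, are stripped so versioned schemas still parse.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, Optional, Sequence, Tuple

# Constructed sample descriptors, modelled on the snippets in the thread.
# Session3 is invented: it declares run-as but has no jboss.xml entry.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Session1</ejb-name>
      <security-identity><run-as><role-name>internal</role-name></run-as></security-identity>
    </session>
    <session>
      <ejb-name>Session2</ejb-name>
    </session>
    <session>
      <ejb-name>Session3</ejb-name>
      <security-identity><run-as><role-name>batch</role-name></run-as></security-identity>
    </session>
  </enterprise-beans>
</ejb-jar>"""

JBOSS_XML = """<jboss>
  <enterprise-beans>
    <session>
      <ejb-name>Session1</ejb-name>
      <jndi-name>runAsError/Session1</jndi-name>
      <security-identity><run-as-principal>MyNewPrincipalForRunAs</run-as-principal></security-identity>
    </session>
  </enterprise-beans>
</jboss>"""


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{http://...}session' -> 'session'."""
    return tag.rsplit("}", 1)[-1]


def _beans(root: ET.Element) -> Iterator[Tuple[str, ET.Element]]:
    """Yield (ejb-name, element) for every session/entity/message-driven bean."""
    for el in root.iter():
        if _local(el.tag) in ("session", "entity", "message-driven"):
            name = next((c.text.strip() for c in el
                         if _local(c.tag) == "ejb-name" and c.text), None)
            if name:
                yield name, el


def _child_text(el: ET.Element, path: Sequence[str]) -> Optional[str]:
    """Walk a path of local element names and return the leaf's text, or None."""
    cur: Optional[ET.Element] = el
    for want in path:
        cur = next((c for c in cur if _local(c.tag) == want), None)
        if cur is None:
            return None
    return cur.text.strip() if cur.text else None


def run_as_roles(ejb_jar_xml: str) -> Dict[str, str]:
    """ejb-name -> run-as role, for beans that declare one in ejb-jar.xml."""
    out: Dict[str, str] = {}
    for name, el in _beans(ET.fromstring(ejb_jar_xml)):
        role = _child_text(el, ("security-identity", "run-as", "role-name"))
        if role:
            out[name] = role
    return out


def run_as_principals(jboss_xml: str) -> Dict[str, str]:
    """ejb-name -> run-as-principal, for beans that declare one in jboss.xml."""
    out: Dict[str, str] = {}
    for name, el in _beans(ET.fromstring(jboss_xml)):
        principal = _child_text(el, ("security-identity", "run-as-principal"))
        if principal:
            out[name] = principal
    return out


def audit(ejb_jar_xml: str, jboss_xml: str) -> Dict[str, dict]:
    """For every run-as bean, report its role and the principal the callee will
    see from getCallerPrincipal(). Per the thread, a bean with a run-as role but
    no run-as-principal in jboss.xml propagates the anonymous principal."""
    principals = run_as_principals(jboss_xml)
    report: Dict[str, dict] = {}
    for name, role in run_as_roles(ejb_jar_xml).items():
        principal = principals.get(name)
        report[name] = {
            "run_as_role": role,
            "propagated_principal": principal if principal else "anonymous",
            "anonymous_propagation": principal is None,
        }
    return report


if __name__ == "__main__":
    for bean, info in audit(EJB_JAR_XML, JBOSS_XML).items():
        flag = "WARN" if info["anonymous_propagation"] else "ok  "
        print(f"{flag} {bean}: run-as role={info['run_as_role']} "
              f"principal={info['propagated_principal']}")
```

Run against the sample descriptors, `Session1` is reported with `MyNewPrincipalForRunAs` and `Session3` is flagged because its run-as role has no matching run-as-principal; `Session2` does not appear because it declares no run-as at all. Pointing `run_as_roles` and `run_as_principals` at real deployment descriptors gives a quick review check for the situation described in this issue.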
RunAs Causes Unexpected Principal Propagation Switch
----------------------------------------------------
Key: JBAS-3945
URL: https://jira.jboss.org/jira/browse/JBAS-3945
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-4.0.5.GA
Environment: JBoss 4.0.5.GA
JSE 1.5.0_09
Reporter: Stefan Schulze
Assignee: Peter Skopek
Attachments: runAsError.zip
My application is using JAAS authentication on the web and EJB side. An authenticated user
calls a stateless session bean from the web application which uses 'runAs' to
change security role and calls a second stateless session bean. The second bean
recuperates an 'anonymous' principal but it should be the authenticated user. This
does not happen on our production server (JBoss 3.2.7) but on JBoss 4.0.5.GA.
Test case:
I try to attach my test case (where can I attach it ???) which boils down the problem.
To run it, please
- unzip the file (runAsError.zip)
- you can import the content as a project in Eclipse if you prefer
- change the 'jboss.dist' property in the 'ant.properties' file to your
JBoss 4.0.5.GA installation
- run the 'install' target of 'build.xml' which creates a new jboss
container called 'runAsError'
- start the 'runAsError' container (run -c runAsError)
- run the 'test' target of 'build.xml'
What happens:
Standalone client calls Session1.hello() with caller principal 'max'. Session1
calls Session2.hello2() using runAs 'internal'. Session2 should get caller
principal 'max' but gets 'anonymous'. See the Exception that is thrown in
SessionBean2.hello2().
It seems to be a different bug than
http://jira.jboss.com/jira/browse/JBAS-1852 since I
run the JBAS-1852 test and it seemed to work (I had some troubles with the
DatabaseServerLoginModule that were probably related to my incompetence ;-).
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira