[JBoss JIRA] Created: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity
11:57 a.m.
Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Having a secured bean with a timeout method with @PermitAll, but without an
unauthenticatedIdentity will lead to a 'random' identity being used to call the
method or no identity at all. The last one leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has no
client security context. When getCallerPrincipal is called from within the timeout
callback method, it returns the container's representation of the unauthenticated
identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:58 a.m.
New subject: [JBoss JIRA] Commented: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity
[ http://jira.jboss.com/jira/browse/EJBTHREE-1027?page=comments#action_1237... ]
Carlo de Wolf commented on EJBTHREE-1027:
-----------------------------------------
Unit test: timer
Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Having a secured bean with a timeout method with @PermitAll, but without an
unauthenticatedIdentity will lead to a 'random' identity being used to call the
method or no identity at all. The last one leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has
no client security context. When getCallerPrincipal is called from within the timeout
callback method, it returns the container's representation of the unauthenticated
identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:31 a.m.
New subject: [JBoss JIRA] Commented: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity
[ http://jira.jboss.com/jira/browse/EJBTHREE-1027?page=comments#action_1237... ]
Anil Saldhana commented on EJBTHREE-1027:
-----------------------------------------
Please look at EJBTHREE-1036 which leads to a security bypass due to ejbTimeOut callback
having no security context as per spec. So any call to getCallerPrincipal should return
the unauthenticatedIdentity of the security domain that drives the ejb.
EJBTHREE-1036 is done for JBAS5 trunk.
Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Having a secured bean with a timeout method with @PermitAll, but without an
unauthenticatedIdentity will lead to a 'random' identity being used to call the
method or no identity at all. The last one leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has
no client security context. When getCallerPrincipal is called from within the timeout
callback method, it returns the container's representation of the unauthenticated
identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:18 p.m.
New subject: [JBoss JIRA] Assigned: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity
[ http://jira.jboss.com/jira/browse/EJBTHREE-1027?page=all ]
William DeCoste reassigned EJBTHREE-1027:
-----------------------------------------
Assignee: William DeCoste
Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Assigned To: William DeCoste
Having a secured bean with a timeout method with @PermitAll, but without an
unauthenticatedIdentity will lead to a 'random' identity being used to call the
method or no identity at all. The last one leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has
no client security context. When getCallerPrincipal is called from within the timeout
callback method, it returns the container's representation of the unauthenticated
identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:37 p.m.
New subject: [JBoss JIRA] Assigned: (EJBTHREE-1027) Timeout method gets called with an unspecified caller identity
[ http://jira.jboss.com/jira/browse/EJBTHREE-1027?page=all ]
William DeCoste reassigned EJBTHREE-1027:
-----------------------------------------
Assignee: Anil Saldhana (was: William DeCoste)
Timeout method gets called with an unspecified caller identity
--------------------------------------------------------------
Key: EJBTHREE-1027
URL: http://jira.jboss.com/jira/browse/EJBTHREE-1027
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: AS 4.2.1.GA
Reporter: Carlo de Wolf
Assigned To: Anil Saldhana
Having a secured bean with a timeout method with @PermitAll, but without an
unauthenticatedIdentity will lead to a 'random' identity being used to call the
method or no identity at all. The last one leads to EJBAccessExceptions.
Spec 18.2.2:
"Since the timeout callback method is an internal method of the bean class, it has
no client security context. When getCallerPrincipal is called from within the timeout
callback method, it returns the container's representation of the unauthenticated
identity."
We must disallow all calls to a timeout method if unauthenticatedIdentity is not set.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6149
days inactive
6380
days old
4 comments
3 participants
participants (3)
-
Anil Saldhana (JIRA) -
Carlo de Wolf (JIRA)
-
William DeCoste (JIRA)