2:02 a.m.
Michael Gronau created AS7-5075:
-----------------------------------
Summary: Local ejb calls are always anonymous
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:10 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-5075:
-----------------------------------
Can you please attach an example which reproduces this?
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:52 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
Michael Gronau commented on AS7-5075:
-------------------------------------
Thats a bit too difficult. But taking a look at the push(...) method in
SimpleSecurityManager should help: here we run into these lines of code:
// If we have a trusted identity no need for a re-auth.
if (authenticated == false) {
authenticated = authenticate(current, null);
So, authenticate() is called with no subject as for remote calls as well, but for remote
calls a current subject info is created with the user principal of the current remoting
user (taken from the connection) and set in the current security context which goes into
the authenticate(..) method:
util.createSubjectInfo(p, credential, subject);.
Here is the difference. For calls coming from an mbean for example no SubjectInfo is set
for the current context before invoking authenticate(current, null).
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:37 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-5075:
-----------------------------------
I would be surprised if we don't have tests for secured invocation via local EJB
interfaces in our testsuite. In fact, I do see in our testsuite that the
org.jboss.as.test.integration.ejb.security.EJBSecurityTestCase uses local interface of a
bean for a security test.
So what I'm looking for, from you, is a code snippet from your application which shows
the bean class(es) and any annotations/deployment descriptors that you use and the client
invocation (including any login that's involved). It need not be a runnable
application, just a code snippet is fine.
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:13 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
Stuart Douglas commented on AS7-5075:
-------------------------------------
Do you mean that you are doing a JAAS login on the mbean client, and then doing a remote
JMX invocation that calls an EJB, or is the JAAS auth in the MBean method itself?
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:48 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
Michael Gronau commented on AS7-5075:
-------------------------------------
The JAAS login takes place inside the mbean method which then calls the ejb.
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:03 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
Darran Lofthouse commented on AS7-5075:
---------------------------------------
You shouldn't be calling the actual JAAS domain to authenticate at that point, instead
you should call a JAAS domain that just has the ClientLoginModule - that will set the
username and password so that it is used for authentication once the call reaches the EJB
interceptors.
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:13 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
Michael Gronau commented on AS7-5075:
-------------------------------------
Thanks you Darran, thats it! It works like a charm with this configuration.
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:29 a.m.
[
https://issues.jboss.org/browse/AS7-5075?page=com.atlassian.jira.plugin.s...
]
jaikiran pai resolved AS7-5075.
-------------------------------
Resolution: Rejected
Local ejb calls are always anonymous
------------------------------------
Key: AS7-5075
URL: https://issues.jboss.org/browse/AS7-5075
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Michael Gronau
Assignee: jaikiran pai
Labels: ejb, local, remote
Calling an ejb from within a mbean service for example is always running under
'anonymous' user even with a JAAS login before the invocation.
Debugging has shown that only a correct security context is created by the
SimpleSecurityManager when the call comes from a remote client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4311
days inactive
4319
days old
8 comments
4 participants
participants (4)
-
Darran Lofthouse (JIRA) -
jaikiran pai (JIRA)
-
Michael Gronau (JIRA)
-
Stuart Douglas (JIRA)