11:29 a.m.
Security Context over the invocation
------------------------------------
Key: JBAS-4317
URL: http://jira.jboss.com/jira/browse/JBAS-4317
Project: JBoss Application Server
Issue Type: Task
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.Beta2
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Need to move away from the SecurityAssociation usage to incorporate Security Context over
the invocation.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:40 a.m.
New subject: [JBoss JIRA] Resolved: (JBAS-4317) Security Context over the invocation
[ http://jira.jboss.com/jira/browse/JBAS-4317?page=all ]
Anil Saldhana resolved JBAS-4317.
---------------------------------
Resolution: Done
The issue will be closed when no issues associated will be identified by the various
subsystems.
Security Context over the invocation
------------------------------------
Key: JBAS-4317
URL: http://jira.jboss.com/jira/browse/JBAS-4317
Project: JBoss Application Server
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.Beta2
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Need to move away from the SecurityAssociation usage to incorporate Security Context over
the invocation.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3:48 a.m.
New subject: [JBoss JIRA] Reopened: (JBAS-4317) Security Context over the invocation
[ http://jira.jboss.com/jira/browse/JBAS-4317?page=all ]
Thomas Diesler reopened JBAS-4317:
----------------------------------
With various jbossws tests I was getting
IllegalStateException("Security Context in invocation is null");
Please validate the change below.
First throwing an ISE and then further down calling seems not logical
//Place on the invocation
if(mi.getSecurityContext() == null)
mi.setSecurityContext(SecurityActions.getSecurityContext());
[tdiesler@tddell trunk]$ svn diff server
Index: server/src/main/org/jboss/ejb/SessionContainer.java
===================================================================
--- server/src/main/org/jboss/ejb/SessionContainer.java (revision 62601)
+++ server/src/main/org/jboss/ejb/SessionContainer.java (working copy)
@@ -620,9 +620,9 @@
public Object internalInvokeHome(Invocation mi) throws Exception
{
- //Validate that there is a security context on the invocation
+ //Place on the invocation
if(mi.getSecurityContext() == null)
- throw new IllegalStateException("Security Context in invocation is
null");
+ mi.setSecurityContext(SecurityActions.getSecurityContext());
String securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
if(sm != null)
@@ -633,9 +633,6 @@
mi.getCredential(), securityDomain, null);
}
SecurityActions.pushCallerRunAsIdentity(mi.getSecurityContext().getRunAs());
- //Place on the invocation
- if(mi.getSecurityContext() == null)
- mi.setSecurityContext(SecurityActions.getSecurityContext());
Method method = mi.getMethod();
if (method != null && method.getName().equals("remove"))
@@ -672,9 +669,9 @@
*/
public Object internalInvoke(Invocation mi) throws Exception
{
- //Validate that there is a security context on the invocation
+ //Place on the invocation
if(mi.getSecurityContext() == null)
- throw new IllegalStateException("Security Context in invocation is
null");
+ mi.setSecurityContext(SecurityActions.getSecurityContext());
String securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
if(sm != null)
@@ -685,9 +682,6 @@
mi.getCredential(), securityDomain, null);
}
SecurityActions.pushCallerRunAsIdentity(mi.getSecurityContext().getRunAs());
- //Place on the invocation
- if(mi.getSecurityContext() == null)
- mi.setSecurityContext(SecurityActions.getSecurityContext());
try
{
Security Context over the invocation
------------------------------------
Key: JBAS-4317
URL: http://jira.jboss.com/jira/browse/JBAS-4317
Project: JBoss Application Server
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.Beta2
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Need to move away from the SecurityAssociation usage to incorporate Security Context over
the invocation.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:26 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-4317) Security Context over the invocation
[ http://jira.jboss.com/jira/browse/JBAS-4317?page=comments#action_12360717 ]
Anil Saldhana commented on JBAS-4317:
-------------------------------------
Thomas, the security context either comes over the wire (remote calls) or comes from the
thread local (Local EJB invocations). So where-ever the Invocation object is created on
the server side, the security context needs to be set on the Invocation object. The
IllegalStateException thrown in the containers was one way of validating that whoever was
creating the Invocation object has set the security context (just the way they would have
done with .setPrincipal, setCredential etc).
The primary issue is that there are various integration layers constructing the Invocation
object rather than a central place. Some of the examples where the Invocation object is
created on the server side include the BaseLocalProxyFactory, ProxyFinderFactory,
CMPFieldBridgexxxx.
So I will need to revert back the IllegalStateException and need your stack trace so that
I can understand where your Invocation is being created.
Once the containers have established that the invocation does contain a security context,
they set it on the thread local so that the JACC PolicyContext get Subject call always
takes care of the RunAsIdentity that came into the specific container.
Security Context over the invocation
------------------------------------
Key: JBAS-4317
URL: http://jira.jboss.com/jira/browse/JBAS-4317
Project: JBoss Application Server
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.Beta2
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Need to move away from the SecurityAssociation usage to incorporate Security Context over
the invocation.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:35 p.m.
New subject: [JBoss JIRA] Closed: (JBAS-4317) Security Context over the invocation
[ http://jira.jboss.com/jira/browse/JBAS-4317?page=all ]
Anil Saldhana closed JBAS-4317.
-------------------------------
Resolution: Done
The establishment of security context over the invocation and verification is performed in
a separate interceptor now. Actors that create their own invocation objects do not need to
explicitly set the security context on the invocation on the server side.
Security Context over the invocation
------------------------------------
Key: JBAS-4317
URL: http://jira.jboss.com/jira/browse/JBAS-4317
Project: JBoss Application Server
Issue Type: Task
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.Beta2
Reporter: Anil Saldhana
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Need to move away from the SecurityAssociation usage to incorporate Security Context over
the invocation.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6444
days inactive
6464
days old
4 comments
2 participants
participants (2)
-
Anil Saldhana (JIRA) -
Thomas Diesler (JIRA)