h2. Description
I think Picketlink, when used for SAML authentication using {{SAML2LoginModule}} and {{SPServletExtension}}, swallows the {{EJBContext}}'s CallerPrincipal somehow.
The result is that JSF beans cannot call EJBs because of security violations, even if you set {{@SecurityDomain}} and {{@RolesAllowed}} on the EJB.
h2. How to Reproduce
0. Check out the org.picketlink.quickstarts.picketlink-federation-saml-idp-basic quickstart, and deploy it to Wildfly
1. Check out my fork of the picketlink-federation-saml-sp-post-basic quick start at https://github.com/The-Alchemist/jboss-picketlink-quickstarts/tree/ejb-context-test
2. Run the CLI script to create the {{sp}} security domain (no changes from the original)
3. Deploy my fork
Try to access http://localhost:8080/sales-post/alchemist.xhtml (the IDP will ask you to login. Login with tomcat/tomcat as the credentials).
You will get a stack trace:
{noformat}
javax.servlet.ServletException: WFLYEJB0364: Invocation on method: public java.security.Principal alchemist.RandomEJB.getPrincipal() of bean: RandomEJB is not allowed
javax.faces.webapp.FacesServlet.service(FacesServlet.java:667)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
{noformat}
h3. The Offending EJB
{code:java}
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;

// The report also tried the org.jboss.security.annotation.SecurityDomain variant.
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.logging.Logger;

@SecurityDomain("sp")
@RolesAllowed("manager")
@Named
@Stateless
public class RandomEJB {

    @Inject
    private Logger logger;

    @Resource
    private EJBContext ejbContext;

    // Returns the principal the EJB container associates with this invocation.
    public Principal getPrincipal() {
        Principal callerPrincipal = this.ejbContext.getCallerPrincipal();
        logger.infov("EJB says that the caller principal is: {0}", callerPrincipal);
        return callerPrincipal;
    }
}
{code}
h3. What I Tried
I pulled out all the stops:
* Tried both {{@SecurityDomain}} annotations from the two packages (...security.annotation and ...ejb.annotation)
* I created a jboss.xml, jboss-ejb3.xml, jboss-web.xml and set the security-domain
* I tried setting the {{default-security-domain}} in the standalone XML
* Tried setting {{missing-method-permissions-deny-access}} to {{false}}
Nothing has seemed to work...
What's super strange is that everything is fine when you try a "regular" login module like {{DatabaseServerLoginModule}}.
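To narrow down where the caller principal is lost between the SAML-authenticated web tier and the EJB container, the following request-scoped JSF bean compares what each layer sees on the same request. It is an added diagnostic, not code from the report or the quickstart; it assumes the {{RandomEJB}} above is on the classpath and that the deployment declares a dependency on the {{org.picketbox}} module so {{SecurityContextAssociation}} is visible.

```java
// Added diagnostic (not part of the report or the quickstart): shows the principal
// and role as seen by the servlet container, by PicketBox's thread-local security
// context, and by the EJB container, all within one request.
import java.security.Principal;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.enterprise.context.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;

import org.jboss.logging.Logger;
import org.jboss.security.SecurityContextAssociation; // assumes org.picketbox module dependency

@Named
@RequestScoped
public class PrincipalProbe {

    private static final Logger LOG = Logger.getLogger(PrincipalProbe.class);

    @EJB
    private RandomEJB randomEJB; // the @RolesAllowed("manager") bean from the report

    // Bind #{principalProbe.summary} in alchemist.xhtml to render the comparison.
    public String getSummary() {
        ExternalContext ctx = FacesContext.getCurrentInstance().getExternalContext();

        // 1. What the servlet container established after SPServletExtension processed the assertion.
        Principal webPrincipal = ctx.getUserPrincipal();
        boolean webHasManagerRole = ctx.isUserInRole("manager");

        // 2. What the legacy security subsystem holds on this thread; this is the
        //    context the EJB container consults when it builds the caller principal.
        Principal associatedPrincipal = SecurityContextAssociation.getPrincipal();

        // 3. What the EJB container actually enforces: either the principal it sees,
        //    or the access denial that the report's stack trace shows.
        String ejbView;
        try {
            ejbView = "ejb caller=" + randomEJB.getPrincipal();
        } catch (EJBAccessException denied) {
            ejbView = "ejb denied: " + denied.getMessage();
        }

        String summary = "web principal=" + webPrincipal
                + " inRole(manager)=" + webHasManagerRole
                + " | thread security context principal=" + associatedPrincipal
                + " | " + ejbView;
        LOG.info(summary);
        return summary;
    }
}
```

If the web principal and role are present but the thread security context principal is null, the hand-off into the security domain is the part to look at; if all three are null, the SAML login never populated the web tier's security context.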
h2. Sources I've Looked At
* http://stackoverflow.com/a/28151391/423943
* https://github.com/wildfly/quickstart/tree/9.x/ejb-security
* https://developer.jboss.org/thread/239395?start=0&tstart=0
* https://docs.jboss.org/author/display/WFLY8/Securing+EJBs
* https://docs.oracle.com/cd/E19316-01/819-3669/bncaa/index.html