[jboss-jira] [JBoss JIRA] Created: (EJBTHREE-918) problem with security principal when using @PreUpdate annotation on entity
Ramil Israfilov (JIRA)
jira-events at lists.jboss.org
Mon Mar 19 06:03:53 EDT 2007
problem with security principal when using @PreUpdate annotation on entity
--------------------------------------------------------------------------
Key: EJBTHREE-918
URL: http://jira.jboss.com/jira/browse/EJBTHREE-918
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: EJB 3.0 RC9 - FD
Reporter: Ramil Israfilov
We have an entity which is annotated using @EntityListener(SecurityEntityListener.class). On this SecurityEntityListener class we have methods which are annotated using @PrePersist and @PreUpdate; they are identical and do some security check:
------------
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;

import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import javax.security.auth.Subject;

import org.apache.log4j.Logger;
import org.jboss.security.SecurityAssociation;

public class SecurityEntityListener {

    private static final Logger log = Logger.getLogger(SecurityEntityListener.class);

    // JBoss login modules place the caller's roles into a Group principal with this name.
    private static final String ROLES_GROUP_NAME = "Roles";
    // Role that gets unrestricted access; the real value is not given in the report (assumed here).
    private static final String ADMIN_ROLE = "administrator";

    // Both callbacks are identical: @PrePersist runs inside persist(), @PreUpdate only at flush time.
    @PrePersist
    public void prePersist(SecuredObject object) {
        isAllowed(object);
    }

    @PreUpdate
    public void preUpdate(SecuredObject object) {
        isAllowed(object);
    }

    void isAllowed(SecuredObject object) {
        // Both values are thread-local; they are only present while the secured EJB call is active.
        Subject subject = SecurityAssociation.getSubject();
        Principal principal = SecurityAssociation.getPrincipal();
        if (principal == null || subject == null) {
            SecurityException e = new SecurityException("No principal/subject for EJB session, can't persist object class: "
                    + object.getClass() + " object: " + object);
            log.error(e);
            throw e;
        }
        if (isAdministrator()) {
            return;
        }
        ....
        throw new SecurityException("Session with subject " + subject + " doesn't have right to work with this object: " + object);
    }

    public static boolean isAdministrator() {
        Subject subject = SecurityAssociation.getSubject();
        if (subject == null) {
            log.warn("No subject associated with execution thread");
            return false;
        }
        // Find the "Roles" group among the subject's principals and scan its members for the admin role.
        for (Group group : subject.getPrincipals(Group.class)) {
            if (group != null && ROLES_GROUP_NAME.equals(group.getName())) {
                Enumeration<? extends Principal> members = group.members();
                while (members.hasMoreElements()) {
                    Principal role = members.nextElement();
                    if (role != null && ADMIN_ROLE.equals(role.getName())) {
                        if (log.isDebugEnabled()) log.debug("User will get administrator access to the database");
                        return true;
                    }
                }
            }
        }
        return false;
    }
}
------------
This entity is persisted/updated from an EJB3 stateless bean which is protected by the @SecurityDomain("ourdomain") annotation.
We have our own JBoss module for this domain which does the login of the user and the assigning of roles from the database.
This EJB3 bean is called from an MDB:
public void onMessage(Message msg) {
    ...
    final String user = msg.getStringProperty(PROCESS_USER);
    final String password = msg.getStringProperty(PROCESS_PASSWORD);
    login = JAASLoginHelper.getLoginContext(user, password);
    login.login();
    InitialContext ctx = new InitialContext();
    ExecutorInterface executor = (ExecutorInterface) ctx.lookup(beanName);
    auditId = executor.setResultData(properties, obj1, jmsId);
    ...
}
In the method setResultData we perform a persist or an update (if it already exists) of the entity.
If we do a persist then everything works OK.
But if we do an update of the object then the isAdministrator method returns false and we get a SecurityException as a result.
It seems that during the commit of the JMS message (we are using an RDBMS to store JMS messages) the EJB3 container is trying to do a flush() and at this time the security principal is lost.
The strange thing is that it works with the @PrePersist annotation and doesn't work with @PreUpdate.
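One way to make the @PreUpdate check see the caller's security context is to force the flush inside the secured bean method, so that the callback runs while the EJB call (and its thread-local principal/subject) is still active rather than later at JMS/transaction commit. The following is an added example, not code from the report or from JBoss; the bean and interface names, the SecuredObject accessors (getId, setData), the isCallerInRole guard, the explicit em.flush(), and the org.jboss.annotation.security.SecurityDomain package (JBoss 4.x EJB3) are all assumptions.

```java
import java.security.Principal;

import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

import org.jboss.annotation.security.SecurityDomain; // assumed package for JBoss 4.x EJB3

// Assumed local interface; the report's ExecutorInterface has a different signature.
@Local
interface ResultExecutor {
    long setResultData(long id, String data);
}

/**
 * Added example: a stateless bean secured like the one in the report that
 * flushes the persistence context before returning. JPA invokes @PreUpdate at
 * flush time, so flushing here runs the entity listener's SecurityAssociation
 * check on this thread, under this caller, instead of at commit time when the
 * container may already have cleared the thread-local security context.
 */
@Stateless
@SecurityDomain("ourdomain")
public class ResultExecutorBean implements ResultExecutor {

    // Assumed role name; the report does not give the real value.
    private static final String ADMIN_ROLE = "administrator";

    @PersistenceContext
    private EntityManager em;

    @Resource
    private SessionContext ctx;

    public long setResultData(long id, String data) {
        // Capture the caller while the EJB security context is guaranteed to be present.
        // The container's view of the caller does not depend on the SecurityAssociation thread-local.
        Principal caller = ctx.getCallerPrincipal();

        // Added guard: decide inside the secured call, where role information is reliable,
        // rather than relying only on a callback that may run after the call has returned.
        if (!ctx.isCallerInRole(ADMIN_ROLE)) {
            throw new EJBAccessException("Caller " + caller.getName() + " may not modify SecuredObject " + id);
        }

        SecuredObject entity = em.find(SecuredObject.class, id);  // SecuredObject is the report's entity type
        if (entity == null) {
            // New row: @PrePersist fires inside persist(), still within the secured call.
            entity = new SecuredObject();
            entity.setData(data);
            em.persist(entity);
        } else {
            // Existing row: changing state marks the entity dirty, but @PreUpdate
            // would only fire at the next flush, which by default is at commit.
            entity.setData(data);
        }

        // Force the flush now so @PreUpdate (and its SecurityAssociation check)
        // runs on this thread with the caller's subject, not at JMS commit.
        em.flush();

        return entity.getId();
    }
}
```

The trade-off is that em.flush() issues the UPDATE during the bean call instead of at commit; a failing listener check still rolls the transaction back, but the SQL round-trip moves earlier. Any check that must run after the bean returns cannot rely on the thread-local SecurityAssociation and should be handed the principal explicitly, as the isCallerInRole guard above does by deciding inside the call.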