[jboss-jira] [JBoss JIRA] Created: (JBAS-7053) org.jboss.security.jacc.SubjectPolicyContexthandler looking two levels up into RunAsIdentity stack

Jesus Menendez (JIRA) jira-events at lists.jboss.org
Wed Jun 24 08:54:56 EDT 2009 

org.jboss.security.jacc.SubjectPolicyContexthandler looking two levels up into RunAsIdentity stack
--------------------------------------------------------------------------------------------------

                 Key: JBAS-7053
                 URL: https://jira.jboss.org/jira/browse/JBAS-7053
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.2.3.GA, JBossAS-4.2.2.GA
            Reporter: Jesus Menendez
            Assignee: Anil Saldhana



Connfiguration of EJB is
ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
  <enterprise-beans>
    <session> 
         <ejb-name>editors</ejb-name>
         <mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
         <business-local>com.assethouse.goya.process.agent.Agent</business-local>
         <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
         <session-type>Stateless</session-type>
         <timeout-method>
              <method-name>startTask</method-name>
         </timeout-method>
         <security-identity>
            <run-as>
                <description>Group for editors Partition</description>
                <role-name>editors</role-name>
            </run-as>
         </security-identity>
      </session>
     <session>
         <ejb-name>publishers</ejb-name>
        <mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
        <business-local>com.assethouse.goya.process.agent.Agent</business-local>
        <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
        <session-type>Stateless</session-type>
        <timeout-method>
           <method-name>startTask</method-name>
           </timeout-method>
        <security-identity>
           <run-as>
               <description>Group for publishers Partition</description>
               <role-name>publishers</role-name>
           </run-as>
        </security-identity>
     </session>
     
</enterprise-beans>
<assembly-descriptor>
   <security-role>
       <role-name>editors</role-name>
    </security-role>
    <security-role>
        <role-name>publisher</role-name>
     </security-role>
  </assembly-descriptor>
</ejb-jar>



jboss.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
    "-//JBoss//DTD JBOSS 4_2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">

<jboss>

    <security-domain>java:/jaas/process</security-domain>
    
    <enterprise-beans>
        <session>
            <ejb-name>editors</ejb-name>
            <security-identity>
                <run-as-principal>editor</run-as-principal>
            </security-identity>
        </session>

        <session>
            <ejb-name>publishers</ejb-name>
            <security-identity>
                <run-as-principal>publisher</run-as-principal>
            </security-identity>
        </session>

    </enterprise-beans>

    <assembly-descriptor>
        <security-role>
            <role-name>publishers</role-name>
            <principal-name>publisher</principal-name>
        </security-role>
        <security-role>
            <role-name>editors</role-name>
            <principal-name>editor</principal-name>
        </security-role>
    </assembly-descriptor>

</jboss>


Also configured the login-module with a new security domain with an UserRoleLoginModule plugin

roles.properties
   publisher=publishers
   editor=editors

user.properties
     publisher=password
     editor=password


When I use PolicyContext.getContext("") within and AgentBean method it should return the RunAsIdentity of that method as declared in the run-as . it returns anonymous wihch is the current authenticated user.. not the one specified in run-as

When I looked at the source code  in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in  lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
               SecurityAssociation.peekRunAsIdentity(1);

What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the top element in the stack
I patched Jboss with this modification and the PolicyContext.getContext("") started returning the right values (editors and publishers)

So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler
Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1. That is looking two levels down in the stack isn't it? 



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list