[jboss-jira] [JBoss JIRA] Updated: (JBAS-7053) org.jboss.security.jacc.SubjectPolicyContexthandler looking two levels up into RunAsIdentity stack

Jesus Menendez (JIRA) jira-events at lists.jboss.org
Wed Jun 24 08:58:56 EDT 2009


     [ https://jira.jboss.org/jira/browse/JBAS-7053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jesus Menendez updated JBAS-7053:
---------------------------------

    Description: 
I configured two EJBs to make use of the run-as security identity tag
The EJBS implement a class called AgentBean

When I use PolicyContext.getContext("javax.security.auth.Subject.container") within an AgentBean method it should return the RunAsIdentity of that method as declared in the run-as tag. It returns anonymous, which is the current authenticated user, not the one specified in run-as.


When I looked at the source code  in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in  lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
               SecurityAssociation.peekRunAsIdentity(1);

What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the top element in the stack.
I patched JBoss with this modification and PolicyContext.getContext("javax.security.auth.Subject.container") started returning the right values (editors and publishers).

So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler?
Why is SecurityAssociation.peekRunAsIdentity being called with a parameter value of 1? That is looking two levels down in the stack, isn't it?




Configuration of the EJBs is
ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
  <enterprise-beans>
    <session>
      <ejb-name>editors</ejb-name>
      <mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
      <business-local>com.assethouse.goya.process.agent.Agent</business-local>
      <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
      <session-type>Stateless</session-type>
      <timeout-method>
        <method-name>startTask</method-name>
      </timeout-method>
      <security-identity>
        <run-as>
          <description>Group for editors Partition</description>
          <role-name>editors</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>publishers</ejb-name>
      <mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
      <business-local>com.assethouse.goya.process.agent.Agent</business-local>
      <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
      <session-type>Stateless</session-type>
      <timeout-method>
        <method-name>startTask</method-name>
      </timeout-method>
      <security-identity>
        <run-as>
          <description>Group for publishers Partition</description>
          <role-name>publishers</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>editors</role-name>
    </security-role>
    <security-role>
      <role-name>publisher</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>



jboss.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
    "-//JBoss//DTD JBOSS 4_2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">

<jboss>

    <security-domain>java:/jaas/process</security-domain>
    
    <enterprise-beans>
        <session>
            <ejb-name>editors</ejb-name>
            <security-identity>
                <run-as-principal>editor</run-as-principal>
            </security-identity>
        </session>

        <session>
            <ejb-name>publishers</ejb-name>
            <security-identity>
                <run-as-principal>publisher</run-as-principal>
            </security-identity>
        </session>

    </enterprise-beans>

    <assembly-descriptor>
        <security-role>
            <role-name>publishers</role-name>
            <principal-name>publisher</principal-name>
        </security-role>
        <security-role>
            <role-name>editors</role-name>
            <principal-name>editor</principal-name>
        </security-role>
    </assembly-descriptor>

</jboss>


Also configured the login module in a new security domain with a UserRoleLoginModule plugin

roles.properties
   publisher=publishers
   editor=editors

user.properties
     publisher=password
     editor=password




  was:

Configuration of the EJBs is
ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
  <enterprise-beans>
    <session>
      <ejb-name>editors</ejb-name>
      <mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
      <business-local>com.assethouse.goya.process.agent.Agent</business-local>
      <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
      <session-type>Stateless</session-type>
      <timeout-method>
        <method-name>startTask</method-name>
      </timeout-method>
      <security-identity>
        <run-as>
          <description>Group for editors Partition</description>
          <role-name>editors</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>publishers</ejb-name>
      <mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
      <business-local>com.assethouse.goya.process.agent.Agent</business-local>
      <ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
      <session-type>Stateless</session-type>
      <timeout-method>
        <method-name>startTask</method-name>
      </timeout-method>
      <security-identity>
        <run-as>
          <description>Group for publishers Partition</description>
          <role-name>publishers</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>editors</role-name>
    </security-role>
    <security-role>
      <role-name>publisher</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>



jboss.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
    "-//JBoss//DTD JBOSS 4_2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">

<jboss>

    <security-domain>java:/jaas/process</security-domain>
    
    <enterprise-beans>
        <session>
            <ejb-name>editors</ejb-name>
            <security-identity>
                <run-as-principal>editor</run-as-principal>
            </security-identity>
        </session>

        <session>
            <ejb-name>publishers</ejb-name>
            <security-identity>
                <run-as-principal>publisher</run-as-principal>
            </security-identity>
        </session>

    </enterprise-beans>

    <assembly-descriptor>
        <security-role>
            <role-name>publishers</role-name>
            <principal-name>publisher</principal-name>
        </security-role>
        <security-role>
            <role-name>editors</role-name>
            <principal-name>editor</principal-name>
        </security-role>
    </assembly-descriptor>

</jboss>


Also configured the login module in a new security domain with a UserRoleLoginModule plugin

roles.properties
   publisher=publishers
   editor=editors

user.properties
     publisher=password
     editor=password


When I use PolicyContext.getContext("") within an AgentBean method it should return the RunAsIdentity of that method as declared in the run-as. It returns anonymous, which is the current authenticated user, not the one specified in run-as.

When I looked at the source code  in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in  lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
               SecurityAssociation.peekRunAsIdentity(1);

What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the top element in the stack.
I patched JBoss with this modification and PolicyContext.getContext("") started returning the right values (editors and publishers).

So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler?
Why is SecurityAssociation.peekRunAsIdentity being called with a parameter value of 1? That is looking two levels down in the stack, isn't it?





> org.jboss.security.jacc.SubjectPolicyContexthandler looking two levels up into RunAsIdentity stack
> --------------------------------------------------------------------------------------------------
>
>                 Key: JBAS-7053
>                 URL: https://jira.jboss.org/jira/browse/JBAS-7053
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.2.2.GA, JBossAS-4.2.3.GA
>            Reporter: Jesus Menendez
>            Assignee: Anil Saldhana
>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
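Added example, not code from the JIRA issue or from the JBoss source: a small Java model of a per-thread run-as stack with a peek(depth) call, showing what a handler keyed on javax.security.auth.Subject.container would see at depth 0 versus depth 1 from inside a run-as bean, for a caller with no run-as of its own and for a nested bean-to-bean call. The class and method names (RunAsStackDemo, peek, invoke, subjectSeenAt), the "anonymous" caller principal, and the assumption that the container pushes a bean's run-as identity before each method invocation and pops it afterwards are all assumptions made for illustration; the editors/editor and publishers/publisher pairs are taken from the descriptors in the report.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;

/**
 * Added example (not JBoss code): a minimal model of a per-thread run-as
 * stack and of a peek(depth) lookup, to make the depth-0 / depth-1
 * distinction visible from inside a run-as bean.
 */
public class RunAsStackDemo {

    /** Stand-in for a run-as identity: a role name plus the principal it maps to. */
    static final class RunAs {
        final String role;
        final String principal;
        RunAs(String role, String principal) { this.role = role; this.principal = principal; }
        @Override public String toString() { return role + "/" + principal; }
    }

    /** Per-thread stack; the head of the deque is the top of the stack. */
    private static final ThreadLocal<Deque<RunAs>> STACK =
            ThreadLocal.withInitial(ArrayDeque::new);

    static void push(RunAs ra) { STACK.get().push(ra); }
    static void pop()          { STACK.get().pop(); }

    /**
     * depth 0 = top of the stack (run-as of the component currently executing),
     * depth 1 = one below the top (run-as of the component that called it),
     * null when the stack is not that deep.
     */
    static RunAs peek(int depth) {
        Iterator<RunAs> it = STACK.get().iterator();   // iterates from the top down
        for (int i = 0; i < depth && it.hasNext(); i++) it.next();
        return it.hasNext() ? it.next() : null;
    }

    /**
     * What a Subject handler peeking at the given depth would report: the run-as
     * identity found there, or the authenticated caller principal when no run-as
     * identity is present at that depth.
     */
    static String subjectSeenAt(int depth, String authenticatedCaller) {
        RunAs ra = peek(depth);
        return ra == null ? authenticatedCaller : ra.toString();
    }

    /** Assumed container behaviour: push the bean's run-as around the method body. */
    static void invoke(RunAs beanRunAs, Runnable body) {
        push(beanRunAs);
        try { body.run(); } finally { pop(); }
    }

    public static void main(String[] args) {
        String caller = "anonymous";   // assumed caller: authenticated principal, no run-as
        RunAs editors    = new RunAs("editors", "editor");
        RunAs publishers = new RunAs("publishers", "publisher");

        // caller -> editors bean
        invoke(editors, () -> {
            System.out.println("in editors    depth0=" + subjectSeenAt(0, caller)
                             + "  depth1=" + subjectSeenAt(1, caller));
            // editors bean -> publishers bean (nested run-as)
            invoke(publishers, () -> {
                System.out.println("in publishers depth0=" + subjectSeenAt(0, caller)
                                 + "  depth1=" + subjectSeenAt(1, caller));
            });
        });
    }
}
```

Compile and run with javac and java. Inside the editors bean, depth 0 is the bean's own run-as (editors/editor) while depth 1 is the caller's; for a caller with no run-as the model finds nothing at depth 1 and falls back to the caller principal, which is the "anonymous" result described in the report. In the nested publishers call, depth 1 is editors/editor, the run-as of the calling bean. Whether a handler for javax.security.auth.Subject.container should report the executing bean's run-as (depth 0) or its caller's (depth 1) is exactly the question the issue raises; the model only makes the two readings visible.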

        


