[jboss-jira] [JBoss JIRA] Assigned: (JBAS-8600) An EJB invocation with runas-identity causes that runas-identity to be used for all invocations of that EJB

[Alexey Loubyansky (JIRA)]

     [ https://jira.jboss.org/browse/JBAS-8600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexey Loubyansky reassigned JBAS-8600:
---------------------------------------

    Assignee: Anil Saldhana  (was: Alexey Loubyansky)


Anil, can you check, please?

> An EJB invocation with runas-identity causes that runas-identity to be used for all invocations of that EJB
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: JBAS-8600
>                 URL: https://jira.jboss.org/browse/JBAS-8600
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB2
>    Affects Versions: JBossAS-5.1.0.GA
>            Reporter: Magnus Lind
>            Assignee: Anil Saldhana
>
> If a context associated with a runas-identity invokes a method on a (non-runas deployed) stateless session EJB then subsequent invocations from any authenticated context will be performed as if the EJB was runas-deployed using that identity.
> Only a restart of the application server will help.
> A runas-identity context is usually established within invocations of Servlets or EJBs with runas-deployment. All non-runas deployed EJBs invoked from such a servlet, EJB (or MDB) will be affected.
> This behavior is probably caused by a bug in org.jboss.ejb.plugins.SecurityInterceptor. The following patch solves the problem for us:
> Index: org/jboss/ejb/plugins/SecurityInterceptor.java
> ===================================================================
> --- org/jboss/ejb/plugins/SecurityInterceptor.java	(revision 109035)
> +++ org/jboss/ejb/plugins/SecurityInterceptor.java	(arbetskopia)
> @@ -248,18 +248,19 @@
>           throw e;
>        }
>  
> +      RunAs runAsIdentityToPush = runAsIdentity;
>        /**
>         * Special case: if <use-caller-identity> configured and
>         * the caller is arriving with a run-as, we need to push that run-as
>         */
>        if (callerRunAsIdentity != null && this.isUseCallerIdentity)
> -         this.runAsIdentity = callerRunAsIdentity;
> +         runAsIdentityToPush = callerRunAsIdentity;
>  
>        /* If a run-as role was specified, push it so that any calls made
>         by this bean will have the runAsRole available for declarative
>         security checks.
>        */
> -      SecurityActions.pushRunAsIdentity(runAsIdentity);
> +      SecurityActions.pushRunAsIdentity(runAsIdentityToPush);
>  
>        try
>        {

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira