[jboss-jira] [JBoss JIRA] (AS7-6730) switching users between ejb calls does not work when the call originates from a remote client
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Wed Mar 13 14:06:42 EDT 2013
[ https://issues.jboss.org/browse/AS7-6730?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated AS7-6730:
----------------------------------
Fix Version/s: 8.0.0.Alpha1 (was: No Release)
I will check this in detail tomorrow but I am almost tempted to just switch this to a bug.
> switching users between ejb calls does not work when the call originates from a remote client
> ---------------------------------------------------------------------------------------------
>
> Key: AS7-6730
> URL: https://issues.jboss.org/browse/AS7-6730
> Project: Application Server 7
> Issue Type: Feature Request
> Components: EJB
> Affects Versions: 7.1.3.Final (EAP)
> Reporter: Derek Horton
> Assignee: Darran Lofthouse
> Fix For: 8.0.0.Alpha1
>
>
> Description of problem:
> Switching users between ejb calls does not work when the call originates
> from a remote client. In this case, both ejbs are on the same JBoss instance.
> The use case looks like the following:
> remote standalone client ---> unsecured ejb3 (switch user here) -> secured ejb3
> I tried to use both approaches outlined in Q10/A10 of the JBoss
> Security FAQ [1] in order to establish a security context in
> the unsecured ejb that should be used to invoke the secured ejb.
> Neither approach worked in my testing.
> When the same unsecured ejb is called from a web application (secured
> or unsecured), then the user switching works correctly.
> The ejb security code appears to work differently based on the client
> type (standalone remote ejb client vs a web application).
> I believe this is happening because the
> org.jboss.as.security.service.SimpleSecurityManager.push method (called
> by the SecurityContextInterceptor) is checking for an existing
> RemotingContext and grabbing the security context from there even
> though the security context that should be used appears to be getting
> propagated correctly.
> The following area of the code appears to be causing the issue. This
> section of code is executed, which causes the newly established security
> context to be ignored:
> if (RemotingContext.isSet()) {
> // In this case the principal and credential will not have been set to set some random values.
> SecurityContextUtil util = current.getUtil();
> Steps to Reproduce:
> Create a test application that looks like the following:
> remote client ---> unsecured ejb3 (switch user here) -> secured ejb3
> Actual results:
> If the unsecured ejb is invoked from a remote client, the user switching that takes place in the first ejb is ignored. Replace the remote standalone client with a web application and the user switching works.
> Expected results:
> User switching should work if the client is a standalone remote client or a web application.
> Additional info: