[jboss-jira] [JBoss JIRA] (WFLY-2016) Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread

jaikiran pai (JIRA) jira-events at lists.jboss.org
Fri Sep 6 03:23:03 EDT 2013


jaikiran pai created WFLY-2016:
----------------------------------

             Summary: Security context associated with EJB asynchronous invocations can potentially be corrupted over time by the caller thread
                 Key: WFLY-2016
                 URL: https://issues.jboss.org/browse/WFLY-2016
             Project: WildFly
          Issue Type: Bug
          Components: EJB, Security
    Affects Versions: 8.0.0.Alpha4
            Reporter: jaikiran pai
            Assignee: jaikiran pai


Consider a servlet "S" which invokes on an asynchronous EJB "A". Let's assume "S" runs with a "foo" run-as role. Now when S invokes on "A", the run-as "foo" role is correctly propagated to the asynchronous EJB invocation. However, when the "S" invocation completes and potentially clears the security context (of any run-as role), the invocation(s) within the asynchronous EJB "A" too lose the corresponding security context role association. This is because the 2 threads (the servlet invocation one and the async EJB invocation one) literally share the same object instance of the SecurityContext.

The expected behaviour is that the original security context (attributes) are copied over to the async invocation and updates to that security context later on in a separate thread shouldn't affect the ongoing async EJB invocation.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
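
The shared-instance behaviour described in the report, next to the copy-on-dispatch behaviour it asks for, as an added example that is not part of the original message and is not WildFly code. The SecurityContext class, its methods and roleSeenByAsync are hypothetical stand-ins; latches force the ordering in which "S" completes while "A" is still running.

```java
import java.util.concurrent.*;

public class AsyncSecurityContextDemo {
    // Hypothetical stand-in for a mutable security context; not a WildFly class.
    static final class SecurityContext {
        private volatile String runAsRole;
        SecurityContext(String role) { this.runAsRole = role; }
        String getRunAsRole() { return runAsRole; }
        void clearRunAs() { runAsRole = null; }
        // Snapshot of the attributes, detached from the caller's instance.
        SecurityContext copy() { return new SecurityContext(runAsRole); }
    }

    // Returns the run-as role the async invocation sees after the caller cleaned up.
    static String roleSeenByAsync(boolean copyOnDispatch) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            SecurityContext callerCtx = new SecurityContext("foo"); // "S" runs as "foo"
            // Reported behaviour: same instance handed over. Expected: a copy.
            SecurityContext asyncCtx = copyOnDispatch ? callerCtx.copy() : callerCtx;
            CountDownLatch started = new CountDownLatch(1);
            CountDownLatch callerDone = new CountDownLatch(1);
            Future<String> result = pool.submit(() -> {
                started.countDown();   // async invocation "A" is in progress
                callerDone.await();    // and still running when "S" completes
                return asyncCtx.getRunAsRole();
            });
            started.await();
            callerCtx.clearRunAs();    // "S" completes and clears its run-as role
            callerDone.countDown();
            return result.get(5, TimeUnit.SECONDS);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shared instance:    " + roleSeenByAsync(false));
        System.out.println("copied at dispatch: " + roleSeenByAsync(true));
    }
}
```

With the shared instance the async side reads the context only after the caller has cleared it, so any role check made at that point no longer sees "foo"; with the copy, the caller's cleanup does not reach the async invocation.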

