[jboss-jira] [JBoss JIRA] (WFLY-2847) Caller's security identity doesn't get propagated by default

Matus Abaffy (JIRA) issues at jboss.org
Thu Jan 30 11:37:28 EST 2014


Matus Abaffy created WFLY-2847:
----------------------------------

             Summary: Caller's security identity doesn't get propagated by default
                 Key: WFLY-2847
                 URL: https://issues.jboss.org/browse/WFLY-2847
             Project: WildFly
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: EJB, Security
    Affects Versions: 8.0.0.CR1
            Reporter: Matus Abaffy
            Assignee: David Lloyd


3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security annotations), which calls @RolesAllowed("printer") Toner. The last invocation results in
{{javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner is not allowed}}

Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed bean, it works just fine too.

According to EJB spec, 12 Security management, 12.1 Overview:
bq. "By default, the caller principal will be propagated as the caller identity. The Bean Provider can use the RunAs annotation to specify that a security principal that has been assigned to a specified security role be used instead. See Section 12.3.4."
12.3.4 Specification of Security Identities in the Deployment Descriptor:
bq. "The Bean Provider or Application Assembler typically specifies whether the caller’s security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used. By default the caller’s security identity is used."
etc.
{code}
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

// Session bean type is not shown in the report; @Stateless assumed so the bean deploys.
@Stateless
@RunAs("printer")   // outbound calls from this bean should carry the "printer" role
@PermitAll
public class Printer {
    @EJB
    HelperBean hb;

    public void invokeHelperBean() {
        hb.invokeToner();
    }
}
{code}
{code}
import javax.ejb.EJB;
import javax.ejb.Stateful;

// No security annotations: per the spec the caller identity (Printer's run-as) should pass through unchanged.
@Stateful
public class HelperBean {
    @EJB
    Toner toner;

    public void invokeToner() {
        toner.spill();   // fails with EJBAccessException (JBAS014502) on 8.0.0.CR1
    }
}
{code}
{code}
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("printer")
public class Toner {
    public void spill() {}
}
{code}
A slightly more sophisticated test is available at: https://github.com/bafco/wildfly/commits/securityContext
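An added diagnostic variant of the same chain (not part of the report or the linked test branch; class names ProbePrinter, ProbeHelper, ProbeToner and the probe methods are hypothetical): each hop records what the container reports via SessionContext, so the point where the run-as identity is dropped can be read off the returned string. The three beans are shown together but belong in separate source files of one package.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@RunAs("printer")
@PermitAll
public class ProbePrinter {
    @Resource SessionContext ctx;
    @EJB ProbeHelper helper;

    public String probeChain() {
        // Inside Printer the caller is still the external principal; @RunAs only affects outbound calls.
        return "Printer sees " + describe(ctx) + " -> " + helper.probe();
    }

    // Hypothetical helper: caller principal name plus whether the container puts it in role "printer".
    static String describe(SessionContext ctx) {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? "<null>" : p.getName();
        return name + " (in role printer: " + ctx.isCallerInRole("printer") + ")";
    }
}

@Stateless
public class ProbeHelper {
    @Resource SessionContext ctx;
    @EJB ProbeToner toner;

    public String probe() {
        // Per EJB 12.1 this hop should see Printer's run-as identity, i.e. a caller in role "printer".
        String here = "Helper sees " + ProbePrinter.describe(ctx);
        try {
            return here + " -> " + toner.probe();
        } catch (EJBAccessException e) {
            // The failure mode from the report: the run-as identity did not survive the Helper hop.
            return here + " -> Toner rejected: " + e.getMessage();
        }
    }
}

@Stateless
@RolesAllowed("printer")
public class ProbeToner {
    @Resource SessionContext ctx;
    public String probe() { return "Toner sees " + ProbePrinter.describe(ctx); }
}
```

Calling probeChain() from a client with any permitted principal shows "in role printer: true" at the Helper hop when propagation works as the spec describes, and the rejection message otherwise.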
