[jboss-jira] [JBoss JIRA] (WFLY-2847) Caller's security identity doesn't get propagated by default

Matus Abaffy (JIRA) issues at jboss.org
Fri Jan 31 08:49:28 EST 2014


     [ https://issues.jboss.org/browse/WFLY-2847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matus Abaffy updated WFLY-2847:
-------------------------------

    Description: 
3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security annotations), which calls @RolesAllowed("printer") Toner. The last invocation results in
{{javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner is not allowed}}

Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed bean, it works just fine too.

According to EJB spec, 12 Security management, 12.1 Overview:
bq. "By default, the caller principal will be propagated as the caller identity. The Bean Provider can use the RunAs annotation to specify that a security principal that has been assigned to a specified security role be used instead. See Section 12.3.4."
12.3.4 Specification of Security Identities in the Deployment Descriptor:
bq. "The Bean Provider or Application Assembler typically specifies whether the caller’s security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used. By default the caller’s security identity is used."
etc.
{code}
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

// Entry point: any caller may invoke it, but its methods execute under the "printer" run-as role.
@Stateless
@RunAs("printer")
@PermitAll
public class Printer {
    @EJB
    HelperBean hb;

    public void invokeHelperBean() {
        hb.invokeToner();
    }
}
{code}
{code}
import javax.ejb.EJB;
import javax.ejb.Stateful;

// No security annotations: per the spec default it should run with the caller's identity,
// i.e. Printer's run-as identity when invoked from Printer.
@Stateful
public class HelperBean {
    @EJB
    Toner toner;

    public void invokeToner() {
        toner.spill();
    }
}
{code}
{code}
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Protected target: only callers in role "printer" may invoke spill().
@Stateless
@RolesAllowed("printer")
public class Toner {
    public void spill() {}
}
{code}
A somewhat more sophisticated test is available at: https://github.com/bafco/wildfly/commits/securityContext

  was:
3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security annotations), which calls @RolesAllowed("printer") Toner. The last invocation results in
{{javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner is not allowed}}

Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed bean, it works just fine too.

According to EJB spec, 12 Security management, 12.1 Overview:
bq. "By default, the caller principal will be propagated as the caller identity. The Bean Provider can use the RunAs annotation to specify that a security principal that has been assigned to a specified security role be used instead. See Section 12.3.4."
12.3.4 Specification of Security Identities in the Deployment Descriptor:
bq. "The Bean Provider or Application Assembler typically specifies whether the caller’s security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used. By default the caller’s security identity is used."
etc.
{code}
@RunAs("printer")
@PermitAll
public class Printer {
    @EJB
    HelperBean hb;

    public void invokeHelperBean() {
        hb.invokeToner();
    }
}
{code}
{code}
@Stateful
public class HelperBean {
    @EJB
    Toner toner;

    public void invokeToner() {
        toner.spill();
    }
}
{code}
{code}
@Stateless
@RolesAllowed("printer")
public class Toner {
    public void spill() {}
}
{code}
A somewhat more sophisticated test is available at: https://github.com/bafco/wildfly/commits/securityContext


    
> Caller's security identity doesn't get propagated by default
> ------------------------------------------------------------
>
>                 Key: WFLY-2847
>                 URL: https://issues.jboss.org/browse/WFLY-2847
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: EJB, Security
>    Affects Versions: 8.0.0.CR1
>            Reporter: Matus Abaffy
>            Assignee: David Lloyd
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
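The check a practitioner would want for this report is an in-container test that pins down the behaviour the EJB spec (12.1, 12.3.4) requires, so that a fix can be verified and the failure localised. The following Arquillian/JUnit test is an added example, not part of the report, of the reporter's linked branch, or of the WildFly test suite. It assumes the three beans quoted above live in a package named org.example.runas and that an Arquillian container adapter for WildFly is configured; the archive name is an arbitrary choice.

```java
// Added example: an Arquillian in-container test encoding the behaviour the report
// expects from EJB spec 12.1 / 12.3.4. It is not part of the report or of WildFly.
// Assumptions: the Printer, HelperBean and Toner beans quoted in the report are on the
// classpath in package org.example.runas (assumed name); the archive name is arbitrary.
package org.example.runas;

import static org.junit.Assert.fail;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;

import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(Arquillian.class)
public class RunAsPropagationTest {

    @Deployment
    public static JavaArchive deployment() {
        // Deploy only the three beans under test plus this test class.
        return ShrinkWrap.create(JavaArchive.class, "runas-propagation.jar")
                .addClasses(Printer.class, HelperBean.class, Toner.class,
                            RunAsPropagationTest.class);
    }

    @EJB
    Printer printer;

    @EJB
    Toner toner;

    // Baseline: the test method itself runs unauthenticated, so a direct call to the
    // @RolesAllowed("printer") bean must be rejected. If this test passes but the next
    // one fails, the problem is identity propagation, not the role check on Toner.
    @Test
    public void anonymousCallerIsRejected() {
        try {
            toner.spill();
            fail("expected EJBAccessException for an unauthenticated caller");
        } catch (EJBAccessException expected) {
            // correct: the caller holds no "printer" role
        }
    }

    // The report's failing path: @RunAs("printer") Printer -> unannotated HelperBean -> Toner.
    // By the spec default, HelperBean runs with its caller's identity, i.e. Printer's run-as
    // identity "printer", so Toner.spill() must be allowed. Per the report this throws
    // JBAS014502 on 8.0.0.CR1, so this test fails until the bug is fixed.
    @Test
    public void runAsIdentityPropagatesThroughUnannotatedBean() {
        printer.invokeHelperBean();
    }
}
```

The two tests are deliberately kept apart: the first proves the container does enforce the role on Toner for a caller without it, so a failure of the second can only be attributed to the run-as identity being dropped on the hop through HelperBean, which is exactly what the report describes.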
