[jboss-jira] [JBoss JIRA] (WFLY-140) switching users between ejb calls does not work when the call originates from a remote client

RH Bugzilla Integration (JIRA) issues at jboss.org
Wed Oct 29 06:18:36 EDT 2014


     [ https://issues.jboss.org/browse/WFLY-140?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

RH Bugzilla Integration updated WFLY-140:
-----------------------------------------
        Bugzilla Update: Perform
    Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=921217


> switching users between ejb calls does not work when the call originates from a remote client
> ---------------------------------------------------------------------------------------------
>
>                 Key: WFLY-140
>                 URL: https://issues.jboss.org/browse/WFLY-140
>             Project: WildFly
>          Issue Type: Bug
>          Components: EJB
>            Reporter: Derek Horton
>            Assignee: Darran Lofthouse
>             Fix For: 8.0.0.Alpha1
>
>
> Description of problem:
> Switching users between ejb calls does not work when the call originates 
> from a remote client.  In this case, both ejbs are on the same JBoss instance.
> The use case looks like the following:
>   remote standalone client  --->  unsecured ejb3 (switch user here) -> secured ejb3
> I tried to use both approaches outlined in Q10/A10 of the JBoss
> Security FAQ [1] in order to establish a security context in
> the unsecured ejb that should be used to invoke the secured ejb.
> Neither approach worked in my testing.
> When the same unsecured ejb is called from a web application (secured
> or unsecured), then the user switching works correctly.
> The ejb security code appears to work differently based on the client
> type (standalone remote ejb client vs a web application).
> I believe this is happening because the
> org.jboss.as.security.service.SimpleSecurityManager.push method (called
> by the SecurityContextInterceptor) is checking for an existing
> RemotingContext and grabbing the security context from there even
> though the security context that should be used appears to be getting
> propagated correctly.
> The following area of the code appears to be causing the issue.  This
> section of code is executed which causes the newly established security
> context to be ignored:
>             if (RemotingContext.isSet()) {
>                 // In this case the principal and credential will not have been set to set some random values.
>                 SecurityContextUtil util = current.getUtil();
> Steps to Reproduce:
> Create a test application that looks like the following:
>  remote client --->  unsecured ejb3 (switch user here) -> secured ejb3
> Actual results:
> If the unsecured ejb is invoked from a remote client, the user switching that takes place in the first ejb is ignored.  Replace the remote standalone client with a web application and the user switching works.
> Expected results:
> User switching should work if the client is a standalone remote client or a web application.
> Additional info:



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
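The call chain from the report, remote client -> unsecured EJB (switch user) -> secured EJB, as a minimal check a deployer can run to see whether a given server shows the reported behaviour. This is an added example, not code from the report or from WildFly; the bean and view names, the deployment name in the JNDI lookup, and the use of the PicketBox `SecurityContextAssociation` / `createSubjectInfo` call as the programmatic switch are all assumptions (the report only says it used the FAQ Q10/A10 approaches).

```java
import java.util.Properties;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SimplePrincipal;

// Each type below goes in its own source file when deployed; shown together here.
// Remote views (names are assumptions; the report does not name its beans).
@Remote interface Unsecured { String callerSeenDownstream(); }
@Remote interface Secured { String whoAmI(); }

// The "secured ejb3": only "admin" may call it, and it reports the caller
// identity the container attached to the invocation.
@Stateless @RolesAllowed("admin")
class SecuredBean implements Secured {
    @Resource private SessionContext ctx;
    public String whoAmI() { return ctx.getCallerPrincipal().getName(); }
}

// The "unsecured ejb3 (switch user here)" hop.
@Stateless @PermitAll
class UnsecuredBean implements Unsecured {
    @EJB private Secured secured;
    public String callerSeenDownstream() {
        // Programmatic identity switch on the current PicketBox security context
        // (assumed API, standing in for the FAQ approach the report tried).
        SecurityContext sc = SecurityContextAssociation.getSecurityContext();
        sc.getUtil().createSubjectInfo(new SimplePrincipal("admin"), "admin-password", null);
        return secured.whoAmI();
    }
}

// Standalone remote client: the case the report says fails.
public class RemoteCheck {
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        Unsecured bean = (Unsecured) new InitialContext(p)
            .lookup("ejb:/repro-app//UnsecuredBean!Unsecured"); // assumed deployment name
        String seen = bean.callerSeenDownstream();
        // Affected server: the secured bean sees the remoting connection's user
        // (or rejects the call) instead of "admin"; a servlet making the same call is unaffected.
        System.out.println(("admin".equals(seen) ? "OK" : "AFFECTED") + ": " + seen);
    }
}
```

Run the same `callerSeenDownstream()` call from a servlet in the deployment to reproduce the report's control case, where the switch is honoured.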