[jboss-jira] [JBoss JIRA] (WFLY-5063) Confusing authorization behavior in undertow/ejb3
Brian Stansberry (JIRA)
issues at jboss.org
Wed Nov 4 22:20:00 EST 2015
[ https://issues.jboss.org/browse/WFLY-5063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Stansberry updated WFLY-5063:
-----------------------------------
Component/s: EJB, Security, Web (Undertow)
> Confusing authorization behavior in undertow/ejb3
> -------------------------------------------------
>
> Key: WFLY-5063
> URL: https://issues.jboss.org/browse/WFLY-5063
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security, Web (Undertow)
> Reporter: Michał Zegan
> Assignee: Jason Greene
>
> I believe that the behavior of web and ejb authorization is confusing, and at the same time it is undocumented.
> Here it is:
> 1. There are authorization settings in security domains that specify policy modules to use.
> 2. In case of web authorization with undertow, security domains are not used by default unless this is enabled in jboss-web.xml, but even though this is the case, if you change a default module to jacc, undertow switches to jacc authorization even though it normally does not use security domains.
> 3. If jboss authorization is enabled in jboss-web.xml, then the default authorization module does nothing but you still get normal authz behavior as per servlet spec... But if you set the authorization policy to jacc, I believe it would cause jacc checks to be performed twice in case of successful auth, once because of security domain settings, once inside undertow...
> 4. At the same time EJB container uses authorization modules in security domains as the only authorization mechanism and in this case the default module really implements authorization decisions.
> 5. And, as the last point, in addition to the possibility of using the jacc module or xacml module to authorize ejbs (and servlets), you can probably do the same by changing a delegate in the default delegating authz module.
> It is possible I forgot something or that I am wrong, but... That seems extremely complex to actually understand, and some things here seem to be redundant.
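To make the interaction described in the report concrete, the two settings involved are shown below as an added illustration that is not part of the issue or of WildFly's own documentation: a jboss-web.xml that opts a deployment into security-domain authorization, and a legacy security-subsystem domain whose authorization policy module can be switched from the default Delegating module to JACC. Element names follow the WildFly 9-era jboss-web and security-subsystem schemas; the domain name "app-domain" is a constructed placeholder.

```xml
<!-- WEB-INF/jboss-web.xml (illustrative, not from the issue) -->
<jboss-web>
  <security-domain>app-domain</security-domain>
  <!-- Item 2 of the report: Undertow does not consult the security
       domain's authorization modules by default. Item 3: setting this
       to true makes it do so, in addition to its own servlet-spec
       checks, so a JACC policy module can be evaluated twice. -->
  <use-jboss-authorization>true</use-jboss-authorization>
</jboss-web>

<!-- standalone.xml, legacy security subsystem (illustrative) -->
<security-domain name="app-domain">
  <authentication>
    <login-module code="UsersRoles" flag="required"/>
  </authentication>
  <authorization>
    <!-- Item 4: for the EJB container this policy module is the only
         authorization mechanism. Item 2: replacing code="Delegating"
         with code="JACC" also switches Undertow to JACC checks, even
         for deployments that never enabled use-jboss-authorization. -->
    <policy-module code="Delegating" flag="required"/>
  </authorization>
</security-domain>
```

When reviewing a deployment, check both files together: the effective authorization path depends on the combination, not on either setting alone.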
--
This message was sent by Atlassian JIRA (v6.4.11#64026)