[jboss-jira] [JBoss JIRA] (WFLY-6004) JAASCallbackHandler resets SecurityContext after authentication to it's pre-authentication value
Ian MacIntyre (JIRA)
issues at jboss.org
Fri Jan 15 07:03:00 EST 2016
Ian MacIntyre created WFLY-6004:
-----------------------------------
Summary: JAASCallbackHandler resets SecurityContext after authentication to it's pre-authentication value
Key: WFLY-6004
URL: https://issues.jboss.org/browse/WFLY-6004
Project: WildFly
Issue Type: Bug
Affects Versions: 10.0.0.CR5, 9.0.2.Final
Reporter: Ian MacIntyre
Assignee: Jason Greene
We are using remote EJB calls and are finding role information being lost.
I have traced this to our use of JAAS authentication for the ApplicationRealm security realm
Within the handle() method of JaasCallbackHander it stores the current Security context at that point (via securityManager.push())
It then calls securityManager.authenticate() which results in login modules being called. We use the ClientLoginModule which stores information on the SecurityContext via SecurityAssociationActions.setPrincipalInfo
After authentication the JaasCallbackHandler calls securityManager.pop() which resets the SecurityContext back its state before authentication - thus losing the context set in the ClientLoginModule.
This only occurs via a remote ejb call, not via a call made from the web tier (as it does not use JaasLoginHandler)
Ideally I'd like some way to stop the JaasCallbackHandler reseting the SecurityContext (even if it was incredibly simple by checking for an attribute on the current security context)
The same operations work in EAP 6.3 / JBoss 7.2
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list