[jboss-jira] [JBoss JIRA] (WFLY-6004) JAASCallbackHandler resets SecurityContext after authentication to its pre-authentication value

Darran Lofthouse (JIRA) issues at jboss.org
Fri Jan 15 07:26:00 EST 2016


     [ https://issues.jboss.org/browse/WFLY-6004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse resolved WFLY-6004.
------------------------------------
    Resolution: Rejected


The ClientLoginModule must never ever be used in this way - quite simply if there are ever bean to bean calls involving run as identities this login module risks getting the stack out of sync and effectively leaving requests running with random roles.

> JAASCallbackHandler resets SecurityContext after authentication to its pre-authentication value
> -----------------------------------------------------------------------------------------------
>
>                 Key: WFLY-6004
>                 URL: https://issues.jboss.org/browse/WFLY-6004
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 9.0.2.Final, 10.0.0.CR5
>            Reporter: Ian MacIntyre
>            Assignee: Darran Lofthouse
>              Labels: remote-ejb-connection, roles
>
> We are using remote EJB calls and are finding role information being lost.
> I have traced this to our use of JAAS authentication for the ApplicationRealm security realm
> Within the handle() method of JaasCallbackHandler it stores the current SecurityContext at that point (via securityManager.push()).
> It then calls securityManager.authenticate() which results in login modules being called.  We use the ClientLoginModule which stores information on the SecurityContext via SecurityAssociationActions.setPrincipalInfo.
> After authentication the JaasCallbackHandler calls securityManager.pop() which resets the SecurityContext back to its state before authentication - thus losing the context set in the ClientLoginModule.
> This only occurs via a remote EJB call, not via a call made from the web tier (as it does not use JaasLoginHandler).
> Ideally I'd like some way to stop the JaasCallbackHandler resetting the SecurityContext (even if it was incredibly simple by checking for an attribute on the current security context).
> The same operations work in EAP 6.3 / JBoss 7.2
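As an added illustration (not WildFly/PicketBox code and not from either participant): a simplified model of the thread-local security-context stack, showing the push/authenticate/pop sequence from the report and why a ClientLoginModule-style module that writes into whichever context is on top loses its data, plus what happens to the next request on the same thread if the pop is skipped as the reporter suggested. All class and function names are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


# Constructed model of a thread-local SecurityContext stack (not the real API).
@dataclass
class SecurityContext:
    principal: Optional[str] = None
    roles: FrozenSet[str] = frozenset()


class ContextStack:
    def __init__(self) -> None:
        self._frames: List[SecurityContext] = [SecurityContext()]  # anonymous base frame

    def current(self) -> SecurityContext:
        return self._frames[-1]

    def push(self, ctx: SecurityContext) -> None:
        self._frames.append(ctx)

    def pop(self) -> SecurityContext:
        return self._frames.pop()

    def depth(self) -> int:
        return len(self._frames)


def client_login_module(stack: ContextStack, principal: str, roles: List[str]) -> None:
    # Like setPrincipalInfo: mutates whichever context is current, pushes nothing.
    ctx = stack.current()
    ctx.principal = principal
    ctx.roles = frozenset(roles)


def handle(stack: ContextStack, principal: str, roles: List[str], pop_after: bool = True) -> SecurityContext:
    # The sequence described in the report: push, authenticate, pop.
    stack.push(SecurityContext())
    client_login_module(stack, principal, roles)  # identity lands in the pushed frame...
    if pop_after:
        stack.pop()                               # ...which is discarded here
    return stack.current()


def reported_loss():
    stack = ContextStack()
    ctx = handle(stack, "ian", ["app-user"])
    return ctx.principal, sorted(ctx.roles), stack.depth()  # (None, [], 1): roles lost


def skipped_pop_leak():
    # Skipping the pop on one thread that serves two requests: request 1's frame
    # stays behind, so request 2 finishes running with request 1's identity.
    stack = ContextStack()
    handle(stack, "ian", ["app-user"], pop_after=False)
    ctx = handle(stack, "bob", ["auditor"])
    return ctx.principal, sorted(ctx.roles), stack.depth()  # ('ian', ['app-user'], 2)
```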



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

