[jboss-jira] [JBoss JIRA] (WFLY-6004) JAASCallbackHandler resets SecurityContext after authentication to its pre-authentication value
Ian MacIntyre (JIRA)
issues at jboss.org
Fri Jan 15 07:39:00 EST 2016
[ https://issues.jboss.org/browse/WFLY-6004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149320#comment-13149320 ]
Ian MacIntyre commented on WFLY-6004:
-------------------------------------
OK, thanks for that - will need to see what our original code was trying to do and fix it.
> JAASCallbackHandler resets SecurityContext after authentication to its pre-authentication value
> ------------------------------------------------------------------------------------------------
>
> Key: WFLY-6004
> URL: https://issues.jboss.org/browse/WFLY-6004
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 9.0.2.Final, 10.0.0.CR5
> Reporter: Ian MacIntyre
> Assignee: Darran Lofthouse
> Labels: remote-ejb-connection, roles
>
> We are using remote EJB calls and are finding role information being lost.
> I have traced this to our use of JAAS authentication for the ApplicationRealm security realm
> Within the handle() method of JaasCallbackHandler it stores the current SecurityContext at that point (via securityManager.push())
> It then calls securityManager.authenticate() which results in login modules being called. We use the ClientLoginModule which stores information on the SecurityContext via SecurityAssociationActions.setPrincipalInfo
> After authentication the JaasCallbackHandler calls securityManager.pop() which resets the SecurityContext back to its state before authentication - thus losing the context set in the ClientLoginModule.
> This only occurs via a remote ejb call, not via a call made from the web tier (as it does not use JaasLoginHandler)
> Ideally I'd like some way to stop the JaasCallbackHandler resetting the SecurityContext (even if it was incredibly simple by checking for an attribute on the current security context)
> The same operations work in EAP 6.3 / JBoss 7.2
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
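The push / authenticate / pop sequence the report describes, as an added illustration that is not WildFly, PicketBox or the reporter's code. It uses a deliberately simplified, assumed model: a thread-bound context slot, a stand-in login module that writes principal and role information into the current context (the role the report says goes missing), and a security manager whose push() saves the caller's context and whose pop() restores it. The first handler reproduces the reported loss; the second shows one way to keep the context populated during authentication, which is an assumption about a possible fix, not the project's actual change. All class and method names are chosen for the example and do not correspond to the real WildFly API.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Set;

/*
 * Added illustration, not WildFly or PicketBox code. The classes below are an
 * assumed, minimal model of what the report describes: a thread-bound security
 * context, a login module that fills it in, and push/pop around authentication.
 */
public class ContextPopDemo {

    /** Stand-in for the security context: who is logged in and with which roles. */
    static final class SecurityContext {
        String principal;
        final Set<String> roles = new LinkedHashSet<>();
        SecurityContext(String principal) { this.principal = principal; }
        @Override public String toString() { return principal + roles; }
    }

    /** Stand-in for the thread-bound association: one context slot per thread. */
    static final class Association {
        private static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();
        static SecurityContext get() { return CURRENT.get(); }
        static void set(SecurityContext ctx) { CURRENT.set(ctx); }
    }

    /** Stand-in for the client login module: on success it writes principal info into the CURRENT context. */
    static boolean clientLogin(String user, char[] password) {
        // Constructed credentials for the example only.
        if (!"alice".equals(user) || !"secret".equals(String.valueOf(password))) {
            return false;
        }
        SecurityContext ctx = Association.get();
        ctx.principal = user;        // the "setPrincipalInfo" step from the report
        ctx.roles.add("Manager");    // role information that the report says is lost
        return true;
    }

    /** Stand-in for the security manager: push() saves the caller's context, pop() restores it. */
    static final class SecurityManagerModel {
        private final Deque<SecurityContext> saved = new ArrayDeque<>();
        void push(String domain) {
            saved.push(Association.get());                 // remember the pre-authentication context
            Association.set(new SecurityContext("anonymous")); // fresh context for the login modules to fill
        }
        boolean authenticate(String user, char[] password) { return clientLogin(user, password); }
        void pop() { Association.set(saved.pop()); }      // reinstall the pre-authentication context
    }

    /** The sequence as reported: push, authenticate, pop. Whatever the login module wrote is discarded by pop(). */
    static SecurityContext handleAsReported(SecurityManagerModel sm, String user, char[] pw) {
        sm.push("ApplicationRealm");
        try {
            sm.authenticate(user, pw);
        } finally {
            sm.pop();
        }
        return Association.get();
    }

    /** Same sequence, but the context populated during authentication is captured before pop() and reinstalled after it. */
    static SecurityContext handlePreservingContext(SecurityManagerModel sm, String user, char[] pw) {
        sm.push("ApplicationRealm");
        SecurityContext authenticated = null;
        try {
            if (sm.authenticate(user, pw)) {
                authenticated = Association.get();   // grab it while it is still current
            }
        } finally {
            sm.pop();
        }
        if (authenticated != null) {
            Association.set(authenticated);          // keep the login module's principal and roles
        }
        return Association.get();
    }

    public static void main(String[] args) {
        char[] pw = "secret".toCharArray();
        Association.set(new SecurityContext("anonymous"));   // what the calling thread starts with
        System.out.println("as reported : " + handleAsReported(new SecurityManagerModel(), "alice", pw));
        Association.set(new SecurityContext("anonymous"));
        System.out.println("preserved   : " + handlePreservingContext(new SecurityManagerModel(), "alice", pw));
    }
}
```

Run with `javac ContextPopDemo.java && java ContextPopDemo`. The first line shows the anonymous, role-less context that survives pop(); the second shows the principal and role set by the login module. The preserving variant is only one option; checking an attribute on the current context before popping, as the reporter suggests, would be another.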