[jboss-jira] [JBoss JIRA] (WFLY-6699) Custom principal is lost during remote ejb authentication
Vlado Pakan (JIRA)
issues at jboss.org
Fri Jun 10 10:12:00 EDT 2016
Vlado Pakan created WFLY-6699:
---------------------------------
Summary: Custom principal is lost during remote ejb authentication
Key: WFLY-6699
URL: https://issues.jboss.org/browse/WFLY-6699
Project: WildFly
Issue Type: Bug
Components: EJB, Security
Affects Versions: 10.0.0.Final
Reporter: Vlado Pakan
Assignee: Vlado Pakan
A custom principal (instead of the JBoss provided SimplePrincipal class) is used to store the authenticated username in a custom login module. The custom principal class is lost when attempting to retrieve it from the subject from within a secured EJB. The custom principal is only lost if it is used to store the username instead of using the JBoss provided SimplePrincipal class. Other instances of the custom principal class are passed along successfully if they are storing something besides the username (SSN, CustomerID, etc).
It looks like this is happening due to a change (introduced in 6.4.6) in the org.jboss.as.security.service.SimpleSecurityManager.authenticate method
@@ -445,8 +408,11 @@ public class SimpleSecurityManager implements ServerSecurityManager
{ auditPrincipal = unauthenticatedIdentity.asPrincipal(); subject.getPrincipals().add(auditPrincipal); authenticated = true; + }
else
{ + subject.getPrincipals().add(principal); }
This change was associated with bz-921217.
This only happens when the EJB is accessed from a remote standalone client. If the EJB is accessed from a secured web app (locally), then the custom principal is not lost.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list