[jboss-jira] [JBoss JIRA] (WFLY-2847) Caller's security identity doesn't get propagated by default
Darran Lofthouse (JIRA)
issues at jboss.org
Thu Nov 10 07:14:00 EST 2016
[ https://issues.jboss.org/browse/WFLY-2847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved WFLY-2847.
------------------------------------
Fix Version/s: 11.0.0.Alpha1
Assignee: Darran Lofthouse
Resolution: Out of Date
Application server security is migrating to WildFly Elytron.
> Caller's security identity doesn't get propagated by default
> ------------------------------------------------------------
>
> Key: WFLY-2847
> URL: https://issues.jboss.org/browse/WFLY-2847
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 8.0.0.CR1, 8.1.0.CR2
> Reporter: Matus Abaffy
> Assignee: Darran Lofthouse
> Fix For: 11.0.0.Alpha1
>
>
> Three session beans: @RunAs("printer") Printer, which calls HelperBean (no security annotations), which calls @RolesAllowed("printer") Toner. The last invocation results in
> {{javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner is not allowed}}
> Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed bean, it works just fine too.
> According to the EJB spec, chapter 12 Security Management, section 12.1 Overview:
> bq. "By default, the caller principal will be propagated as the caller identity. The Bean Provider can use the RunAs annotation to specify that a security principal that has been assigned to a specified security role be used instead. See Section 12.3.4."
> Section 12.3.4, Specification of Security Identities in the Deployment Descriptor:
> bq. "The Bean Provider or Application Assembler typically specifies whether the caller’s security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used. By default the caller’s security identity is used."
> etc.
> {code}
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RunAs;
> import javax.ejb.EJB;
> import javax.ejb.Stateless;
>
> // Runs every method as the "printer" role, whoever the external caller is.
> @Stateless
> @RunAs("printer")
> @PermitAll
> public class Printer {
>     @EJB
>     HelperBean hb;
>
>     public void invokeHelperBean() {
>         hb.invokeToner();
>     }
> }
> {code}
> {code}
> import javax.ejb.EJB;
> import javax.ejb.Stateful;
>
> // No security annotations: the caller identity (here Printer's run-as
> // identity) should be propagated unchanged to Toner.
> @Stateful
> public class HelperBean {
>     @EJB
>     Toner toner;
>
>     public void invokeToner() {
>         toner.spill();
>     }
> }
> {code}
> {code}
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
>
> // Only callers in the "printer" role may invoke spill().
> @Stateless
> @RolesAllowed("printer")
> public class Toner {
>     public void spill() {}
> }
> {code}
> A somewhat more sophisticated test is available at: https://github.com/bafco/wildfly/commits/securityContext
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
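The report says the direct Printer -> Toner call works while the chained call through an unannotated bean fails, but it does not show at which hop the run-as identity is lost. The following is an added example, not code from the WildFly issue, the linked branch, or the WildFly test suite: an Arquillian in-container test that replaces HelperBean with a probe bean which reports the identity it is executing under before it forwards to Toner. IdentityProbe, ProbePrinter and RunAsPropagationTest are hypothetical names; Toner is the bean from the report and is assumed to be deployed in the same package, and the "printer" role is assumed to exist in the security domain the beans use.

```java
// ===== File: IdentityProbe.java =====
// Added example (not from the WildFly issue). Stands in for HelperBean: no
// security annotations, so the run-as identity of Printer should reach it
// and pass through to Toner unchanged.
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateful;

@Stateful
public class IdentityProbe {
    @Resource
    private SessionContext ctx;
    @EJB
    private Toner toner;   // the bean from the report, assumed in this package

    // Principal this bean is executing under at the intermediate hop.
    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }

    // Whether the identity at this hop still carries the "printer" role.
    public boolean callerIsPrinter() {
        return ctx.isCallerInRole("printer");
    }

    public void invokeToner() {
        toner.spill();
    }
}

// ===== File: ProbePrinter.java =====
// Same shape as the report's Printer: everything it calls runs as "printer".
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;

@Stateless
@RunAs("printer")
@PermitAll
public class ProbePrinter {
    @EJB
    private IdentityProbe probe;
    @EJB
    private Toner toner;

    public boolean probeSeesPrinterRole() { return probe.callerIsPrinter(); }
    public String probeSeesCaller()      { return probe.callerName(); }
    public void invokeToner()            { toner.spill(); }        // direct hop
    public void invokeTonerViaProbe()    { probe.invokeToner(); }  // chained hop
}

// ===== File: RunAsPropagationTest.java =====
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;

import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.spec.JavaArchive;
import org.junit.Test;
import org.junit.runner.RunWith;

import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

@RunWith(Arquillian.class)
public class RunAsPropagationTest {

    @Deployment
    public static JavaArchive deployment() {
        // Arquillian adds the test class itself to the archive.
        return ShrinkWrap.create(JavaArchive.class, "runas-propagation.jar")
                .addClasses(Toner.class, IdentityProbe.class, ProbePrinter.class);
    }

    @EJB
    private ProbePrinter printer;

    @Test
    public void directCallIsAllowed() {
        printer.invokeToner();   // the report says this path already works
    }

    @Test
    public void runAsIdentityReachesIntermediateBean() {
        // EJB spec 12.1: the run-as identity, not the external caller, is what
        // the probe must see. A failure here means the identity was dropped on
        // the Printer -> intermediate hop, not at Toner's role check.
        assertTrue("probe saw caller '" + printer.probeSeesCaller() + "' without the printer role",
                printer.probeSeesPrinterRole());
    }

    @Test
    public void chainedCallIsAllowed() {
        try {
            printer.invokeTonerViaProbe();
        } catch (EJBAccessException e) {
            fail("run-as identity did not propagate through the intermediate bean: " + e.getMessage());
        }
    }
}
```

The test is meant to run inside a WildFly managed or remote container configured through the usual arquillian.xml, with the external caller left unauthenticated (ProbePrinter is @PermitAll, so that is sufficient). If runAsIdentityReachesIntermediateBean fails but directCallIsAllowed passes, the run-as identity is being discarded before the unannotated bean is entered; if only chainedCallIsAllowed fails, the identity survives the hop but is no longer honoured by Toner's authorization check.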