[jboss-jira] [JBoss JIRA] (WFLY-7296) (7.1.0) When JASPIC's register session is used, Subject not propagated to EJB

Bartosz Spyrko-Śmietanko (JIRA) issues at jboss.org
Wed Oct 12 08:25:00 EDT 2016 

Bartosz Spyrko-Śmietanko created WFLY-7296:
----------------------------------------------

             Summary: (7.1.0) When JASPIC's register session is used, Subject not propagated to EJB
                 Key: WFLY-7296
                 URL: https://issues.jboss.org/browse/WFLY-7296
             Project: WildFly
          Issue Type: Bug
          Components: Security
    Affects Versions: 10.0.0.Final
            Reporter: Bartosz Spyrko-Śmietanko
            Assignee: Darran Lofthouse
             Fix For: 10.1.0.CR1, 10.1.0.Final


When the JASPIC 1.1 register session ({{javax.servlet.http.registerSession}}) is used, the authenticated identity (via the Subject) is not propagated to the EJB container.

The problems seems to be with {{JASPICAuthenticationMechanism.createAccount}}. When a cached account is re-used, a {{null}} is passed for the {{Subject}} parameter in the call to {{jbossSct.getUtil().createSubjectInfo}}. This will set indeed set a {{SubjectInfo}} with subject being null.

{{EJBContext#getCallerPrincipal}} checks exactly this subject, and when seeing a null will consider the user to be unauthenticated, even when the caller is authenticated in the web layer.

See the code below:

{code:java}
   // SAM handled the same principal found in the cached account: indicates we must use the cached account.
        if (cachedAccount != null && cachedAccount.getPrincipal() == userPrincipal) {
            // populate the security context using the cached account data.
            jbossSct.getUtil().createSubjectInfo(
                userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
                null); // PROBLEMATIC NULL
            RoleGroup roleGroup = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
            for (String role : cachedAccount.getRoles())
                roleGroup.addRole(new SimpleRole(role));
            jbossSct.getUtil().setRoles(roleGroup);
            return cachedAccount;
        }
{code}

Instead of passing a {{null}}, passing the existing subject as set by the JASPIC callback handler seems to work:

{code:java}
jbossSct.getUtil().createSubjectInfo(
    userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
    jbossSct.getUtil().getSubject());
{code}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list