[jboss-jira] [JBoss JIRA] (WFLY-9072) @RunAs role authorization from the first invoker of @Singleton bean is propagated through the @PostConstruct method of @Singleton bean with Elytron
David Lloyd (JIRA)
issues at jboss.org
Tue Jul 11 10:13:02 EDT 2017
[ https://issues.jboss.org/browse/WFLY-9072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Lloyd moved JBEAP-12062 to WFLY-9072:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-9072 (was: JBEAP-12062)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: EJB, Security (was: EJB, Security)
Affects Version/s: (was: 7.1.0.DR19, 7.1.0.ER1)
> @RunAs role authorization from the first invoker of @Singleton bean is propagated through the @PostConstruct method of @Singleton bean with Elytron
> ---------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-9072
> URL: https://issues.jboss.org/browse/WFLY-9072
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Reporter: Michal Jurc
> Assignee: David Lloyd
> Priority: Critical
>
> Suppose an environment with a chain of three bean invocations:
> {code:java|title=Bean1.java}
> // imports added for completeness; the report listed only the class bodies
> import javax.annotation.security.RunAs;
> import javax.ejb.EJB;
> import javax.ejb.Remote;
> import javax.ejb.Stateless;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @Remote(WhoAmI.class)
> @RunAs("Admin")
> @SecurityDomain("other")
> public class Bean1 implements WhoAmI {
>     @EJB(beanName = "Bean2")
>     private WhoAmI singleton;
>
>     // First invocation of the singleton triggers its @PostConstruct under this bean's run-as identity
>     public String getCallerPrincipal() {
>         return singleton.getCallerPrincipal();
>     }
> }
> {code}
> {code:java|title=Bean2.java}
> // imports added for completeness; the report listed only the class bodies
> import javax.annotation.PostConstruct;
> import javax.ejb.EJB;
> import javax.ejb.Remote;
> import javax.ejb.Singleton;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Singleton
> @Remote(WhoAmI.class)
> @SecurityDomain("other")
> public class Bean2 implements WhoAmI {
>     @EJB(beanName = "Bean3")
>     private WhoAmI bean3;
>     private String principal;
>
>     // Runs once, on first use of the singleton; the principal seen here is cached for every later caller
>     @PostConstruct
>     public void init() {
>         principal = bean3.getCallerPrincipal();
>     }
>
>     public String getCallerPrincipal() {
>         return principal;
>     }
> }
> {code}
> {code:java|title=Bean3.java}
> // imports added for completeness; the report listed only the class bodies
> import javax.annotation.Resource;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Local;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @Local(WhoAmI.class)
> @RolesAllowed("Admin")
> @SecurityDomain("other")
> public class Bean3 implements WhoAmI {
>     @Resource
>     private SessionContext ctx;
>
>     public String getCallerPrincipal() {
>         return ctx.getCallerPrincipal().getName();
>     }
> }
> {code}
> The {{@RunAs("Admin")}} is propagated from {{Bean1}} through {{Bean2.init()}} to {{Bean3}} with Elytron. The EJB 3.1 specification does not specify the security context of the {{@PostConstruct}} method for {{@Singleton}} beans; however, with this approach the {{@RunAs}} authorization of the initialization of any {{@Singleton}} bean will be determined by its first invoker with Elytron. With legacy security, the {{@RunAs}} authorization of the {{@PostConstruct}} method for {{@Singleton}} beans was undefined.
> This is covered by {{org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase#testSingletonPostconstructSecurityNotPropagating}} in WildFly Integration/Basic Test Suite module.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
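As an added illustration, not part of the report or of WildFly's own code, the following variant of the report's {{Bean2}} shows the defensive shape that removes the dependency the issue describes: no security-dependent work in {{@PostConstruct}}, eager creation with {{@Startup}} so initialization runs at deployment rather than inside the first client's invocation, and per-call delegation so the {{@RolesAllowed("Admin")}} check in {{Bean3}} is evaluated against the current caller instead of whoever happened to touch the singleton first. {{WhoAmI}} is assumed to be the report's interface with a {{getCallerPrincipal()}} method; {{Bean2Hardened}} is a hypothetical class name.

```java
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import org.jboss.ejb3.annotation.SecurityDomain;

// Assumption: WhoAmI is the interface from the report, declaring String getCallerPrincipal().
@Singleton
@Startup                       // created at deployment, outside any client invocation
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2Hardened implements WhoAmI {

    @EJB(beanName = "Bean3")
    private WhoAmI bean3;

    @PostConstruct
    public void init() {
        // Deliberately free of security-dependent work. Because the bean is created eagerly at
        // deployment, there is no invoking client whose @RunAs role could be inherited here, and
        // nothing computed under an arbitrary caller's identity is cached for later callers.
    }

    // Delegate on every call: Bean3's @RolesAllowed("Admin") check and the principal it returns
    // are evaluated in the context of the current caller, never taken from the first invoker.
    @Override
    public String getCallerPrincipal() {
        return bean3.getCallerPrincipal();
    }
}
```

The design point is independent of which security subsystem (legacy or Elytron) is active: a {{@Singleton}} that stores the result of an authorization-sensitive call in instance state turns a per-caller decision into a process-wide one, so the fix is to keep such calls out of {{@PostConstruct}} and out of cached fields rather than to rely on any particular propagation behaviour.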