[jboss-jira] [JBoss JIRA] (WFLY-9072) @RunAs role authorization from the first invoker of @Singleton bean is propagated through the @PostConstruct method of @Singleton bean with Elytron
Bartosz Baranowski (JIRA)
issues at jboss.org
Tue Jan 16 06:41:00 EST 2018
[ https://issues.jboss.org/browse/WFLY-9072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bartosz Baranowski resolved WFLY-9072.
--------------------------------------
Resolution: Out of Date
Fixed, it seems; the same indication has been made by the reporter in downstream. The mentioned test case runs and passes.
> @RunAs role authorization from the first invoker of @Singleton bean is propagated through the @PostConstruct method of @Singleton bean with Elytron
> ---------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-9072
> URL: https://issues.jboss.org/browse/WFLY-9072
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Reporter: Michal Jurc
> Assignee: Bartosz Baranowski
> Priority: Critical
>
> Suppose an environment with a chain of three bean invocations:
> {code:java|title=Bean1.java}
> import javax.annotation.security.RunAs;
> import javax.ejb.EJB;
> import javax.ejb.Remote;
> import javax.ejb.Stateless;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @Remote(WhoAmI.class)
> @RunAs("Admin")
> @SecurityDomain("other")
> public class Bean1 implements WhoAmI {
>     @EJB(beanName = "Bean2")
>     private WhoAmI singleton;
>
>     public String getCallerPrincipal() {
>         return singleton.getCallerPrincipal();
>     }
> }
> {code}
> {code:java|title=Bean2.java}
> import javax.annotation.PostConstruct;
> import javax.ejb.EJB;
> import javax.ejb.Remote;
> import javax.ejb.Singleton;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Singleton
> @Remote(WhoAmI.class)
> @SecurityDomain("other")
> public class Bean2 implements WhoAmI {
>     @EJB(beanName = "Bean3")
>     private WhoAmI bean3;
>
>     private String principal;
>
>     @PostConstruct
>     public void init() {
>         principal = bean3.getCallerPrincipal();
>     }
>
>     public String getCallerPrincipal() {
>         return principal;
>     }
> }
> {code}
> {code:java|title=Bean3.java}
> import javax.annotation.Resource;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Local;
> import javax.ejb.SessionContext;
> import javax.ejb.Stateless;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @Local(WhoAmI.class)
> @RolesAllowed("Admin")
> @SecurityDomain("other")
> public class Bean3 implements WhoAmI {
>     @Resource
>     private SessionContext ctx;
>
>     public String getCallerPrincipal() {
>         return ctx.getCallerPrincipal().getName();
>     }
> }
> {code}
> The {{@RunAs("Admin")}} is propagated from {{Bean1}} through {{Bean2.init()}} to {{Bean3}} with Elytron. The EJB 3.1 specification does not specify the security context of the {{@PostConstruct}} method for {{@Singleton}} beans; however, with this approach the {{@RunAs}} authorization of the initialization of any {{@Singleton}} bean will be determined by its first invoker with Elytron. With legacy security, the {{@RunAs}} authorization of the {{@PostConstruct}} method for {{@Singleton}} beans was undefined.
> This is covered by {{org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase#testSingletonPostconstructSecurityNotPropagating}} in the WildFly Integration/Basic Test Suite module.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
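A hardened variant of Bean2, added here as an illustration and not taken from the issue or the WildFly test suite: the authorization-sensitive call to Bean3 is moved out of @PostConstruct, so Bean3's @RolesAllowed("Admin") is evaluated against the actual caller of each business-method invocation rather than against whichever caller first triggered singleton creation. The @Startup annotation, the org.jboss.ejb3.annotation.SecurityDomain import and the statement that eager startup initialization runs outside any client's security context are assumptions.

```java
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import org.jboss.ejb3.annotation.SecurityDomain;

// Hardened Bean2 (added example). The original Bean2 cached the result of a
// @RolesAllowed-protected call inside @PostConstruct; with Elytron that call
// ran under the @RunAs identity of whichever invoker happened to create the
// singleton, so the cached value depended on that first caller.
@Singleton
@Startup // Assumption: eager creation at deployment, before any client call,
         // so no client's (or @RunAs) identity can reach the lifecycle callback.
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2 implements WhoAmI {

    @EJB(beanName = "Bean3")
    private WhoAmI bean3;

    @PostConstruct
    public void init() {
        // Only caller-independent setup belongs here. Nothing that is
        // protected by @RolesAllowed, @RunAs or any other caller-derived
        // authorization decision is invoked from the lifecycle callback.
    }

    public String getCallerPrincipal() {
        // Authorization is evaluated per invocation: Bean3's
        // @RolesAllowed("Admin") is checked against the identity of the
        // caller of this method, not a principal captured at construction.
        return bean3.getCallerPrincipal();
    }
}
```

Exercised through the same Bean1 -> Bean2 -> Bean3 chain, a caller without the Admin role (or without passing through Bean1's @RunAs) is now rejected at Bean3 on its own invocation, instead of being served a principal that the first invoker's authorization had established.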