[jboss-jira] [JBoss JIRA] (WFLY-12794) Elytron/JACC: Inconsistent EjbMethodPermissions
Farah Juma (Jira)
issues at jboss.org
Tue Dec 17 15:50:35 EST 2019
[ https://issues.redhat.com/browse/WFLY-12794?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936592#comment-13936592 ]
Farah Juma commented on WFLY-12794:
-----------------------------------
{{JaccInterceptor}} creates {{EJBMethodPermission}} instances as follows:
https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java#L111
Since no method params are provided above, when {{EJBMethodPermission#setMethodSpec}} gets called by the {{EJBMethodPermission}} constructor, it determines the method params and canonicalizes any array parameters.
{{EjbJaccConfigurator}} creates {{EJBMethodPermission}} instances as follows:
https://github.com/wildfly/wildfly/blob/master/ejb3/src/main/java/org/jboss/as/ejb3/security/EjbJaccConfigurator.java#L180
Notice that method params are provided above via {{methodIdentifier.getParameterTypes()}}. However, this is not correct since these params are not in the canonical form, as required by the {{EJBMethodPermission}} constructor.
{{EjbJaccConfigurator}} should create {{EJBMethodPermission}} instances the same way {{JaccInterceptor}} does to ensure that we canonicalize any array parameters.
The following PR fixes this:
https://github.com/wildfly/wildfly/pull/12855
> Elytron/JACC: Inconsistent EjbMethodPermissions
> -----------------------------------------------
>
> Key: WFLY-12794
> URL: https://issues.redhat.com/browse/WFLY-12794
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 18.0.0.Final
> Reporter: Ulf Brosziewski
> Assignee: Farah Juma
> Priority: Critical
> Attachments: quickstart-ejb-sec.diff
>
>
> When JACC is enabled in an elytron application domain, calling a secured ejb method that has an array parameter causes an EjbAccessException.
> The reason for the failure is that the EjbMethodPermissions created by the EjbJaccConfigurator and the JaccInterceptor do not agree in the format of the type names for method parameters. According to the JACC specification and API documentation, names for array types should have the "canonical" form: component-type + "[]". The permission objects built by the JaccInterceptor conform to that, but the EjbJaccConfigurator builds them with type names obtained from a "MethodIdentifier", and these names have the internal format as returned by Class.getName().
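The mismatch described in the comment above and in the quoted issue text can be modelled in a few lines. The following is an added example, not WildFly code and not the JACC API: it reproduces how the `EJBMethodPermission` actions string is assembled from method name, interface and parameter types, and shows that type names in `Class.getName()` format (as obtained from a `MethodIdentifier`) never match the canonical `component-type[]` names the interceptor ends up with. The bean method `store`, the interface name `Remote` and the parameter lists are constructed sample values.

```python
"""Added example: why the configurator's and the interceptor's
EJBMethodPermission specs disagree for array parameters.  This models how the
actions string is assembled; it is not the JACC API itself."""

# Descriptor letters used by Class.getName() for primitive array components.
_PRIMITIVES = {
    "Z": "boolean", "B": "byte", "C": "char", "S": "short",
    "I": "int", "J": "long", "F": "float", "D": "double",
}


def canonical_type_name(name: str) -> str:
    """Turn a Class.getName()-style type name into the canonical form the JACC
    spec requires: component type followed by one "[]" per array dimension.
    "[Ljava.lang.String;" -> "java.lang.String[]", "[[I" -> "int[][]".
    Names that are not in JVM array format are returned unchanged, so the
    function is idempotent on names that are already canonical."""
    if not name.startswith("["):
        return name
    dims = len(name) - len(name.lstrip("["))
    element = name[dims:]
    if element in _PRIMITIVES:
        component = _PRIMITIVES[element]
    elif element.startswith("L") and element.endswith(";"):
        component = element[1:-1]
    else:
        raise ValueError(f"not a JVM array type name: {name!r}")
    return component + "[]" * dims


def method_spec(method_name: str, method_interface: str, params) -> str:
    """Assemble the actions string of an EJBMethodPermission the way the
    String[] constructor does: "methodName,methodInterface,param1,param2,...".
    Nothing here canonicalizes, which is why callers must pass canonical names."""
    return ",".join([method_name, method_interface, *params])


def configurator_spec(method_name, method_interface, identifier_param_types):
    """Mirrors EjbJaccConfigurator before the fix: parameter types are taken
    verbatim from the MethodIdentifier, i.e. in Class.getName() format."""
    return method_spec(method_name, method_interface, identifier_param_types)


def interceptor_spec(method_name, method_interface, identifier_param_types):
    """Mirrors JaccInterceptor: the permission is derived from the Method
    itself, so array parameters end up in canonical form."""
    canonical = [canonical_type_name(t) for t in identifier_param_types]
    return method_spec(method_name, method_interface, canonical)


def specs_agree(method_name, method_interface, identifier_param_types) -> bool:
    """True when both construction paths yield the same actions string, i.e.
    when the permission granted at deployment would match the one checked at
    call time."""
    return (configurator_spec(method_name, method_interface, identifier_param_types)
            == interceptor_spec(method_name, method_interface, identifier_param_types))


if __name__ == "__main__":
    # Constructed sample: a secured bean method taking String[] and int[][].
    params = ["[Ljava.lang.String;", "[[I"]
    print("configurator:", configurator_spec("store", "Remote", params))
    print("interceptor: ", interceptor_spec("store", "Remote", params))
    print("agree before fix:", specs_agree("store", "Remote", params))
    # The fix makes the configurator canonicalize as well.
    fixed = [canonical_type_name(p) for p in params]
    print("agree after fix: ", specs_agree("store", "Remote", fixed))
```

Running the script prints a spec containing `[Ljava.lang.String;,[[I` for the configurator path and `java.lang.String[],int[][]` for the interceptor path, so the two permissions do not agree; once the configurator's parameter names are canonicalized the strings are identical, which is the behaviour the linked pull request restores.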
--
This message was sent by Atlassian Jira
(v7.13.8#713008)