[jboss-jira] [JBoss JIRA] (WFLY-11604) Non-anonymous principal is not propagated from EJB context to CDI bean

Farah Juma (Jira) issues at jboss.org
Tue Feb 19 17:31:00 EST 2019 

    [ https://issues.jboss.org/browse/WFLY-11604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13697869#comment-13697869 ] 

Farah Juma commented on WFLY-11604:
-----------------------------------

{quote}
This does however leave the question once WildFly Elytron is activated regarding why the EJBContext does not report the run as principal when the call reaches the second bean, I suspect this may have been a decision during implementation as these run as scenarios were discussed quite heavily but it is purely an EJB container issue and not a CDI issue.
{quote}

For JBEAP-9744, we updated {{EJBContext.getCallerPrincipal()}} so that when called from an unsecured bean, an anonymous principal is returned. This was done to match PicketBox behaviour for the Remoting -> EJB case.

For the EJB -> EJB case here with Elytron enabled (i.e., {{CallerWithIdentity -> BeanWithPrincipalFromEJBContext}}), notice that {{BeanWithPrincipalFromEJBContext}} is an unsecured bean. So when {{EJBContext.getCallerPrincipal}} is called, the 'anonymous' principal is currently being returned. However, if any security metadata is added to this bean, then the 'non-anonymous' principal will be returned. Since the 'non-anonymous' principal is returned for the legacy case, I think we should get an issue created to see if there is a way to fix this for the Elytron case without breaking the fix for JBEAP-9744.

> Non-anonymous principal is not propagated from EJB context to CDI bean
> ----------------------------------------------------------------------
>
>                 Key: WFLY-11604
>                 URL: https://issues.jboss.org/browse/WFLY-11604
>             Project: WildFly
>          Issue Type: Bug
>          Components: CDI / Weld, Security
>    Affects Versions: 14.0.1.Final, 15.0.1.Final
>            Reporter: Nikoleta Žiaková
>            Assignee: Darran Lofthouse
>            Priority: Critical
>
> This is a follow-up on WFLY-11587 which only dealt with being able to inject the principal. 
> However, during testing I have tried a scenario when the caller principal was not anonymous (run-as-principal setting in jboss-ejb3.xml). See the test case in this [commit|https://github.com/nziakova/wildfly/commit/9ae586ad0159e6399f65103e049b06ccd8356135].
> The principal is not propagated from the EJB context. The result is that injected principal in the CDI bean is always anonymous, although {{ctx.getCallerPrincipal()}} in the EJB returns correct principal.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the jboss-jira mailing list