[jboss-jira] [JBoss JIRA] (WFLY-12301) CallerPrincipal will be anonymous (randomly) if EJB2 is called

Cheng Fang (Jira) issues at jboss.org
Fri Jul 19 05:40:01 EDT 2019


    [ https://issues.jboss.org/browse/WFLY-12301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13761052#comment-13761052 ] 

Cheng Fang commented on WFLY-12301:
-----------------------------------

By following the steps and running the test.sh script included in the reproducer, I was able to reproduce it with the recent WildFly build.  If I replace jboss-ejb-client in the reproducer with 4.0.21.Final (the current latest), the test still fails, but it takes more rounds to reproduce than running with the original jboss-ejb-client (version 4.0.12.Final-redhat-00001).  Not sure if this is a significant data point.  

One of the bug fixes in 4.0.21.Final is EJBCLIENT-340 (Ensure any AuthenticationContext associated with the invocation is propagated to the transaction call.), not sure if it's related.

From the various symptoms described here (e.g., the slight difference between a running server vs. a restarted server, and passing with the default security config vs. failing with Elytron), I suspect the problem is at the server-side security context intake, rather than at the client-side propagation.  [~dlofthouse] can you take a look?

> CallerPrincipal will be anonymous (randomly) if EJB2 is called
> --------------------------------------------------------------
>
>                 Key: WFLY-12301
>                 URL: https://issues.jboss.org/browse/WFLY-12301
>             Project: WildFly
>          Issue Type: Bug
>          Components: EJB, Security
>    Affects Versions: 17.0.1.Final
>            Reporter: Wolf-Dieter Fink
>            Assignee: Cheng Fang
>            Priority: Major
>              Labels: EJB2, security
>         Attachments: reproducer.zip
>
>
> An EJB application which calls an EJB2 SLSB will fail (randomly) to show the correct user if getCallerPrincipal is used inside. Also the roles are not set.
> The EJB2 Bean is secured by ejb-jar.xml, so it is not expected that it will be called without a role
>   <assembly-descriptor>
>     <method-permission>
>       <role-name>testRole</role-name>
>       <method>
>         <ejb-name>simpleejb.server.SomeEJB2Bean</ejb-name>
>         <method-intf>Remote</method-intf>
>         <method-name>*</method-name>
>       </method>
>     </method-permission>
>   </assembly-descriptor>
> This error is constantly seen if the server is up and running, but each restart will change the behaviour randomly.
> Note that an EJB3 bean of the same EAR file will always work correctly.
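The quoted description relies on the declarative method-permission alone. The following EJB 2.x stateless session bean is an added example, not code from the reporter's reproducer.zip or from WildFly: it reads the caller identity through SessionContext and fails closed when the container hands it an anonymous principal or the expected role is missing, which turns the random loss of the security context described above into an immediate, logged failure instead of a silently wrong answer. The class name SomeEJB2Bean is assumed to match the ejb-name in the quoted ejb-jar.xml, and ANONYMOUS_NAME is an assumption about the name the server reports for an unauthenticated caller.

```java
// Added example (not from the reproducer): an EJB 2.x SLSB that verifies the
// propagated caller identity before doing any work. Assumptions: the bean class
// is named after the ejb-name in the quoted ejb-jar.xml, and the server reports
// the anonymous identity as "anonymous" (adjust to what your server logs).
import java.security.Principal;
import java.util.logging.Logger;

import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class SomeEJB2Bean implements SessionBean {

    private static final Logger LOG = Logger.getLogger(SomeEJB2Bean.class.getName());

    // Role name taken from the quoted <method-permission>.
    private static final String REQUIRED_ROLE = "testRole";
    // Assumed name of the anonymous principal; not taken from the issue.
    private static final String ANONYMOUS_NAME = "anonymous";

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) {
        this.ctx = ctx;
    }

    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    // Business method: returns the caller name only after confirming that the
    // identity the container propagated is what the method-permission implies.
    public String whoAmI() {
        Principal caller = ctx.getCallerPrincipal();
        String name = (caller == null) ? null : caller.getName();

        // The declarative permission should already have rejected unauthenticated
        // callers, so an anonymous principal here means the security context was
        // lost between client and bean. Fail closed and leave a clear log line.
        if (name == null || ANONYMOUS_NAME.equalsIgnoreCase(name)) {
            LOG.severe("caller principal is anonymous although method requires role " + REQUIRED_ROLE);
            throw new EJBException("security context missing: anonymous caller");
        }
        // Cross-check the role the container resolved for this caller.
        if (!ctx.isCallerInRole(REQUIRED_ROLE)) {
            LOG.severe("caller " + name + " reached a method requiring role " + REQUIRED_ROLE + " without it");
            throw new EJBException("security context inconsistent: missing role " + REQUIRED_ROLE);
        }
        return name;
    }
}
```

In EJB 2.x the role name passed to isCallerInRole should also be declared with a <security-role-ref> for the bean in ejb-jar.xml; the check is a diagnostic safety net behind the method-permission, not a replacement for it.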



--
This message was sent by Atlassian Jira
(v7.12.1#712002)