[jboss-jira] [JBoss JIRA] (WFLY-11604) Non-anonymous principal is not propagated from EJB context to CDI bean

Diana Vilkolakova (Jira) issues at jboss.org
Wed Sep 4 09:47:00 EDT 2019


    [ https://issues.jboss.org/browse/WFLY-11604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13778976#comment-13778976 ] 

Diana Vilkolakova edited comment on WFLY-11604 at 9/4/19 9:46 AM:
------------------------------------------------------------------

{quote}In scenario #1 however the call does not pass to another EJB, instead it passes directly to an injected CDI bean. As this bean is directly injected it is running using the SecurityContext of the CallerWithIdentity bean so it is correct that this is returning 'anonymous' instead of 'non-anonymous'.{quote}

[~dlofthouse] [~fjuma] This holds true for legacy, but when Elytron is enabled, scenario #1 returns a non-anonymous principal. The difference is in [this method|https://github.com/wildfly/wildfly/blob/master/weld/subsystem/src/main/java/org/jboss/as/weld/services/bootstrap/WeldSecurityServices.java#L73-L85]. For Elytron the line `elytronDomain.getCurrentSecurityIdentity().getPrincipal();` returns non-anonymous, but legacy returns anonymous. So both scenarios (CallerWithIdentity->BeanWithInjectedPrincipal and also CallerWithIdentity->BeanWithPrincipalFromEJBContext) are behaving differently than legacy.


was (Author: dvilkola):
{quote}In scenario #1 however the call does not pass to another EJB, instead it passes directly to an injected CDI bean. As this bean is directly injected it is running using the SecurityContext of the CallerWithIdentity bean so it is correct that this is returning 'anonymous' instead of 'non-anonymous'.{quote}

[~dlofthouse] [~fjuma] This holds true for legacy, but when Elytron is enabled, scenario #1 returns a non-anonymous principal. The difference is in [this method|https://github.com/wildfly/wildfly/blob/master/weld/subsystem/src/main/java/org/jboss/as/weld/services/bootstrap/WeldSecurityServices.java#L73-L85]. For Elytron `elytronDomain.getCurrentSecurityIdentity().getPrincipal();` returns non-anonymous, but legacy returns anonymous.

> Non-anonymous principal is not propagated from EJB context to CDI bean
> ----------------------------------------------------------------------
>
>                 Key: WFLY-11604
>                 URL: https://issues.jboss.org/browse/WFLY-11604
>             Project: WildFly
>          Issue Type: Bug
>          Components: CDI / Weld, Security
>    Affects Versions: 14.0.1.Final, 15.0.1.Final
>            Reporter: Nikoleta Ziakova
>            Priority: Critical
>
> This is a follow-up on WFLY-11587, which only dealt with being able to inject the principal.
> However, during testing I have tried a scenario where the caller principal was not anonymous (run-as-principal setting in jboss-ejb3.xml). See the test case in this [commit|https://github.com/nziakova/wildfly/commit/9ae586ad0159e6399f65103e049b06ccd8356135].
> The principal is not propagated from the EJB context. The result is that the injected principal in the CDI bean is always anonymous, although {{ctx.getCallerPrincipal()}} in the EJB returns the correct principal.



--
This message was sent by Atlassian Jira
(v7.13.5#713005)