[jboss-jira] [JBoss JIRA] (WFCORE-4668) Transaction recovery of remote ejb calls should not be using static Default AuthenticationContext

Ondrej Chaloupka (Jira) issues at jboss.org
Mon Sep 16 08:36:00 EDT 2019


Ondrej Chaloupka created WFCORE-4668:
----------------------------------------

             Summary: Transaction recovery of remote ejb calls should not be using static Default AuthenticationContext
                 Key: WFCORE-4668
                 URL: https://issues.jboss.org/browse/WFCORE-4668
             Project: WildFly Core
          Issue Type: Bug
          Components: Security
    Affects Versions: 10.0.0.Beta9
            Reporter: Ondrej Chaloupka
            Assignee: Darran Lofthouse


WFCORE-4599 changed the `AuthenticationContext` so that it is no longer static. This started to cause trouble for transaction recovery processing when remote EJB calls are invoked.
The configuration that was used earlier for server-to-server EJB calls [1] (used with `-Dwildfly.config.url`) stopped working.
It was possible to configure the default authentication context in `standalone.xml` for the whole Elytron subsystem (in a way like [2]). But this change started to cause threads to get stuck on execution of remote EJB calls in WFTC (somewhere here [3]).
Because of that, WFCORE-4659 reverted to the static global authentication context. This was rather a workaround, as the functionality should rather work as Stuart pointed out:
{quote}
- Add an explicit config to specify the authentication context used by transaction recovery
- If this is not set fall back to the default authentication context that is used by deployments
- If none of the above are set then the auth context should be empty
{quote}

[1]
{code}
<configuration>
    <authentication-client xmlns="urn:elytron:1.0">
        <authentication-rules>
            <rule use-configuration="jta">
                <match-abstract-type name="jta" authority="jboss"/>
            </rule>
        </authentication-rules>
        <authentication-configurations>
            <configuration name="jta">
                <sasl-mechanism-selector selector="DIGEST-MD5"/>
                <providers>
                    <use-service-loader />
                </providers>
                <set-user-name name="ejb"/>
                <credentials>
                    <clear-password password="ejb"/>
                </credentials>
                <set-mechanism-realm name="ApplicationRealm" />
            </configuration>
        </authentication-configurations>
    </authentication-client>
</configuration>
{code}
[2]
{code}
<subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto" default-authentication-context="jta">
    <authentication-client>
        <authentication-configuration name="jta" authentication-name="ejb" realm="ApplicationRealm" sasl-mechanism-selector="DIGEST-MD5">
            <credential-reference clear-text="ejb"/>
        </authentication-configuration>
        <authentication-context name="jta">
            <match-rule match-abstract-type-authority="jboss" authentication-configuration="jta"/>
        </authentication-context>
    </authentication-client>
    <!-- remaining elytron subsystem configuration omitted -->
</subsystem>
{code}
[3] https://github.com/wildfly/wildfly-transaction-client/blob/master/src/main/java/org/wildfly/transaction/client/provider/remoting/RemotingRemoteTransactionPeer.java#L84



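The following is an added example, not code from WildFly, Elytron or the issue reporter: a simplified Python model of how the rule in [1] maps the `jta`/`jboss` abstract type to an authentication configuration, combined with the three-step fallback order quoted above. The function names are hypothetical, and the model assumes that rules are evaluated in document order with the first match winning.

```python
import xml.etree.ElementTree as ET

NS = {"e": "urn:elytron:1.0"}

# Constructed sample: the rule section of config [1], credentials left out.
WILDFLY_CONFIG = """
<configuration>
  <authentication-client xmlns="urn:elytron:1.0">
    <authentication-rules>
      <rule use-configuration="jta">
        <match-abstract-type name="jta" authority="jboss"/>
      </rule>
    </authentication-rules>
    <authentication-configurations>
      <configuration name="jta">
        <sasl-mechanism-selector selector="DIGEST-MD5"/>
        <set-user-name name="ejb"/>
      </configuration>
    </authentication-configurations>
  </authentication-client>
</configuration>
"""

def load_rules(xml_text):
    """Return [(abstract_type, authority, configuration_name)] in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iterfind(".//e:authentication-rules/e:rule", NS):
        match = rule.find("e:match-abstract-type", NS)
        # Assumption: a rule without match-abstract-type matches any type (None = wildcard).
        name = match.get("name") if match is not None else None
        authority = match.get("authority") if match is not None else None
        rules.append((name, authority, rule.get("use-configuration")))
    return rules

def select_configuration(rules, abstract_type, authority):
    """First matching rule wins; None means no rule applies (empty configuration)."""
    for name, auth, config in rules:
        if name in (None, abstract_type) and auth in (None, authority):
            return config
    return None

def resolve_recovery_context(explicit, deployment_default):
    """Fallback order from the quoted proposal; each argument is a rule list or None."""
    if explicit is not None:
        return "explicit", explicit
    if deployment_default is not None:
        return "deployment-default", deployment_default
    return "empty", []
```

With no explicit recovery context and no deployment default, the resolver returns an empty rule list, so a `jta`/`jboss` lookup selects no configuration and no credentials from another context are applied.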