[jboss-jira] [JBoss JIRA] (WFCORE-4668) Transaction recovery of remote ejb calls should not be using static Default AuthenticationContext
Darran Lofthouse (Jira)
issues at jboss.org
Tue Sep 24 13:32:00 EDT 2019
[ https://issues.jboss.org/browse/WFCORE-4668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse reassigned WFCORE-4668:
----------------------------------------
Assignee: (was: Darran Lofthouse)
> Transaction recovery of remote ejb calls should not be using static Default AuthenticationContext
> -------------------------------------------------------------------------------------------------
>
> Key: WFCORE-4668
> URL: https://issues.jboss.org/browse/WFCORE-4668
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.0.0.Beta9
> Reporter: Ondrej Chaloupka
> Priority: Critical
>
> The issue WFCORE-4599 changed the `AuthenticationContext` so that it is no longer static. This started to cause trouble for transaction recovery processing when remote ejb calls are invoked.
> The configuration that was used earlier for server to server ejb calls [1] (used with `-Dwildfly.config.url`) stopped working.
> It was possible to configure the default authentication context in the `standalone.xml` for the whole elytron subsystem (in a way like [2]). But this change started to cause threads to get stuck on execution of remote ejb calls in WFTC (somewhere here [3]).
> Because of that, WFCORE-4659 reverted to the functionality of the static global authentication context. This was rather a bit of a workaround, as the functionality should rather work as Stuart pointed out:
> {quote}
> - Add an explicit config to specify the authentication context used by transaction recovery
> - If this is not set fall back to the default authentication context that is used by deployments
> - If none of the above are set then the auth context should be empty
> {quote}
> [1]
> {code}
> <configuration>
>     <authentication-client xmlns="urn:elytron:1.0">
>         <authentication-rules>
>             <rule use-configuration="jta">
>                 <match-abstract-type name="jta" authority="jboss"/>
>             </rule>
>         </authentication-rules>
>         <authentication-configurations>
>             <configuration name="jta">
>                 <sasl-mechanism-selector selector="DIGEST-MD5"/>
>                 <providers>
>                     <use-service-loader />
>                 </providers>
>                 <set-user-name name="ejb"/>
>                 <credentials>
>                     <clear-password password="ejb"/>
>                 </credentials>
>                 <set-mechanism-realm name="ApplicationRealm" />
>             </configuration>
>         </authentication-configurations>
>     </authentication-client>
> </configuration>
> {code}
> [2]
> {code}
> <subsystem xmlns="urn:wildfly:elytron:8.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto" default-authentication-context="jta">
>     <authentication-client>
>         <authentication-configuration name="jta" authentication-name="ejb" realm="ApplicationRealm" sasl-mechanism-selector="DIGEST-MD5">
>             <credential-reference clear-text="ejb"/>
>         </authentication-configuration>
>         <authentication-context name="jta">
>             <match-rule match-abstract-type-authority="jboss" authentication-configuration="jta"/>
>         </authentication-context>
>     </authentication-client>
> {code}
> [3] https://github.com/wildfly/wildfly-transaction-client/blob/master/src/main/java/org/wildfly/transaction/client/provider/remoting/RemotingRemoteTransactionPeer.java#L84
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
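
The fallback order quoted in the issue (explicit recovery configuration, then the deployments' default context, then an empty context), as an added example that is not WildFly or WildFly Transaction Client code. It assumes the WildFly Elytron client library on the classpath and Java 9 or later; `RecoveryAuthContextResolver` and its method names are hypothetical.

```java
import java.util.Optional;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.sasl.SaslMechanismSelector;

// Hypothetical helper (assumption, not project code): chooses the
// AuthenticationContext that transaction recovery calls run under.
public final class RecoveryAuthContextResolver {

    // Resolution order from the issue: explicit recovery context first, then the
    // default context used by deployments, then an empty context. The
    // process-wide static default is never consulted.
    static AuthenticationContext resolve(Optional<AuthenticationContext> recoveryContext,
                                         Optional<AuthenticationContext> deploymentDefault) {
        return recoveryContext.or(() -> deploymentDefault)
                              .orElseGet(AuthenticationContext::empty);
    }

    // Programmatic counterpart of the "jta" rule in [1] and [2]. Credentials are
    // parameters here instead of clear-text values in a config file.
    static AuthenticationContext jtaContext(String user, char[] password) {
        AuthenticationConfiguration cfg = AuthenticationConfiguration.empty()
                .useName(user)
                .usePassword(password)
                .useRealm("ApplicationRealm")
                .setSaslMechanismSelector(SaslMechanismSelector.fromString("DIGEST-MD5"));
        return AuthenticationContext.empty()
                .with(MatchRule.ALL.matchAbstractType("jta", "jboss"), cfg);
    }

    // Associates the resolved context with the calling thread for one recovery pass.
    static <T> T runRecovery(AuthenticationContext ctx, Callable<T> recoveryPass) throws Exception {
        return ctx.runCallable(recoveryPass);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values matching the issue's configuration.
        AuthenticationContext explicit = jtaContext("ejb", "ejb".toCharArray());
        AuthenticationContext chosen = resolve(Optional.of(explicit), Optional.empty());
        boolean scoped = runRecovery(chosen,
                () -> AuthenticationContext.captureCurrent() == chosen);
        System.out.println("recovery ran under the resolved context: " + scoped);
    }
}
```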