Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 1.1.0.CR3
Affects Version/s: None
Component/s: API / SPI, Authentication Server
Labels:
None

Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/908

The SecurityDomain.authenticate() method creates a SecurityIdentity that inherits its credentials from the calling identity.

The usage of ServerAuthenticationContext is correct (it inherits the current identity as the captured identity). Capturing the identity is necessary to perform run-as authorizations without an authentication step. However the credentials should probably not be propagated from the captured identity in any case.

causes

JBEAP-12034 Elytron - Wrong private credentials used for forwarded identity when SecurityDomain.authenticate() is used

Verified

JBEAP-11454 In-VM calls with authenticated SecurityIdentity.runAs(Callable c) fail to authorise for asynchronous EJB calls

Verified

is incorporated by

JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3

Verified

Assignee:: Pedro Igor Craveiro

Reporter:: David Lloyd

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2017/07/11 11:18 AM

Updated:: 2020/09/30 2:20 PM

Resolved:: 2017/07/18 9:24 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates