Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR18
Affects Version/s: 7.1.0.DR12, 7.1.0.DR13, 7.1.0.DR14, 7.1.0.DR15, 7.1.0.DR16, 7.1.0.DR17
Component/s: EJB, Security
Labels:

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly-security-incubator/wildfly/pull/198
Steps to Reproduce:
Hide

1. Add Elytron application security domain to EJB subsystem:

/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)

2. Attempt to deploy the bean deployment to server:

deploy /path/to/startup-runas-beans.jar

The following error is produced:

10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: { "WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \"testuser\" authorization operation failed"}, "WFLYCTL0412: Required services that are not installed:" => ["jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START"] }

3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal:

10:53:29,800 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) =================================================== 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
Show
1. Add Elytron application security domain to EJB subsystem: /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain) 2. Attempt to deploy the bean deployment to server: deploy /path/to/startup-runas-beans.jar The following error is produced: 10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: { "WFLYCTL0080: Failed services" => { "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\" startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \ "testuser\" authorization operation failed"}, "WFLYCTL0412: Required services that are not installed:" => [ "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" ] } 3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean 's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal: 10:53:29,800 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) =================================================== 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If a bean is annotated with both @RunAs and @RunAsPrincipal annotations, the principal will not get authorised unless the user with such principal exists in security realm that the bean is backed by.

This was not the case with PicketBox. Since the existing EJB-Elytron integration analyses and documentation does not mention such a modification and the change makes an AS TS test case fail, this is an unexpected change of behavior.

Reproducer and sources attached.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

startup-runas-beans.jar
4 kB
2017/03/31 4:54 AM
startup-runas-beans.zip
3 kB
2017/03/31 4:57 AM

causes

JBEAP-9198 RunAsPrincipalTestCase fails to deploy when Elytron profile is used

Closed

is cloned by

WFLY-8674 Principal from @RunAsPrincipal bean annotation does not get authorised with role from @RunAs bean annotation unless the user exists in backing security realm

Closed

is incorporated by

JBEAP-10557 Backport Latest Elytron Integration Changes TO DR18 Step 2

Closed

Assignee:: Farah Juma

Reporter:: Michal Jurc

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/03/31 4:18 AM

Updated:: 2024/09/02 3:57 PM

Resolved:: 2017/05/09 8:53 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates