Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10049

Principal from @RunAsPrincipal bean annotation does not get authorised with role from @RunAs bean annotation unless the user exists in backing security realm

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide

      1. Add Elytron application security domain to EJB subsystem:

      /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)

      2. Attempt to deploy the bean deployment to server:

      deploy /path/to/startup-runas-beans.jar

      The following error is produced:

      10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: 
      {
          "WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
          Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
          Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \"testuser\" authorization operation failed"},
          "WFLYCTL0412: Required services that are not installed:" => ["jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START"]
      }
      

      3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal:

      10:53:29,800 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
      10:53:29,801 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser
      10:53:29,801 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
      Show
      1. Add Elytron application security domain to EJB subsystem: /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain) 2. Attempt to deploy the bean deployment to server: deploy /path/to/startup-runas-beans.jar The following error is produced: 10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: { "WFLYCTL0080: Failed services" => { "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\" startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \ "testuser\" authorization operation failed"}, "WFLYCTL0412: Required services that are not installed:" => [ "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" ] } 3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean 's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal: 10:53:29,800 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) =================================================== 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================

      Description

      If a bean is annotated with both @RunAs and @RunAsPrincipal annotations, the principal will not get authorised unless the user with such principal exists in security realm that the bean is backed by.

      This was not the case with PicketBox. Since the existing EJB-Elytron integration analyses and documentation does not mention such a modification and the change makes an AS TS test case fail, this is an unexpected change of behavior.

      Reproducer and sources attached.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  fjuma Farah Juma
                  Reporter:
                  mjurc Michal Jurc
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: