Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10049

Principal from @RunAsPrincipal bean annotation does not get authorised with role from @RunAs bean annotation unless the user exists in backing security realm

XMLWordPrintable

    • Hide

      1. Add Elytron application security domain to EJB subsystem:

      /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)

      2. Attempt to deploy the bean deployment to server:

      deploy /path/to/startup-runas-beans.jar

      The following error is produced:

      10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: 
      {
          "WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
          Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
          Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \"testuser\" authorization operation failed"},
          "WFLYCTL0412: Required services that are not installed:" => ["jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START"]
      }
      

      3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal:

      10:53:29,800 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
      10:53:29,801 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser
      10:53:29,801 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
      Show
      1. Add Elytron application security domain to EJB subsystem: /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain) 2. Attempt to deploy the bean deployment to server: deploy /path/to/startup-runas-beans.jar The following error is produced: 10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: { "WFLYCTL0080: Failed services" => { "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\" startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \ "testuser\" authorization operation failed"}, "WFLYCTL0412: Required services that are not installed:" => [ "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" ] } 3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean 's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal: 10:53:29,800 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) =================================================== 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================

      If a bean is annotated with both @RunAs and @RunAsPrincipal annotations, the principal will not get authorised unless the user with such principal exists in security realm that the bean is backed by.

      This was not the case with PicketBox. Since the existing EJB-Elytron integration analyses and documentation does not mention such a modification and the change makes an AS TS test case fail, this is an unexpected change of behavior.

      Reproducer and sources attached.

            fjuma1@redhat.com Farah Juma
            mjurc@redhat.com Michal Jurc
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: