Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10049

Principal from @RunAsPrincipal bean annotation does not get authorised with role from @RunAs bean annotation unless the user exists in backing security realm

    XMLWordPrintable

Details

    • Hide

      1. Add Elytron application security domain to EJB subsystem:

      /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)

      2. Attempt to deploy the bean deployment to server:

      deploy /path/to/startup-runas-beans.jar

      The following error is produced:

      10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: 
{
    "WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance
    Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \"testuser\" authorization operation failed"},
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.deployment.unit.\"startup-runas-beans.jar\".component.SingletonStartupBean.START"]
}

      3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal:

      10:53:29,800 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
10:53:29,801 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser
10:53:29,801 INFO  [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================
      Show
      1. Add Elytron application security domain to EJB subsystem: /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain) 2. Attempt to deploy the bean deployment to server: deploy /path/to/startup-runas-beans.jar The following error is produced: 10:14:25,221 ERROR [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0021: Deploy of deployment "startup-runas-beans.jar" was rolled back with the following failure message: { "WFLYCTL0080: Failed services" => { "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" => "org.jboss.msc.service.StartException in service jboss.deployment.unit.\" startup-runas-beans.jar\".component.SingletonStartupBean.START: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: java.lang.IllegalStateException: WFLYEE0042: Failed to construct component instance Caused by: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as \ "testuser\" authorization operation failed"}, "WFLYCTL0412: Required services that are not installed:" => [ "jboss.deployment.unit.\" startup-runas-beans.jar\ ".component.SingletonStartupBean.START" ] } 3. Add the testuser user to application-users.properties that the default Elytron ApplicationRealm uses with any password and deploy again. The deployment will work, and the SingletonStartupBean 's @RunAs and @RunAsPrincipal will be both correctly set as SingletonStartupBean.init method will invoke StatelessBean.getCallerPrincipal method and log a concise message with the principal: 10:53:29,800 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) =================================================== 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) SingletonStartupBean invoked StatelessBean with principal testuser 10:53:29,801 INFO [mock.ejb.SingletonStartupBean] (ServerService Thread Pool -- 74) ===================================================

    Description

      If a bean is annotated with both @RunAs and @RunAsPrincipal annotations, the principal will not get authorised unless the user with such principal exists in security realm that the bean is backed by.

      This was not the case with PicketBox. Since the existing EJB-Elytron integration analyses and documentation does not mention such a modification and the change makes an AS TS test case fail, this is an unexpected change of behavior.

      Reproducer and sources attached.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9198 RunAsPrincipalTestCase fails to deploy when Elytron profile is used

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFLY-8674 Principal from @RunAsPrincipal bean annotation does not get authorised with role from @RunAs bean annotation unless the user exists in backing security realm

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is incorporated by

          Task - Represents a small unit of work that is not end-user facing. JBEAP-10557 Backport Latest Elytron Integration Changes TO DR18 Step 2

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              fjuma1@redhat.com Farah Juma
              mjurc@redhat.com Michal Jurc
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: