Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10320

Elytron outflow-security-domains doesn't work for Servlet-to-EJB calls

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide

      => EJBAccessException (see attached server.log)

      When I try to call the same EJB but rather from the same deployment (`second`), it works correctly:
      http://localhost:8080/second/SecuredCallEjbServlet?jndiName=java:global/second/HelloBean

      Show
      use attached CLI script to configure Elytron realms and security domains deploy attached web applications open in browser http://localhost:8080/second/SecuredCallEjbServlet and authenticate as admin/admin => EJBAccessException (see attached server.log) When I try to call the same EJB but rather from the same deployment (`second`), it works correctly: http://localhost:8080/second/SecuredCallEjbServlet?jndiName=java:global/second/HelloBean

      Description

      Security context propagation with using Elytron outflow-security-domains attribute in security domain doesn't work for Servlet-to-EJB calls.

      This could also be a test configuration issue, but as there is not yet documentation covering this area, I can't guess what could be wrong in the scenario.

      1. I have 2 similar web applications with servlets and EJBs:

      • the `secured-webapp` is mapped to `web-tests` security domain
      • the `second` application is mapped to `second-domain` security domain

      2. Undertow and EJB subsystems maps the application domains `web-tests` and `second-domain` to Elytron domains with the same name.

      3. trust between the domains is defined in following way:

      /subsystem=elytron/security-domain=second-domain:write-attribute(name=outflow-security-domains,value=[web-tests])
      /subsystem=elytron/security-domain=second-domain:write-attribute(name=trusted-security-domains, value=[web-tests])
      /subsystem=elytron/security-domain=web-tests:write-attribute(name=trusted-security-domains, value=[second-domain])
      

      4. the test itself calls servlet from the `second` web application and it calls protected EJB from the `secured-webapp`.

      The EJB call fails with EJBAccessException

      14:30:04,631 ERROR [org.jboss.as.ejb3.invocation] (default task-3) WFLYEJB0034: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed
      

        Gliffy Diagrams

          Attachments

          1. outflow-config.cli
            4 kB
          2. second.war
            76 kB
          3. secured-webapp.war
            44 kB
          4. server.log
            111 kB

            Issue Links

              Activity

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  jcacek Josef Cacek
                  Tester:
                  Martin Svehla
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  6 Start watching this issue

                  Dates

                  • Created:
                    Updated: