Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Obsolete
Priority: Major
Fix Version/s: None
Affects Version/s: 7.1.0.DR16
Component/s: EJB, Security, Undertow
Labels:
- eap7.1.0-defer
- eap72
- ejb
- identity-propagation
- outflow
- servlet

Target Release:

7.2.0.GA
Steps to Reproduce:
Hide

use attached CLI script to configure Elytron realms and security domains

deploy attached web applications

open in browser http://localhost:8080/second/SecuredCallEjbServlet and authenticate as admin/admin

=> EJBAccessException (see attached server.log)

When I try to call the same EJB but rather from the same deployment (`second`), it works correctly:
http://localhost:8080/second/SecuredCallEjbServlet?jndiName=java:global/second/HelloBean
Show
use attached CLI script to configure Elytron realms and security domains deploy attached web applications open in browser http://localhost:8080/second/SecuredCallEjbServlet and authenticate as admin/admin => EJBAccessException (see attached server.log) When I try to call the same EJB but rather from the same deployment (`second`), it works correctly: http://localhost:8080/second/SecuredCallEjbServlet?jndiName=java:global/second/HelloBean

SFDC Cases Counter:
SFDC Cases Links:

Description

Security context propagation with using Elytron outflow-security-domains attribute in security domain doesn't work for Servlet-to-EJB calls.

This could also be a test configuration issue, but as there is not yet documentation covering this area, I can't guess what could be wrong in the scenario.

1. I have 2 similar web applications with servlets and EJBs:

the `secured-webapp` is mapped to `web-tests` security domain
the `second` application is mapped to `second-domain` security domain

2. Undertow and EJB subsystems maps the application domains `web-tests` and `second-domain` to Elytron domains with the same name.

3. trust between the domains is defined in following way:

/subsystem=elytron/security-domain=second-domain:write-attribute(name=outflow-security-domains,value=[web-tests])
/subsystem=elytron/security-domain=second-domain:write-attribute(name=trusted-security-domains, value=[web-tests])
/subsystem=elytron/security-domain=web-tests:write-attribute(name=trusted-security-domains, value=[second-domain])

4. the test itself calls servlet from the `second` web application and it calls protected EJB from the `secured-webapp`.

The EJB call fails with EJBAccessException

14:30:04,631 ERROR [org.jboss.as.ejb3.invocation] (default task-3) WFLYEJB0034: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

outflow-config.cli
2017/04/12 9:15 AM
4 kB
Josef Cacek
second.war
2017/04/12 9:15 AM
76 kB
Josef Cacek
secured-webapp.war
2017/04/12 9:15 AM
44 kB
Josef Cacek
server.log
2017/04/12 9:20 AM
111 kB
Josef Cacek

Issue Links

is cloned by

WFLY-8568 Elytron outflow-security-domains doesn't work for Servlet-to-EJB calls

Open

relates to

JBEAP-15394 [GSS](7.2.z) WildFlyInitialContextFactory EJB proxy security behavior inconsistent with different context lookups

Verified

JBEAP-15279 [GSS](7.1.z) WildFlyInitialContextFactory EJB proxy security behavior inconsistent with different context lookups

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Josef Cacek (Inactive)

Tester:: Martin Svehla

QA Contact:: Martin Svehla

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2017/04/12 9:32 AM

Updated:: 2021/10/24 6:26 AM

Resolved:: 2021/08/04 3:00 AM