JBoss Enterprise Application Platform / JBEAP-10663

EJB deployments backed by Elytron application security domain are unable to inflow identities from web deployments backed by legacy security


      Component: Compatibility/Configuration

      Steps to Reproduce:

      1. Download and build attached deployments.
      2. Start EAP in standalone profile and add the following user:

      {$EAP7_HOME}/bin/add-user.sh -a -u 'quickstartUser' -p 'quickstartPwd1!' -g 'guest'

      3. Deploy the two deployments and access http://localhost:8080/security-ejb-web/SecuredEJBServlet with the aforementioned credentials:

      jboss-cli
      [standalone@localhost:9990 /] deploy {$SECURITY_EJB_REPRODUCER}/security-ejb-jar/target/security-ejb-jar.jar
      [standalone@localhost:9990 /] deploy {$SECURITY_EJB_REPRODUCER}/security-ejb-web/target/security-ejb-web.war
      

      4. Add the EJB application security domain mapping and access the URL again; this produces the exception shown in the description:

      jboss-cli
      [standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
      {"outcome" => "success"}
      [standalone@localhost:9990 /] reload
      

      5. Add the Undertow application security domain mapping as well, which makes the application usable again:

      jboss-cli
      [standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication)
      {"outcome" => "success"}
      [standalone@localhost:9990 /] reload
      
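      The steps above leave the server half-mapped between steps 4 and 5: the EJB tier already answers to Elytron while the web tier still authenticates through PicketBox, and every call from the servlet fails. The following shell script is an added example (not code from the JBEAP-10663 report or from the EAP quickstart) that applies both mappings from steps 4 and 5 as one jboss-cli batch, so the two :add operations either both succeed or both roll back, and then emits the read-resource checks to confirm both tiers resolve after the reload. The resource names (other, ApplicationDomain, application-http-authentication) are the ones used in the steps; EAP_HOME, the function names and the fallback behaviour when no jboss-cli is installed are assumptions.

```shell
#!/bin/sh
# Added example, not code from the JBEAP-10663 report or the EAP quickstart.
# Maps the "other" security domain to Elytron in BOTH the web tier (undertow) and the
# EJB tier (ejb3) in a single jboss-cli batch, so the server never sits in the
# half-mapped state of step 4, where a PicketBox web identity reaches an Elytron-backed EJB.
# Assumed: EAP_HOME points at an EAP 7.1 install whose default Elytron resources
# (ApplicationDomain, application-http-authentication) exist.

EAP_HOME="${EAP_HOME:-/opt/jboss-eap-7.1}"                                 # assumption
DOMAIN_NAME="${DOMAIN_NAME:-other}"                                         # legacy domain name from the steps
ELYTRON_SD="${ELYTRON_SD:-ApplicationDomain}"                               # from step 4
HTTP_AUTH_FACTORY="${HTTP_AUTH_FACTORY:-application-http-authentication}"   # from step 5

# Emit the batch. batch/run-batch make the two :add operations atomic: either both
# subsystems map the domain to Elytron or neither does, and reload only follows success.
elytron_mapping_batch() {
  cat <<EOF
batch
/subsystem=undertow/application-security-domain=${DOMAIN_NAME}:add(http-authentication-factory=${HTTP_AUTH_FACTORY})
/subsystem=ejb3/application-security-domain=${DOMAIN_NAME}:add(security-domain=${ELYTRON_SD})
run-batch
reload
EOF
}

# Read-only checks to run after the reload: both mappings must resolve, otherwise a
# web login under legacy security hits WFLYEJB0364 on the first EJB call.
elytron_mapping_checks() {
  cat <<EOF
/subsystem=undertow/application-security-domain=${DOMAIN_NAME}:read-resource
/subsystem=ejb3/application-security-domain=${DOMAIN_NAME}:read-resource
EOF
}

# Reject any batch that maps only one of the two subsystems or lacks batch/run-batch.
# Returns 0 when consistent, 1 otherwise.
batch_is_consistent() {
  script="$1"
  for needle in '^batch$' '^run-batch$' \
                '^/subsystem=undertow/application-security-domain=' \
                '^/subsystem=ejb3/application-security-domain='; do
    printf '%s\n' "$script" | grep -q "$needle" || return 1
  done
  return 0
}

# Feed the batch, then the checks, to jboss-cli via --file. Falls back to printing
# the batch when no server install is present (useful for review).
apply_mapping() {
  cli="${EAP_HOME}/bin/jboss-cli.sh"
  script="$(elytron_mapping_batch)"
  batch_is_consistent "$script" || { echo "refusing to apply a half-mapped batch" >&2; return 1; }
  if [ ! -x "$cli" ]; then
    echo "jboss-cli not found at $cli; batch follows" >&2
    printf '%s\n' "$script"
    return 0
  fi
  tmp="$(mktemp)"
  printf '%s\n' "$script" > "$tmp"
  "$cli" --connect --file="$tmp"
  elytron_mapping_checks > "$tmp"
  "$cli" --connect --file="$tmp"
  rm -f "$tmp"
}

# Run as: sh map-other-to-elytron.sh apply
if [ "${1:-}" = "apply" ]; then apply_mapping; fi
```

      The consistency check is deliberately strict about the ejb3 and undertow lines appearing together: the mapping is keyed on the same legacy domain name in both subsystems, and mapping one without the other is exactly the configuration that produced the trace below.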

      Description:

      Currently, invoking an EJB in a deployment backed by Elytron security from a web deployment backed by legacy security produces a javax.ejb.EJBAccessException, because the legacy security identity is not propagated to, or recognised by, Elytron. This conflicts with the requirements set out in EAP7-482, which states the following:

      It will subsequently be possible to enable the use of Elytron by mapping to Elytron within the subsystems, when this mapping is applied it will not affect other applications not picked up by the mapping which will continue to use legacy PicketBox. Within the same application server it will be possible to have deployments deployed using PicketBox alongside deployments defined to use Elytron.

      The full stack trace produced by such an invocation:

      javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public java.lang.String org.jboss.as.quickstarts.ejb_security.SecuredEJB.getSecurityInfo() of bean: SecuredEJB is not allowed
      org.jboss.as.ejb3.security.RolesAllowedInterceptor.processInvocation(RolesAllowedInterceptor.java:67)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:256)
      org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
      org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
      org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:74)
      org.jboss.as.quickstarts.ejb_security.SecuredEJB$$$view2.getSecurityInfo(Unknown Source)
      org.jboss.as.quickstarts.ejb_security.SecuredEJBServlet.doGet(SecuredEJBServlet.java:61)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
      io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
      io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
      io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
      io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
      org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
      io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
      io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      java.lang.Thread.run(Thread.java:748)

      Assignee: Unassigned
      Reporter: Michal Jurc (mjurc@redhat.com)