Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10980

@RunAs role authorization does not propagate across deployments backed by different Elytron security domains

    XMLWordPrintable

Details

    • Bug
    • Resolution: Won't Do
    • Blocker
    • None
    • 7.1.0.DR18, 7.1.0.DR19, 7.1.0.ER1
    • EJB, Security
    • None
    • Regression
    • Hide

      1. Download attached reproducer and build both deployments:

      mvn clean install -U

      2. Prepare server and deploy deployments:

      • Elytron security configuration preparation:
        jboss-cli
        /subsystem=ejb3/application-security-domain=sd1:add(security-domain=ApplicationDomain)
/subsystem=ejb3/application-security-domain=sd2:add(security-domain=ManagementDomain)
/subsystem=undertow/application-security-domain=sd1:add(http-authentication-factory=application-http-authentication)
deploy /path/to/reproducer/who-am-i/target/who-am-i.jar
deploy /path/to/reproducer/run-as-dep/target/run-as-dep.war
reload
      • Legacy security configuration preparation:
        jboss-cli
        /subsystem=security/security-domain=sd1:add()
/subsystem=security/security-domain=sd2:add()
deploy /path/to/reproducer/who-am-i/target/who-am-i.jar
deploy /path/to/reproducer/run-as-dep/target/run-as-dep.war
reload

      3. Access http://localhost:8080/run-as-dep/

      Show
      1. Download attached reproducer and build both deployments: mvn clean install -U 2. Prepare server and deploy deployments: Elytron security configuration preparation: jboss-cli /subsystem=ejb3/application-security-domain=sd1:add(security-domain=ApplicationDomain) /subsystem=ejb3/application-security-domain=sd2:add(security-domain=ManagementDomain) /subsystem=undertow/application-security-domain=sd1:add(http-authentication-factory=application-http-authentication) deploy /path/to/reproducer/who-am-i/target/who-am-i.jar deploy /path/to/reproducer/run-as-dep/target/run-as-dep.war reload Legacy security configuration preparation: jboss-cli /subsystem=security/security-domain=sd1:add() /subsystem=security/security-domain=sd2:add() deploy /path/to/reproducer/who-am-i/target/who-am-i.jar deploy /path/to/reproducer/run-as-dep/target/run-as-dep.war reload 3. Access http://localhost:8080/run-as-dep/

    Description

      In a scenario when @RunAs("securityRole") annotated bean invokes bean backed by different security domain, the @RunAs authorization does not propagate over.

      This was not the case with PicketBox security, where the @RunAs authorization propagated.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11108 Elytron migration: single security domain per deployment

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11536 [Doc RFE] '@RunAs' role authorization does not propagate across deployments backed by different Elytron security domains

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mjurc@redhat.com Michal Jurc
              Bilgehan Ozpeynirci, Brad Maxwell, Chris Dolphy, Derek Horton
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: