JBoss Enterprise Application Platform / JBEAP-10980

@RunAs role authorization does not propagate across deployments backed by different Elytron security domains


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Blocker
    • Affects Version/s: 7.1.0.DR18, 7.1.0.DR19, 7.1.0.ER1
    • Component/s: EJB, Security
    • Regression

      Steps to Reproduce:

      1. Download attached reproducer and build both deployments:

      mvn clean install -U

      2. Prepare server and deploy deployments:

      • Elytron security configuration preparation:
        jboss-cli
        /subsystem=ejb3/application-security-domain=sd1:add(security-domain=ApplicationDomain)
        /subsystem=ejb3/application-security-domain=sd2:add(security-domain=ManagementDomain)
        /subsystem=undertow/application-security-domain=sd1:add(http-authentication-factory=application-http-authentication)
        deploy /path/to/reproducer/who-am-i/target/who-am-i.jar
        deploy /path/to/reproducer/run-as-dep/target/run-as-dep.war
        reload
      • Legacy security configuration preparation:
        jboss-cli
        /subsystem=security/security-domain=sd1:add()
        /subsystem=security/security-domain=sd2:add()
        deploy /path/to/reproducer/who-am-i/target/who-am-i.jar
        deploy /path/to/reproducer/run-as-dep/target/run-as-dep.war
        reload

      3. Access http://localhost:8080/run-as-dep/


      When a bean annotated with @RunAs("securityRole") invokes a bean backed by a different security domain, the @RunAs role is not propagated to the target bean, so the target's role-based authorization does not see the caller as "securityRole".

      This was not the case with the legacy PicketBox security subsystem, where the @RunAs role did propagate across security domains.
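      To make the reported behaviour concrete, the following is an added illustration written for this page; it is not the attached reproducer and not project code. It shows a callee EJB guarded by @RolesAllowed("securityRole") in who-am-i.jar, bound to the ejb3 application-security-domain sd1, and a @RunAs("securityRole") EJB plus a servlet in run-as-dep.war bound to sd2. The package names, class names, the remote interface, the JNDI lookup name and the servlet are assumptions; each type would live in its own source file. With the Elytron CLI steps above (sd1 and sd2 mapped to different Elytron domains), the run-as role does not reach WhoAmIBean, so the @RolesAllowed check fails and the container throws javax.ejb.EJBAccessException, which the servlet reports; with the legacy configuration the call succeeds.

```java
// Added illustration (not the attached reproducer); names are assumptions.
// EAP 7.1 uses the javax.* Java EE APIs.

// ---- who-am-i.jar: callee bound to ejb3 application-security-domain "sd1" ----
package example.whoami;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Remote
public interface WhoAmI {
    String whoAmI();
}

@Stateless
@SecurityDomain("sd1")          // -> Elytron ApplicationDomain in the CLI steps above
public class WhoAmIBean implements WhoAmI {

    @Resource
    private SessionContext ctx;

    // Authorized only if the incoming identity carries "securityRole".
    // The caller's run-as identity is what should satisfy this check.
    @RolesAllowed("securityRole")
    @Override
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
                + " isCallerInRole(securityRole)=" + ctx.isCallerInRole("securityRole");
    }
}

// ---- run-as-dep.war: caller bound to ejb3 application-security-domain "sd2" ----
package example.runas;

import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
import example.whoami.WhoAmI;   // the interface class is also packaged in the WAR

@Stateless
@SecurityDomain("sd2")          // -> Elytron ManagementDomain in the CLI steps above
@RunAs("securityRole")          // outbound calls from this bean should run as "securityRole"
@PermitAll                      // any caller may invoke this bean
public class RunAsBean {

    // java:global/<module>/<bean>!<interface>; module name is the jar name "who-am-i"
    @EJB(lookup = "java:global/who-am-i/WhoAmIBean!example.whoami.WhoAmI")
    private WhoAmI whoAmI;

    public String call() {
        return whoAmI.whoAmI();
    }
}

// ---- run-as-dep.war: servlet behind http://localhost:8080/run-as-dep/ ----
package example.runas;

import java.io.IOException;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "")   // empty pattern maps the context root
public class RunAsServlet extends HttpServlet {

    @EJB
    private RunAsBean runAs;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        try {
            // Legacy (PicketBox) domains: the run-as role reaches WhoAmIBean and the call succeeds.
            resp.getWriter().println("who-am-i returned: " + runAs.call());
        } catch (EJBAccessException e) {
            // Elytron with sd1 != sd2: the run-as role is not propagated, @RolesAllowed rejects the call.
            resp.getWriter().println("@RunAs did not propagate: " + e.getMessage());
        }
    }
}
```

      The check a practitioner would run is the same in both configurations: build, deploy both artifacts, hit the servlet URL from step 3, and compare whether the response carries the caller principal (role propagated) or the EJBAccessException message (role not propagated).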

            Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
            Reporter: Michal Jurc (mjurc@redhat.com)
            Bilgehan Ozpeynirci, Brad Maxwell, Chris Dolphy, Derek Horton
            Votes: 0
            Watchers: 12