JBoss Enterprise Application Platform: JBEAP-11452

@RunAs role authorization from the first invoker of @Singleton bean is propagated through the @PostConstruct method of @Singleton bean with Elytron


Details

    • Type: Bug
    • Resolution: Obsolete
    • Priority: Critical
    • Fix Version/s: None
    • Affects Version/s: 7.1.0.DR19, 7.1.0.ER1
    • Component/s: EJB, Security
    • Labels: None

    Description

      Suppose an environment with a chain of three bean invocations:

      Bean1.java
      import javax.ejb.EJB;
      import javax.ejb.Remote;
      import javax.ejb.RunAs;
      import javax.ejb.Stateless;
      import org.jboss.ejb3.annotation.SecurityDomain;

      // First bean in the chain: every outbound call it makes runs with the "Admin" role.
      @Stateless
      @Remote(WhoAmI.class)
      @RunAs("Admin")
      @SecurityDomain("other")
      public class Bean1 implements WhoAmI {
      
          @EJB(beanName = "Bean2")
          private WhoAmI singleton;
      
          public String getCallerPrincipal() {
              return singleton.getCallerPrincipal();
          }
      
      }

      Bean2.java
      import javax.annotation.PostConstruct;
      import javax.ejb.EJB;
      import javax.ejb.Remote;
      import javax.ejb.Singleton;
      import org.jboss.ejb3.annotation.SecurityDomain;

      // Singleton whose @PostConstruct calls a role-protected bean and caches the result.
      @Singleton
      @Remote(WhoAmI.class)
      @SecurityDomain("other")
      public class Bean2 implements WhoAmI {
      
          @EJB(beanName = "Bean3")
          private WhoAmI bean3;
      
          private String principal;
      
          @PostConstruct
          public void init() {
              // Runs once, when the singleton is first created; the security
              // context in effect here is what this issue is about.
              principal = bean3.getCallerPrincipal();
          }
      
          public String getCallerPrincipal() {
              return principal;
          }
      
      }
      
      Bean3.java
      import javax.annotation.Resource;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Local;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;
      import org.jboss.ejb3.annotation.SecurityDomain;

      // Last bean in the chain: only callers holding the "Admin" role may invoke it.
      @Stateless
      @Local(WhoAmI.class)
      @RolesAllowed("Admin")
      @SecurityDomain("other")
      public class Bean3 implements WhoAmI {
      
          @Resource
          private SessionContext ctx;
      
          public String getCallerPrincipal() {
              return ctx.getCallerPrincipal().getName();
          }
      
      }

      With Elytron, the @RunAs("Admin") identity of Bean1 is propagated through Bean2.init() to Bean3, so the call made from the @PostConstruct method is authorized with the Admin role. The EJB 3.1 specification does not define the security context of a @Singleton bean's @PostConstruct method, but with this behaviour the @RunAs authorization under which any @Singleton bean is initialized is determined by whichever caller happens to invoke it first. With legacy security, the @RunAs authorization of a @Singleton bean's @PostConstruct method was undefined.

      This is covered by org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase#testSingletonPostconstructSecurityNotPropagating in the WildFly Integration/Basic test suite module.
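      The practical risk in the Bean2 above is that a value obtained under one caller's authorization is cached at construction and then served to every later caller, including ones that would be rejected by Bean3's @RolesAllowed("Admin"). The variant below is an added example, not code from this issue or from the WildFly test suite: it keeps the same WhoAmI contract and the same Bean3, but does no security-sensitive work in @PostConstruct and instead delegates on every call, so Bean3's role check is evaluated against the identity of the actual current invoker rather than the first one. It assumes the WhoAmI interface and Bean3 from the description and the "other" security domain.

```java
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import org.jboss.ejb3.annotation.SecurityDomain;

// Added example (hypothetical bean name): a singleton that does not depend on
// the security context of its @PostConstruct method.
@Singleton
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2PerCall implements WhoAmI {

    @EJB(beanName = "Bean3")
    private WhoAmI bean3;

    // Only context-free setup here: nothing that requires a role or a caller.
    // Whatever identity the container applies to this callback (undefined by
    // the EJB 3.1 spec, first-invoker's @RunAs with Elytron per the issue)
    // no longer influences what later callers receive.
    @PostConstruct
    public void init() {
        // intentionally empty
    }

    // Each call reaches Bean3 under the current caller's security context, so
    // @RolesAllowed("Admin") on Bean3 is enforced per invocation: Bean1's
    // @RunAs("Admin") passes, a caller without the Admin role gets an
    // EJBAccessException instead of a cached answer computed under Admin rights.
    @Lock(LockType.READ) // read lock: concurrent callers need no serialization here
    public String getCallerPrincipal() {
        return bean3.getCallerPrincipal();
    }
}
```

      Moving the protected call out of the lifecycle callback is what makes the outcome independent of container-specific @PostConstruct semantics; if a singleton genuinely has to call a role-protected bean during initialization, the identity used for that call should be declared on the singleton itself rather than inherited from whoever triggers construction.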


People

  Assignee: dlloyd@redhat.com David Lloyd
  Reporter: mjurc@redhat.com Michal Jurc
  Votes: 0
  Watchers: 4
