Suppose an environment with a chain of three bean invocations:
import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Remote;
import javax.ejb.RolesAllowed;
import javax.ejb.RunAs;
import javax.ejb.SessionContext;
import javax.ejb.Singleton;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Shared business interface of all three beans (one method, returning the caller's name).
public interface WhoAmI {
    String getCallerPrincipal();
}

// Bean1: entry point; runs downstream calls under the "Admin" role.
@Stateless
@Remote(WhoAmI.class)
@RunAs("Admin")
@SecurityDomain("other")
public class Bean1 implements WhoAmI {
    @EJB(beanName = "Bean2")
    private WhoAmI singleton;

    public String getCallerPrincipal() {
        return singleton.getCallerPrincipal();
    }
}

// Bean2: singleton that resolves the caller principal once, during @PostConstruct,
// and returns that cached value to every subsequent caller.
@Singleton
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2 implements WhoAmI {
    @EJB(beanName = "Bean3")
    private WhoAmI bean3;
    private String principal;

    @PostConstruct
    public void init() {
        // Runs under whatever security context is active when the singleton is created.
        principal = bean3.getCallerPrincipal();
    }

    public String getCallerPrincipal() {
        return principal;
    }
}

// Bean3: only callable by the "Admin" role; reports the effective caller principal.
@Stateless
@Local(WhoAmI.class)
@RolesAllowed("Admin")
@SecurityDomain("other")
public class Bean3 implements WhoAmI {
    @Resource
    private SessionContext ctx;

    public String getCallerPrincipal() {
        return ctx.getCallerPrincipal().getName();
    }
}
With Elytron, the @RunAs("Admin") of Bean1 is propagated through Bean2.init() to Bean3. The EJB 3.1 specification does not define the security context of the @PostConstruct method of a @Singleton bean; with this behaviour, however, the @RunAs authorization under which any @Singleton bean is initialized is determined by whichever caller first invokes it. With legacy security, the @RunAs authorization of the @PostConstruct method of @Singleton beans was undefined.
This is covered by org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase#testSingletonPostconstructSecurityNotPropagating in the WildFly Integration/Basic Test Suite module.
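As an added illustration (not code from this issue or from the WildFly test suite), a variant of Bean2 that does not depend on the unspecified @PostConstruct security context: it resolves the caller principal on every invocation instead of caching the value computed during initialization, so the identity (or @RunAs role) that happens to trigger the singleton's creation cannot become state that all later callers see. The WhoAmI interface is assumed to declare a single String getCallerPrincipal() method, as in the beans above.

```java
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Remote;
import javax.ejb.Singleton;
import org.jboss.ejb3.annotation.SecurityDomain;

// Assumed shape of the WhoAmI interface shared by the beans in this issue.
interface WhoAmI {
    String getCallerPrincipal();
}

// Hypothetical replacement for Bean2: same contract, no identity captured at init time.
@Singleton
@Remote(WhoAmI.class)
@SecurityDomain("other")
public class Bean2PerInvocation implements WhoAmI {

    @EJB(beanName = "Bean3")
    private WhoAmI bean3;

    @PostConstruct
    public void init() {
        // Intentionally no security-sensitive call here: the EJB spec does not define
        // which identity is active while a @Singleton is being initialised, and in the
        // reported case it is whatever the first invoker (or its @RunAs role) was.
    }

    @Override
    public String getCallerPrincipal() {
        // Evaluated under the security context of this call, so Bean3's
        // @RolesAllowed("Admin") check is applied to the current caller (or the
        // @RunAs of the bean calling us), never to a cached first caller.
        return bean3.getCallerPrincipal();
    }
}
```

A singleton written this way behaves the same under Elytron and legacy security, because nothing it returns depends on who created it.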
- causes: JBEAP-9080 EJB security tests are failing in AS TS with Elytron profile (Closed)
- is cloned by: WFLY-9072 @RunAs role authorization from the first invoker of @Singleton bean is propagated through the @PostConstruct method of @Singleton bean with Elytron (Closed)
- relates to: JBEAP-14307 [GSS](7.1.z) @RunAs/@RunAsPrincipal are ignored for @Startup/@Singleton bean (Closed)