Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11454

In-VM calls with authenticated SecurityIdentity.runAs(Callable c) fail to authorise for asynchronous EJB calls

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Verified (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 7.1.0.DR17, 7.1.0.DR18, 7.1.0.DR19
    • Fix Version/s: 7.1.0.ER3
    • Component/s: EJB, Security
    • Labels:
      None
    • Target Release:
    • Steps to Reproduce:
      Hide

      Run the following command in WildFly Test Suite Integration/Basic module with Elytron profile:

      mvn clean test -Dtest=AsynchronousSecurityTestCase#testAsynchSecurityMethod -Delytron -Dwildfly.tmp.enable.elytron.profile.tests
      Show
      Run the following command in WildFly Test Suite Integration/Basic module with Elytron profile: mvn clean test -Dtest=AsynchronousSecurityTestCase#testAsynchSecurityMethod -Delytron -Dwildfly.tmp.enable.elytron.profile.tests
    • Affects Testing:
      Blocks Testing

      Description

      Upon attempt to Future.get of asynchronous method from EJB with authenticated SecurityIdentity in same VM as EJB, the method fails:

      asynchronous in-VM invocation
              Callable<Boolean> callable = () -> {
                  Future<Boolean> future = securedBean.method();
                  SecuredStatelessBean.startLatch.countDown();
                  return future.get();
              };
              result = Util.switchIdentity("somebody", "password", callable);
              Assert.assertTrue(result);
      Util.switchIdentity
      final SecurityDomain securityDomain = SecurityDomain.getCurrent();
                      if (securityDomain != null) {
                          // elytron is enabled, use the new way to switch the identity
                          final SecurityIdentity securityIdentity = securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray()));
                          initialAuthSucceeded = true;
                          return securityIdentity.runAs(callable);
                      }
      exception
      javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.util.concurrent.Future org.jboss.as.test.integration.ejb.security.asynchronous.SecuredStatelessRemote.method() throws java.lang.InterruptedException,java.util.concurrent.ExecutionException of bean: SecuredStatelessBean is not allowed
      	at org.jboss.as.ejb3.security.RolesAllowedInterceptor.processInvocation(RolesAllowedInterceptor.java:67)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:45)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:256)
      	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
      	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
      	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      	at org.jboss.as.ejb3.remote.LocalEjbReceiver.lambda$processInvocation$0(LocalEjbReceiver.java:201)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:748)
      	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
      

      Invocation of synchronous method in the same bean with same credentials in Util.switchIdentity method will be successfully authorised.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              dmlloyd David Lloyd
              Reporter:
              mjurc Michal Jurc
              Tester:
              Michal Jurc Michal Jurc
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: