Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12445

EJB client from EAP 7.0 is sometimes authenticated as $local even when it is forbidden

    XMLWordPrintable

Details

    Description

      when running EJB client from EAP 7.0 (EJB client 2.1.x) or the 7.1 legacy client (3.0.x), against EAP 7.1.0.ER3 (and newer) server on the same machine (with the same standalone.xml), even when the client has explicitly forbidden LOCAL authentication, he is sometimes (intermittently) authenticated as the user $local.
      This does not happen when the server is EAP 7.1.0.ER2, or when using EJB client 4.x.

      Impact: the client is intermittently authenticated as a different user than expected, this also makes invocations randomly fail, because the $local user typically isn't assigned to authorization roles which are typically required for invocations of some methods. Or the other way around, this could actually elevate the user's privileges in some cases.

      Attachments

        1. client-log-correct
          70 kB
        2. client-log-incorrect
          71 kB
        3. jbeap12445reproducer.zip
          28 kB
        4. server-log-correct
          80 kB
        5. server-log-incorrect
          82 kB

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-12290 7.0.x ejb-security-interceptors quickstart does not work on 7.1

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-12882 EJB client from 7.1 doesn't work at all against EAP 7.0

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFLY-9170 EJB client from EAP 7.0 is sometimes authenticated as $local even when it is forbidden

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              pferraro@redhat.com Paul Ferraro
              jmartisk@redhat.com Jan Martiska
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: