Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-19398

[GSS](7.3.z) WFLY-13381- Unable to disable security on EJB over Http endpoint

    Details

    • Type: Bug
    • Status: Verified (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 7.3.0.GA
    • Fix Version/s: 7.3.2.CR1, 7.3.2.GA
    • Component/s: EJB
    • Labels:
      None
    • Target Release:
    • Steps to Reproduce:
      Hide

      unzip -d $JBOSS_HOME/ reproducer-overlay.zip

      Starting with this system property set will reproduce the error:
      ./bin/standalone.sh -DuseHttp

      Starting without the system property set, will use remote+http will will invoke fine as it works when the security-realm="ApplicationRealm" is removed from the remoting subsystem.

      ./bin/standalone.sh

      Show
      unzip -d $JBOSS_HOME/ reproducer-overlay.zip Starting with this system property set will reproduce the error: ./bin/standalone.sh -DuseHttp Starting without the system property set, will use remote+http will will invoke fine as it works when the security-realm="ApplicationRealm" is removed from the remoting subsystem. ./bin/standalone.sh
    • Workaround Description:
      Hide

      Workaround #1 - create a user that all clients specify user / pass

      Workaround #2

      • configure a security realm / security domain that always returns the same principal / groups on remoting / undertow
      • put a wildfly-config.xml in the standalone or application running in JBoss with config as shown below that configures an arbitrary user/pass (they can be anything they will not be used)
      embed-server
      
      echo "create TestSecurityDomain that will always return principal=guest and roles=guest"
      /subsystem=security/security-domain=TestSecurityDomain:add()
      /subsystem=security/security-domain=TestSecurityDomain/authentication=classic:add(login-modules=[{code=Identity,flag=required, module-options={principal=anonymous,roles=anonymous}}])
      
      echo "Create a TestRealm using TestSecurityDomain"
      /core-service=management/security-realm=TestRealm:add()
      /core-service=management/security-realm=TestRealm/authentication=jaas:add(name=TestSecurityDomain)
      /core-service=management/security-realm=TestRealm/server-identity=ssl:add(keystore-path=application.keystore,keystore-relative-to=jboss.server.config.dir, keystore-password=password, alias=server, key-password=password, generate-self-signed-certificate-host=localhost)
      
      echo "Change Remoting from ApplicationRealm to TestRealm"
      /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=TestRealm)
      
      echo "Configure undertow to use TestRealm"
      /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=security-realm,value=TestRealm)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm,value=TestRealm)
      
      echo "Change the default EJB to use TestSecurityDomain which the EJB side will use"
      /subsystem=ejb3:write-attribute(name=default-security-domain,value=TestSecurityDomain)
      
      echo "Remote ApplicationRealm to make sure we are testing TestRealm"
      /core-service=management/security-realm=ApplicationRealm:remove()
      

      wildfly-config.xml :

      <?xml version="1.0" ?>
      <configuration>
          <authentication-client xmlns="urn:elytron:1.0">
              <authentication-rules>
                  <rule use-configuration="all"/>
              </authentication-rules>
              <authentication-configurations>
                  <configuration name="all">
                      <set-user-name name="anonymous"/>
                      <credentials>
                          <clear-password password="anonymous"/>
                      </credentials>
                  </configuration>
              </authentication-configurations>
          </authentication-client>
      </configuration>
      
      Show
      Workaround #1 - create a user that all clients specify user / pass Workaround #2 configure a security realm / security domain that always returns the same principal / groups on remoting / undertow put a wildfly-config.xml in the standalone or application running in JBoss with config as shown below that configures an arbitrary user/pass (they can be anything they will not be used) embed-server echo "create TestSecurityDomain that will always return principal=guest and roles=guest" /subsystem=security/security-domain=TestSecurityDomain:add() /subsystem=security/security-domain=TestSecurityDomain/authentication=classic:add(login-modules=[{code=Identity,flag=required, module-options={principal=anonymous,roles=anonymous}}]) echo "Create a TestRealm using TestSecurityDomain" /core-service=management/security-realm=TestRealm:add() /core-service=management/security-realm=TestRealm/authentication=jaas:add(name=TestSecurityDomain) /core-service=management/security-realm=TestRealm/server-identity=ssl:add(keystore-path=application.keystore,keystore-relative-to=jboss.server.config.dir, keystore-password=password, alias=server, key-password=password, generate-self-signed-certificate-host=localhost) echo "Change Remoting from ApplicationRealm to TestRealm" /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=TestRealm) echo "Configure undertow to use TestRealm" /subsystem=undertow/server= default -server/host= default -host/setting=http-invoker:write-attribute(name=security-realm,value=TestRealm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=security-realm,value=TestRealm) echo "Change the default EJB to use TestSecurityDomain which the EJB side will use" /subsystem=ejb3:write-attribute(name= default -security-domain,value=TestSecurityDomain) echo "Remote ApplicationRealm to make sure we are testing TestRealm" /core-service=management/security-realm=ApplicationRealm:remove() wildfly-config.xml : <?xml version= "1.0" ?> <configuration> <authentication-client xmlns= "urn:elytron:1.0" > <authentication-rules> <rule use-configuration= "all" /> </authentication-rules> <authentication-configurations> <configuration name= "all" > <set-user-name name= "anonymous" /> <credentials> <clear-password password= "anonymous" /> </credentials> </configuration> </authentication-configurations> </authentication-client> </configuration>
    • QE Test Coverage:
      +

      Description

      For EJB over remote+http / http-remoting , removing the security-realm from the http-connector disables security and allows any remote client to connect to the endpoint without authenticating.

              <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
              </subsystem>
      

      For EJB over Http it goes over the http-invoker in undertow, removing the ApplicationRealm

              <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
      ...
                      <host name="default-host" alias="localhost">
                          <location name="/" handler="welcome-content"/>
                          <http-invoker security-realm="ApplicationRealm"/>
                      </host>
                  </server>
      

      It fails with:

      18:10:16,660 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component Hello for method public abstract java.lang.String com.jboss.examples.ejb.Hello.sayHello(java.lang.String): java.lang.IllegalArgumentException: Parameter 'identity' may not be null
      	at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:71)
      	at org.wildfly.common.Assert.checkNotNullParam(Assert.java:49)
      	at org.wildfly.security.auth.server.SecurityDomain.forIdentity(SecurityDomain.java:187)
      	at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:313)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor.run(SecurityContextInterceptor.java:52)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor.run(SecurityContextInterceptor.java:49)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory.processInvocation(ShutDownInterceptorFactory.java:64)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
      	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
      	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:556)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:537)
      	at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest(AssociationImpl.java:195)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  ivassile Ilia Vassilev
                  Reporter:
                  rhn-support-rmartinc Ricardo Martin Camarero
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: