Details
- Analysis
- Resolution: Duplicate
- Major
- None
- 7.3.5.GA
- None
- False
- False
- Undefined
Description
Issue Description.
When running JBoss EAP 7.35 with web services (CXF), the AuthorizationIdentity is null when the SecurityIdentity is obtained from a security domain configured with Elytron.
This was working with JBoss 7.1.
Code analysis
When the SecurityIdentity is obtained from the SecurityDomain, its authorizationIdentity and securityRealm are empty.
The problem is in the method org.jboss.as.webservices.util.SubjectUtil.convertToSecurityIdentity(Subject subject, ...),
called by org.jboss.as.webservices.security.ElytronSecurityDomainContextImpl.pushSubjectContext(Subject subject, ...).
It always creates a new SecurityIdentity, although one already exists in the passed Subject (in its private credentials), and that existing identity is never returned.
https://github.com/wildfly/wildfly/blob/master/webservices/server-integration/src/main/java/org/jboss
~~~~
@Override
public void pushSubjectContext(Subject subject, Principal principal, Object credential) {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        public Void run() {
            if (credential != null) {
                // branch body not preserved in this excerpt
            }
            // ===> Returning securityIdentity: always a freshly built one, never the identity the Subject already carries
            SecurityIdentity securityIdentity = SubjectUtil.convertToSecurityIdentity(subject, principal, securityDomain,
                    "ejb");
            currentIdentity.set(securityIdentity);
            return null;
        }
    });
}
~~~~

~~~~
public static SecurityIdentity convertToSecurityIdentity(Subject subject, Principal principal, SecurityDomain domain,
        String roleCategory) {
    // ===> create a new securityIdentity: an ad hoc identity carries no authorizationIdentity and no securityRealm,
    //      and a SecurityIdentity already present in subject.getPrivateCredentials() is never consulted
    SecurityIdentity identity = domain.createAdHocIdentity(principal);
    // convert subject Group: members of the "Roles" group become role names
    Set<String> roles = new HashSet<>();
    for (Principal prin : subject.getPrincipals()) {
        if (prin instanceof Group && "Roles".equalsIgnoreCase(prin.getName())) {
            Enumeration<? extends Principal> enumeration = ((Group) prin).members();
            while (enumeration.hasMoreElements()) {
                roles.add(enumeration.nextElement().getName());
            }
        }
    }
    if (!roles.isEmpty()) {
        // the collected role names are attached under the given category (e.g. "ejb")
        identity = identity.withRoleMapper(roleCategory, RoleMapper.constant(Roles.fromSet(roles)));
    }
    // convert public credentials
    IdentityCredentials publicCredentials = IdentityCredentials.NONE;
    for (Object credential : subject.getPublicCredentials()) {
        if (credential instanceof PublicKey) {
            publicCredentials = publicCredentials.withCredential(new PublicKeyCredential((PublicKey) credential));
        } else if (credential instanceof X509Certificate) {
            publicCredentials = publicCredentials.withCredential(new X509CertificateChainPublicCredential((X509Certificate) credential));
        } else if (credential instanceof Credential) {
            publicCredentials = publicCredentials.withCredential((Credential) credential);
        }
    }
    identity = identity.withPublicCredentials(publicCredentials);
    // convert private credentials
    IdentityCredentials privateCredentials = IdentityCredentials.NONE;
    for (Object credential : subject.getPrivateCredentials()) {
        if (credential instanceof Password) {
            privateCredentials = privateCredentials.withCredential(new PasswordCredential((Password) credential));
        } else if (credential instanceof SecretKey) {
            privateCredentials = privateCredentials.withCredential(new SecretKeyCredential((SecretKey) credential));
        } else if (credential instanceof KeyPair) {
            privateCredentials = privateCredentials.withCredential(new KeyPairCredential((KeyPair) credential));
        } else if (credential instanceof PrivateKey) {
            privateCredentials = privateCredentials.withCredential(new X509CertificateChainPrivateCredential((PrivateKey) credential));
        } else if (credential instanceof Credential) {
            privateCredentials = privateCredentials.withCredential((Credential) credential);
        }
    }
    identity = identity.withPrivateCredentials(privateCredentials);
    return identity;
}
~~~~
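The check the analysis above finds missing, as an added illustration that is neither WildFly's code nor the fix tracked under WFLY-14516: reuse the SecurityIdentity an Elytron-backed caller stored in the Subject's private credentials, and fall back to an ad hoc identity only when none is there. It assumes Elytron's SecurityDomain and SecurityIdentity on the classpath; `SubjectIdentityReuse` and its methods are hypothetical names.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

/** Hypothetical helper (added example, not WildFly code): prefer the identity the Subject already carries. */
public final class SubjectIdentityReuse {

    private SubjectIdentityReuse() {
    }

    /**
     * Returns the SecurityIdentity held in the Subject's private credentials, or null when there is none.
     * That identity still carries the authorizationIdentity, realm and mapped roles that an ad hoc
     * identity created from the bare principal does not have.
     */
    public static SecurityIdentity existingIdentity(Subject subject) {
        Set<SecurityIdentity> held = subject.getPrivateCredentials(SecurityIdentity.class);
        if (held.size() > 1) {
            // Ambiguous: refuse rather than silently propagate whichever identity the set yields first.
            throw new IllegalStateException("Subject carries " + held.size() + " SecurityIdentity credentials");
        }
        return held.isEmpty() ? null : held.iterator().next();
    }

    /** Reuse-first variant of the conversion quoted above; the ad hoc path is only the fallback. */
    public static SecurityIdentity resolve(Subject subject, Principal principal, SecurityDomain domain) {
        SecurityIdentity existing = existingIdentity(subject);
        // Only reuse an identity that was established for the principal being pushed.
        if (existing != null && principal.getName().equals(existing.getPrincipal().getName())) {
            return existing;
        }
        // No reusable identity: same construction as the reported code, so callers must not rely on
        // this identity's authorization context.
        return domain.createAdHocIdentity(principal);
    }
}
```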
Attachments
Issue Links
- duplicates JBEAP-21113 [GSS](7.3.z) WFLY-14516 - SecurityIdentity is not re-used when using SubjectCreatingPolicyInterceptor in a CXF endpoint (Verified)