JBoss Enterprise Application Platform
JBEAP-24520

EESecurityAnnotationProcessor does not detect injections


Details


      The solution involves checking for injection annotations, and determining if an injected object is from Jakarta Security. A basic PoC is attached as a patch applied to commit a9cd4c444b872ed84a919671a63dcb68e0f77218

      [^51689add8d44c65afab78459e0e8520fb8d3a1fd.patch]


      See the custom-principal-elytron demo in elytron-examples (Note that the server's Elytron subsystem must implement the fixes from ELY-2468). In summary:

      1. Create an application which makes use of a custom principal within the Elytron authentication framework.
      2. Within the app, attempt to retrieve the custom principal by invoking SecurityContext.getCallerPrincipal (see line 73)
      3. Follow the instructions in the README to set up the necessary modules and configuration.
      4. The application fails to deploy, as it neither uses a Jakarta Security annotation nor implements one of the Jakarta Security interfaces.

    Description

      EESecurityAnnotationProcessor does not enable the ee-security subsystem if a Jakarta Security interface is being injected. This can cause issues when a full implementation is not used (for example, injecting jakarta.security.enterprise.SecurityContext).

      Currently, the subsystem can be activated when Jakarta Security annotations are used, or if one of the Jakarta Security interfaces is implemented. The subsystem should also be enabled if one of those interfaces is injected.
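      As an added illustration of the check the description calls for (this is not the attached patch or WildFly's own code), the following Java sketch scans a class for injection points whose type lives in the Jakarta Security package, and it also covers constructor injection. The bean, the package-prefix test and the reflection-based approach are assumptions; the real processor works on the deployment's annotation index rather than on loaded classes.

```java
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

public class JakartaSecurityInjectionCheck {
    // Assumption: any type under this package is a Jakarta Security interface whose
    // injection should activate ee-security, even without annotations or implementations.
    static final String JAKARTA_SECURITY_PACKAGE = "jakarta.security.enterprise.";

    // Constructed bean reproducing the gap: it only injects SecurityContext and neither
    // uses a Jakarta Security annotation nor implements one of its interfaces.
    public static class CallerBean {
        @Inject
        SecurityContext securityContext;
        public Principal caller() {
            return securityContext.getCallerPrincipal();
        }
    }

    static boolean isJakartaSecurityType(Class<?> type) {
        return type.getName().startsWith(JAKARTA_SECURITY_PACKAGE);
    }

    // Lists every @Inject field or constructor parameter whose type is from Jakarta
    // Security; a non-empty result is the condition under which the subsystem should be on.
    public static List<String> jakartaSecurityInjectionPoints(Class<?> clazz) {
        List<String> hits = new ArrayList<>();
        for (Field f : clazz.getDeclaredFields()) {
            if (f.isAnnotationPresent(Inject.class) && isJakartaSecurityType(f.getType())) {
                hits.add("field " + f.getName() + " : " + f.getType().getName());
            }
        }
        for (Constructor<?> c : clazz.getDeclaredConstructors()) {
            if (!c.isAnnotationPresent(Inject.class)) continue;
            for (Class<?> p : c.getParameterTypes()) {
                if (isJakartaSecurityType(p)) hits.add("constructor parameter : " + p.getName());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = jakartaSecurityInjectionPoints(CallerBean.class);
        System.out.println(hits.isEmpty() ? "no Jakarta Security injection point"
                : "enable ee-security for injection points: " + hits);
    }
}
```

      For CallerBean the scan reports the single field injection of SecurityContext, which is exactly the case the current processor misses.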

    People

      rh-ee-carodrig Cameron Rodriguez (Inactive)
      fjuma1@redhat.com Farah Juma