JBoss Enterprise Application Platform: JBEAP-6403

(7.1.0) When JASPIC's register session is used, Subject not propagated to EJB


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 7.1.0.DR1
    • None
    • Security

      When the JASPIC 1.1 register session (javax.servlet.http.registerSession) is used, the authenticated identity (via the Subject) is not propagated to the EJB container.

      The problem seems to be with JASPICAuthenticationMechanism.createAccount. When a cached account is re-used, a null is passed for the Subject parameter in the call to jbossSct.getUtil().createSubjectInfo. This will indeed set a SubjectInfo with subject being null.

      EJBContext#getCallerPrincipal checks exactly this subject, and when seeing a null will consider the user to be unauthenticated, even when the caller is authenticated in the web layer.

      See the code below:

      // SAM handled the same principal found in the cached account: indicates we must use the cached account.
      if (cachedAccount != null && cachedAccount.getPrincipal() == userPrincipal) {
          // populate the security context using the cached account data.
          jbossSct.getUtil().createSubjectInfo(
              userPrincipal, ((AccountImpl) cachedAccount).getCredential(),
              null); // PROBLEMATIC NULL
          RoleGroup roleGroup = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
          for (String role : cachedAccount.getRoles())
              roleGroup.addRole(new SimpleRole(role));
          jbossSct.getUtil().setRoles(roleGroup);
          return cachedAccount;
      }
      

      Instead of passing a null, passing the existing subject as set by the JASPIC callback handler seems to work:

      jbossSct.getUtil().createSubjectInfo(
          userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
          jbossSct.getUtil().getSubject());
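An added reproducer (not part of this report or of the EAP code base) that exercises the cached-account path described above: a JASPIC 1.1 module that registers the session, an EJB that reports its caller principal, and a servlet that compares the web-layer principal with the EJB's view. It assumes the module is registered for the application's security domain (container configuration not shown) and uses the constructed principal name "alice"; the three classes are listed together here but belong in separate files.

```java
// --- RegisterSessionAuthModule.java: JASPIC 1.1 SAM that registers the session ---
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

public class RegisterSessionAuthModule implements ServerAuthModule {
    private CallbackHandler handler;
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map opts) { handler = h; }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        try {
            // Constructed identity "alice"; a real module would validate a credential first.
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, "alice") });
            // JASPIC 1.1 register session: the container caches the identity in the HTTP session,
            // so later requests on that session take the cached-account path shown in the report.
            mi.getMap().put("javax.servlet.http.registerSession", "true");
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}

// --- CallerBean.java: EJB reporting what EJBContext#getCallerPrincipal sees ---
@javax.ejb.Stateless
public class CallerBean {
    @javax.annotation.Resource javax.ejb.SessionContext ctx;
    public String callerName() { return ctx.getCallerPrincipal().getName(); }
}

// --- CallerServlet.java: compares the web-layer principal with the EJB's view of the caller ---
@javax.servlet.annotation.WebServlet("/caller")
public class CallerServlet extends HttpServlet {
    @javax.ejb.EJB CallerBean bean;
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws java.io.IOException {
        // Call /caller twice with the same session cookie. Both values should stay "alice";
        // with the null Subject from JBEAP-6403, the second response reports an unauthenticated EJB caller.
        resp.getWriter().println("web=" + req.getUserPrincipal().getName() + " ejb=" + bean.callerName());
    }
}
```

Request the servlet once to authenticate and again with the returned session cookie; a fixed server shows the same principal in both halves of the second response.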
      

Bartosz Spyrko-Smietanko (spyrkob)