-
Bug
-
Resolution: Done
-
Major
-
None
When the JASPIC 1.1 register session (javax.servlet.http.registerSession) is used, the authenticated identity (via the Subject) is not propagated to the EJB container.
The problems seems to be with JASPICAuthenticationMechanism.createAccount. When a cached account is re-used, a null is passed for the Subject parameter in the call to jbossSct.getUtil().createSubjectInfo. This will set indeed set a SubjectInfo with subject being null.
EJBContext#getCallerPrincipal checks exactly this subject, and when seeing a null will consider the user to be unauthenticated, even when the caller is authenticated in the web layer.
See the code below:
// SAM handled the same principal found in the cached account: indicates we must use the cached account. if (cachedAccount != null && cachedAccount.getPrincipal() == userPrincipal) { // populate the security context using the cached account data. jbossSct.getUtil().createSubjectInfo( userPrincipal, ((AccountImpl) cachedAccount).getCredential(), null); // PROBLEMATIC NULL RoleGroup roleGroup = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER); for (String role : cachedAccount.getRoles()) roleGroup.addRole(new SimpleRole(role)); jbossSct.getUtil().setRoles(roleGroup); return cachedAccount; }
Instead of passing a null, passing the existing subject as set by the JASPIC callback handler seems to work:
jbossSct.getUtil().createSubjectInfo(
userPrincipal, ((AccountImpl) cachedAccount).getCredential(),
jbossSct.getUtil().getSubject());
- clones
-
-
- Closed
-
- is cloned by
-
-
- Verified
-
