Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-6403

(7.1.0) When JASPIC's register session is used, Subject not propagated to EJB

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 7.1.0.DR1
    • None
    • Security

    Description

      When the JASPIC 1.1 register session (javax.servlet.http.registerSession) is used, the authenticated identity (via the Subject) is not propagated to the EJB container.

      The problems seems to be with JASPICAuthenticationMechanism.createAccount. When a cached account is re-used, a null is passed for the Subject parameter in the call to jbossSct.getUtil().createSubjectInfo. This will set indeed set a SubjectInfo with subject being null.

      EJBContext#getCallerPrincipal checks exactly this subject, and when seeing a null will consider the user to be unauthenticated, even when the caller is authenticated in the web layer.

      See the code below:

         // SAM handled the same principal found in the cached account: indicates we must use the cached account.
        if (cachedAccount != null && cachedAccount.getPrincipal() == userPrincipal) {
            // populate the security context using the cached account data.
            jbossSct.getUtil().createSubjectInfo(
                userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
                null); // PROBLEMATIC NULL
            RoleGroup roleGroup = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
            for (String role : cachedAccount.getRoles())
                roleGroup.addRole(new SimpleRole(role));
            jbossSct.getUtil().setRoles(roleGroup);
            return cachedAccount;
        }

      Instead of passing a null, passing the existing subject as set by the JASPIC callback handler seems to work:

      jbossSct.getUtil().createSubjectInfo(
    userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
    jbossSct.getUtil().getSubject());

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. WFLY-6579 When JASPIC's register session is used, Subject not propagated to EJB

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-6282 [GSS](7.0.z) Security context is not always correctly propagated from web container to EJB container when using a JASPIC security domain

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              spyrkob Bartosz Spyrko-Smietanko
              spyrkob Bartosz Spyrko-Smietanko
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: