Type: Bug
Resolution: Obsolete
Priority: Major
Affects Version: PLINK_2.7.0.Final
Description
I think PicketLink, when used for SAML authentication using SAML2LoginModule and SPServletExtension, somehow swallows the EJBContext's CallerPrincipal.
The result is that JSF beans cannot call EJBs because of security violations, even if you set @SecurityDomain and @RolesAllowed on the EJB.
How to Reproduce
0. Check out the org.picketlink.quickstarts.picketlink-federation-saml-idp-basic quickstart, and deploy it to Wildfly
1. Check out my fork of the picketlink-federation-saml-sp-post-basic quickstart at https://github.com/The-Alchemist/jboss-picketlink-quickstarts/tree/ejb-context-test
2. Run the CLI script to create the sp security domain (no changes from the original)
3. Deploy my fork
4. Try to access http://localhost:8080/sales-post/alchemist.xhtml (the IDP will ask you to login. Login with tomcat/tomcat as the credentials).
You will get a stack trace:
javax.servlet.ServletException: WFLYEJB0364: Invocation on method: public java.security.Principal alchemist.RandomEJB.getPrincipal() of bean: RandomEJB is not allowed
    javax.faces.webapp.FacesServlet.service(FacesServlet.java:667)
    io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
    io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
    io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
    io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
    io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
    io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
    io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
    io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
    io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    java.lang.Thread.run(Thread.java:745)
The Offending EJB
```java
package alchemist;

import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;

import org.jboss.logging.Logger;
// The reporter also tried org.jboss.security.annotation.SecurityDomain (see "What I Tried").
import org.jboss.ejb3.annotation.SecurityDomain;

@SecurityDomain("sp")
@RolesAllowed("manager")
@Named
@Stateless
public class RandomEJB {

    // Injected via a CDI producer for org.jboss.logging.Logger, as in the quickstart.
    @Inject
    private Logger logger;

    @Resource
    private EJBContext ejbContext;

    public Principal getPrincipal() {
        // Identity as seen by the EJB container's security interceptor.
        Principal callerPrincipal = this.ejbContext.getCallerPrincipal();
        logger.infov("EJB says that the caller principal is: {0}", callerPrincipal);
        return callerPrincipal;
    }
}
```
What I Tried
I pulled out all the stops:
- Tried both @SecurityDomain annotations from the two packages (...security.annotation and ...ejb.annotation)
- I created a jboss.xml, jboss-ejb3.xml, jboss-web.xml and set the security-domain
- I tried setting the default-security-domain in the standalone XML
- Tried setting missing-method-permissions-deny-access to false
Nothing has seemed to work...
What's super strange is that everything is fine when you try a "regular" login module like DatabaseServerLoginModule.
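A diagnostic that narrows down where the identity is lost, added here as an example; it is not code from the reporter's fork or from the PicketLink quickstarts. It records what the web container believes about the caller (HttpServletRequest.getUserPrincipal and isUserInRole) on the same thread and immediately before the EJB call, then asks a hypothetical WhoAmIBean, constrained exactly like the reporter's RandomEJB, for the EJB container's view. The servlet path /who-am-i, the class names, and the assumption that both classes are packaged in the same WAR under the "sp" security domain are all assumptions of this example.

```java
package alchemist;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jboss.ejb3.annotation.SecurityDomain;

// --- WhoAmIBean.java (hypothetical; same constraints as RandomEJB) ---
// Reports both halves of the EJB-side decision: who the container thinks
// the caller is, and whether that caller holds the role the method needs.
@SecurityDomain("sp")
@Stateless
public class WhoAmIBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("manager")
    public String describeCaller() {
        Principal p = ctx.getCallerPrincipal();
        return "ejb caller=" + (p == null ? "null" : p.getName())
             + " isCallerInRole(manager)=" + ctx.isCallerInRole("manager");
    }
}

// --- WhoAmIServlet.java (hypothetical) ---
// Plain servlet rather than a JSF bean so the check has no JSF lifecycle
// in between; it runs behind the same SP filter and security constraint
// as the rest of the application.
@WebServlet("/who-am-i")
class WhoAmIServlet extends HttpServlet {

    @EJB
    private WhoAmIBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // 1. Web tier: what Undertow's security context holds after the SAML
        //    assertion was consumed by the PicketLink SP extension.
        Principal webPrincipal = req.getUserPrincipal();
        out.println("web principal = "
                + (webPrincipal == null ? "null" : webPrincipal.getName()));
        out.println("web isUserInRole(manager) = " + req.isUserInRole("manager"));

        // 2. EJB tier: same thread, same request, through the EJB security
        //    interceptor. A WFLYEJB0364 denial surfaces as EJBAccessException.
        try {
            out.println(bean.describeCaller());
        } catch (EJBAccessException e) {
            out.println("EJB denied: " + e.getMessage());
        }
    }
}
```

Reading the output: a non-null web principal with isUserInRole(manager) true followed by "EJB denied" means the identity is present in the web container's security context but is not being propagated into (or mapped within) the EJB container's "sp" domain; a null web principal or a false role check means the SAML assertion's subject and roles never reached the servlet security context in the first place, and the EJB denial is only a downstream symptom.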