PicketLink / PLINK-793

EJB Security Context Propagation in Service Provider

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Steps to Reproduce:

      How to reproduce:

      Follow our documentation:

      [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/how_to_set_up_sso_with_saml_v2/index#idp_and_sp_setup_and_configuration

      In summary, on a clean server:

      set up the two security domains:

      =========================
      SP Security-Domain:

      /subsystem=security/security-domain=sp:add(cache-type=default)

      /subsystem=security/security-domain=sp/authentication=classic:add

      /subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)

      reload

      =========================
      IDP Security Domain:

      /subsystem=security/security-domain=idp:add(cache-type=default)

      /subsystem=security/security-domain=idp/authentication=classic:add

      /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles,flag=required,module-options=[usersProperties=${jboss.server.config.dir}/idp-users.properties,rolesProperties=${jboss.server.config.dir}/idp-roles.properties])

      reload
      =========================

      Create a user in idp-users.properties and set its role in idp-roles.properties under ${jboss.server.config.dir}

      idp-users.properties

      Eric=samplePass
      Alan=samplePass

      idp-roles.properties

      Eric=All
      Alan=

      ========================

      Deploy both applications EJBSecurityTestIDP and EJBSecurityTestSP

      Access http://localhost:8080/sales-post/rest/test
      Insert Eric/samplePass

      It should reproduce the issue.

    • Workaround:
      Workaround Exists
    • Workaround Description:

      In the SP domain add a UsersPasswordLoginModule that loads the roles for the users (same as done in the IDP, you could even point to the same roles.properties file). Add <module-option name="password-stacking">useFirstPass</module-option> to both login modules. This way the EJB JAAS login would retrieve the roles from there and you would be able to access protected methods.

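The workaround above, written out as the SP security domain in EAP 7 standalone.xml form (an added example, not part of the issue or its attachments): the domain from the steps to reproduce has only the SAML2LoginModule, so the EJB container's JAAS login has no module that contributes roles; the corrected domain stacks a roles-loading module behind it with password-stacking, so the second module reuses the already authenticated principal and only adds roles. Assumptions: the EAP 7 `value=` attribute form of module-option, the same UsersRoles module the IDP domain already uses (the workaround text calls it UsersPasswordLoginModule), and the file name `sp-users.properties`.

```xml
<!-- Before (as in the steps to reproduce): SAML2LoginModule only.
     The web login succeeds, but the EJB-side JAAS login has no module
     that supplies roles, so @RolesAllowed fails with WFLYEJB0364. -->
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                      flag="required"/>
    </authentication>
</security-domain>

<!-- After (workaround): stack a UsersRoles login module behind SAML2LoginModule.
     password-stacking=useFirstPass on both modules makes the first module share
     the authenticated principal and the second module reuse it instead of
     re-authenticating; the second module only adds the roles read from
     rolesProperties. -->
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                      flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <!-- Assumed file names: sp-users.properties is a placeholder (it must
             exist, but is not consulted once the principal is taken from the
             shared state); the roles file can be the same idp-roles.properties
             used by the IDP domain, as the workaround text suggests. -->
        <login-module code="UsersRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="${jboss.server.config.dir}/sp-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/idp-roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
```

Check that the workaround does not over-grant: with the roles file from the steps above, Eric (role `All`) should now pass the @RolesAllowed method and `SessionContext.isCallerInRole("All")` should return true, while Alan, who has no role in idp-roles.properties, must still be rejected with WFLYEJB0364.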

    Description

      I set up an application to reproduce this, following our documentation. First I tried with the IDP only and it succeeded; then I tried with the SP and it failed. This is an application that has a form to authenticate and a RESTful endpoint that invokes a local EJB method that can only be executed by a specific role.

      What happens is that I'm able to authenticate but even though my user contains the role, I receive this error when the EJB is invoked:

      "2019-05-17 13:37:35,618 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component SecuredStatelessBean for method public void testapp.ejb.SecuredStatelessBean.testMethod(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public void testapp.ejb.SecuredStatelessBean.testMethod() of bean: SecuredStatelessBean is not allowed"

      If I use @PermitAll and read the context in EJB side, there is no evidence of the role, but the user is retrieved correctly.

      Attached are the applications and their source code.


    Attachments

    • EJBSecurity.tar.xz (137 kB)
    • server.log (1.45 MB)

    People

    • Assignee: pcraveiro (Pedro Igor Silva)
    • Reporter: tmiyar (Teresa Miyar Gil)