Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-793

EJB Security Context Propagation in Service Provider

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • None
    • None
    • None
    • Hide

      How to reproduce:

      Follow our documentation:

      [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/how_to_set_up_sso_with_saml_v2/index#idp_and_sp_setup_and_configuration

      In summary in a clean server:

      setup the two security-domain:

      =========================
      SP Security-Domain:

      /subsystem=security/security-domain=sp:add(cache-type=default)

      /subsystem=security/security-domain=sp/authentication=classic:add

      /subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)

      reload

      =========================
      IDP Security Domain:

      /subsystem=security/security-domain=idp:add(cache-type=default)

      /subsystem=security/security-domain=idp/authentication=classic:add

      /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles,flag=required,module-options=[usersProperties=${jboss.server.config.dir}/idp-users.properties,rolesProperties=${jboss.server.config.dir}/idp-roles.properties])

      reload
      =========================

      Create a user in idp-users.properties and set its role in idp-roles.properties under ${jboss.server.config.dir}

      idp-users.properties

      Eric=samplePass
      Alan=samplePass

      idp-roles.properties

      Eric=All
      Alan=

      ========================

      Deploy both applications EJBSecurityTestIDP and EJBSecurityTestSP

      Access http://localhost:8080/sales-post/rest/test
      Insert Eric/samplePass

      It should reproduce the issue.

      Show
      How to reproduce: Follow our documentation: [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/how_to_set_up_sso_with_saml_v2/index#idp_and_sp_setup_and_configuration In summary in a clean server: setup the two security-domain: ========================= SP Security-Domain: /subsystem=security/security-domain=sp:add(cache-type=default) /subsystem=security/security-domain=sp/authentication=classic:add /subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required) reload ========================= IDP Security Domain: /subsystem=security/security-domain=idp:add(cache-type=default) /subsystem=security/security-domain=idp/authentication=classic:add /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles,flag=required,module-options= [usersProperties=${jboss.server.config.dir}/idp-users.properties,rolesProperties=${jboss.server.config.dir}/idp-roles.properties] ) reload ========================= Create a user in idp-users.properties and set its role in idp-roles.properties under ${jboss.server.config.dir} idp-users.properties Eric=samplePass Alan=samplePass idp-roles.properties Eric=All Alan= ======================== Deploy both applications EJBSecurityTestIDP and EJBSecurityTestSP Access http://localhost:8080/sales-post/rest/test Insert Eric/samplePass It should reproduce the issue.
    • Workaround Exists
    • Hide

      In the SP domain add a UsersPasswordLoginModule that loads the roles for the users (same as done in the IDP, you could even point to the same roles.properties file). Add <module-option name="password-stacking">useFirstPass</module-option> to both login modules. This way the EJB JAAS login would retrieve the roles from there and you would be able to access protected methods.

      Show
      In the SP domain add a UsersPasswordLoginModule that loads the roles for the users (same as done in the IDP, you could even point to the same roles.properties file). Add <module-option name="password-stacking">useFirstPass</module-option> to both login modules. This way the EJB JAAS login would retrieve the roles from there and you would be able to access protected methods.

    Description

      I set up an application to reproduce following our documentation First I tried with IDP only and got success, then I tried with SP and it failed. This is an application that has a form to authenticate and a restful endpoint that invokes a local EJB method that can only be executed by a specific role.

      What happens is that I'm able to authenticate but even though my user contains the role, I receive this error when the EJB is invoked:

      "2019-05-17 13:37:35,618 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component SecuredStatelessBean for method public void testapp.ejb.SecuredStatelessBean.testMethod(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public void testapp.ejb.SecuredStatelessBean.testMethod() of bean: SecuredStatelessBean is not allowed"

      If I use @PermitAll and read the context in EJB side, there is no evidence of the role, but the user is retrieved correctly.

      Attached the applications and its source code.

      Attachments

        1. EJBSecurity.tar.xz
          137 kB
        2. server.log
          1.45 MB

        Issue Links

          is cloned by

          Bug - A problem which impairs or prevents the functions of the product. JBEAP-16924 [GSS](7.2.z) PLINK-793 [picketlink part]- EJB Security Context Propagation in Service Provider

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component WFLY-12111 Upgrade picketlink to 2.5.5.SP13

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Task - A task that needs to be done. WFLY-12125 Integration test for PLINK-793

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              rhn-support-tmiyargi Teresa Miyar Gil (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated: