PicketLink / PLINK-793

EJB Security Context Propagation in Service Provider


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

      How to reproduce:

      Follow our documentation:

      [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/how_to_set_up_sso_with_saml_v2/index#idp_and_sp_setup_and_configuration

      In summary, on a clean server:

      set up the two security domains:

      =========================
      SP Security-Domain:

      /subsystem=security/security-domain=sp:add(cache-type=default)

      /subsystem=security/security-domain=sp/authentication=classic:add

      /subsystem=security/security-domain=sp/authentication=classic/login-module=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule:add(code=org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule,flag=required)

      reload

      =========================
      IDP Security Domain:

      /subsystem=security/security-domain=idp:add(cache-type=default)

      /subsystem=security/security-domain=idp/authentication=classic:add

      /subsystem=security/security-domain=idp/authentication=classic/login-module=UsersRoles:add(code=UsersRoles,flag=required,module-options=[usersProperties=${jboss.server.config.dir}/idp-users.properties,rolesProperties=${jboss.server.config.dir}/idp-roles.properties])

      reload
      =========================

      Create the users in idp-users.properties and set their roles in idp-roles.properties under ${jboss.server.config.dir}:

      idp-users.properties

      Eric=samplePass
      Alan=samplePass

      idp-roles.properties

      Eric=All
      Alan=

      ========================

      Deploy both applications, EJBSecurityTestIDP and EJBSecurityTestSP.

      Access http://localhost:8080/sales-post/rest/test
      Enter Eric/samplePass

      This should reproduce the issue.

    • Workaround Exists

      In the SP domain add a UsersPasswordLoginModule that loads the roles for the users (same as done in the IDP, you could even point to the same roles.properties file). Add <module-option name="password-stacking">useFirstPass</module-option> to both login modules. This way the EJB JAAS login would retrieve the roles from there and you would be able to access protected methods.

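The SP security domain before and after the workaround, written out as a standalone.xml fragment in the EAP 7 name/value module-option form (an added illustration, not one of this issue's attachments). It assumes the module meant by UsersPasswordLoginModule is the UsersRoles login module already used for the IDP above, and it reuses the idp-users.properties and idp-roles.properties files created there, as the workaround suggests. With password-stacking=useFirstPass on both modules, the second module reuses the principal the SAML2LoginModule placed in the shared state and only contributes the role groups, which is what the EJB container's JAAS login was missing.

```xml
<!-- Before (as set up in the reproduction steps): the SAML2LoginModule alone.
     The SAML assertion authenticates the user, but no roles are attached on
     the SP side, so method-level EJB authorization denies the call. -->
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                      flag="required"/>
    </authentication>
</security-domain>

<!-- After (workaround): a UsersRoles module stacked behind the SAML2 module.
     The users file is only consulted for the principal's existence; the
     password is not re-checked because useFirstPass makes the module accept
     the identity already established by the SAML2LoginModule.
     Assumption: UsersRoles (as in the IDP domain above) is the module meant
     by "UsersPasswordLoginModule" in the workaround text. -->
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule"
                      flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="UsersRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <!-- Same files the IDP domain uses; a separate SP roles file
                 would work just as well, as long as it lists Eric=All. -->
            <module-option name="usersProperties"
                           value="${jboss.server.config.dir}/idp-users.properties"/>
            <module-option name="rolesProperties"
                           value="${jboss.server.config.dir}/idp-roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
```

After reloading, the test endpoint should reach SecuredStatelessBean.testMethod() as Eric, while Alan (no role in idp-roles.properties) still receives the EJBAccessException, which is the expected outcome.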

      I set up an application to reproduce this following our documentation. First I tried with IDP only and got success; then I tried with SP and it failed. This is an application that has a form to authenticate and a RESTful endpoint that invokes a local EJB method that can only be executed by a specific role.

      What happens is that I'm able to authenticate but even though my user contains the role, I receive this error when the EJB is invoked:

      "2019-05-17 13:37:35,618 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component SecuredStatelessBean for method public void testapp.ejb.SecuredStatelessBean.testMethod(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public void testapp.ejb.SecuredStatelessBean.testMethod() of bean: SecuredStatelessBean is not allowed"

      If I use @PermitAll and read the context in EJB side, there is no evidence of the role, but the user is retrieved correctly.

      Attached are the applications and their source code.

        1. EJBSecurity.tar.xz (137 kB, Teresa Miyar Gil)
        2. server.log (1.45 MB, Teresa Miyar Gil)

              psilva@redhat.com Pedro Igor Craveiro
              rhn-support-tmiyargi Teresa Miyar Gil (Inactive)