Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3658

Security context propagation using Elytron API doesn't work for EJB to protected Servlet scenario

    XMLWordPrintable

Details

    • Enhancement
    • Resolution: Won't Do
    • Critical
    • 5.0.0.Alpha1
    • None
    • Security
    • None

    Description

      One of the scenarios which are expected to work in Elytron is a Security context propagation from a protected EJB to a protected Servlet using HttpUrlConnection (details in RFE EAP7-284).

      The scenario doesn't work for me. My configuration:

      EJB client ->  protected EJB on server-1 -> protected Servlet on server-2 (BASIC authn)

      The EJB contains following code:

      final Callable<String> callable = () -> {
    URLConnection conn = url.openConnection();
    conn.connect();
    try (InputStream is = conn.getInputStream()) {
        return IOUtils.toString(is, StandardCharsets.UTF_8);
    }
};

AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty()
    .useForwardedIdentity(SecurityDomain.getCurrent())
    .setSaslMechanismSelector(SaslMechanismSelector.ALL))
    .runCallable(callable);

      The server-2 returns 401:

      java.io.IOException: Server returned HTTP response code: 401 for URL: http://127.0.0.1:8180/seccontext-server2/whoAmI
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
	at org.wildfly.test.manual.elytron.seccontext.EntryBean.lambda$readUrl$1(EntryBean.java:69)

      There is still a chance, the problem is in the scenario configuration, but the documentation is silent about this topic.

      The problem could be in a missing integration of ElytronAuthenticator within the AuthenticationContext. I don't see it used when I debug the scenario. When I register the authenticator manually, I see another problem which will be reported in a separate JIRA.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBWS-4109 Failures of response headers checking tests with latest wildfly

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          clones

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) JBEAP-12340 Security context propagation using Elytron API doesn't work for EJB to protected Servlet scenario

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1311 Translate password before obtaining clear password spec

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBTM-3002 XTS integration tests fails on: SoapFault11: Callback wasn't triggered

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. WFLY-10004 Removing modules moved into wildfly-core for wildfly-url-http integration

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Martin Svehla Martin Svehla
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: