Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-3658

Security context propagation using Elytron API doesn't work for EJB to protected Servlet scenario


    • Icon: Enhancement Enhancement
    • Resolution: Won't Do
    • Icon: Critical Critical
    • 5.0.0.Alpha1
    • None
    • Security
    • None

      One of the scenarios which are expected to work in Elytron is a Security context propagation from a protected EJB to a protected Servlet using HttpUrlConnection (details in RFE EAP7-284).

      The scenario doesn't work for me. My configuration:

      EJB client ->  protected EJB on server-1 -> protected Servlet on server-2 (BASIC authn)

      The EJB contains following code:

      final Callable<String> callable = () -> {
          URLConnection conn = url.openConnection();
          try (InputStream is = conn.getInputStream()) {
              return IOUtils.toString(is, StandardCharsets.UTF_8);
      AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty()

      The server-2 returns 401:

      java.io.IOException: Server returned HTTP response code: 401 for URL:
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
      	at org.wildfly.test.manual.elytron.seccontext.EntryBean.lambda$readUrl$1(EntryBean.java:69)

      There is still a chance, the problem is in the scenario configuration, but the documentation is silent about this topic.

      The problem could be in a missing integration of ElytronAuthenticator within the AuthenticationContext. I don't see it used when I debug the scenario. When I register the authenticator manually, I see another problem which will be reported in a separate JIRA.

            jkalina@redhat.com Jan Kalina (Inactive)
            olukas Ondrej Lukas (Inactive)
            Martin Svehla Martin Svehla
            0 Vote for this issue
            3 Start watching this issue