WildFly Core / WFCORE-4076

EJB using legacy security order of SASL mechanism matters

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Rejected
    • Affects Version/s: 6.0.0.Final
    • Fix Version/s: None
    • Component/s: Remoting, Security
    • Labels: None
    • Steps to Reproduce:

      I have attached my reproducer (secured ejb, unsecured ejb, client that calls both) and my 7.1.4 configuration files.

      To build the reproducer, modify the jboss.home property in build.xml and run "ant ear". Deploy the dist/SimpleEAR_EJB3.ear. Run "ant run" to run the client.

      A successful test should look like the following:

      [java] *** Anonymous EJB Client API ***
      [java] Hello anonymous!
      [java] *** Anonymous EJB Client API ***
      [java] *** Secured EJB Client API ***
      [java] GoodBye admin!
      [java] *** Secured EJB Client API ***

      The test fails if "ANONYMOUS" is before "PLAIN" in the SASL_MECHANISMS list.


      Description

      With configuration like the following, the EJB calls in the reproducer work:

              <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                  <endpoint/>
                  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm">
                      <properties>
                          <property name="SASL_MECHANISMS" value="PLAIN,ANONYMOUS"/>
                          <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                      </properties>
                  </http-connector>
              </subsystem>
      

      Switching the mechanisms to <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"/> causes this error:

      17:52:50,441 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component GoodBye for method public abstract java.lang.String jboss.example.ejb.GoodBye.sayGoodBye(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
      	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
      	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:382)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:556)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:537)
      	at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:195)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
      
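As an added example (not part of the issue or of WildFly itself), a small Python check that parses a remoting subsystem fragment like the one above and flags connectors whose SASL_MECHANISMS list puts ANONYMOUS ahead of other mechanisms, the ordering the issue reports as failing; the sample XML is constructed from the failing variant.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the failing variant from the issue (ANONYMOUS listed before PLAIN).
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <endpoint/>
    <http-connector name="http-remoting-connector" connector-ref="default"
                    security-realm="ApplicationRealm">
        <properties>
            <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"/>
            <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
        </properties>
    </http-connector>
</subsystem>"""

NS = "{urn:jboss:domain:remoting:4.0}"


def connector_properties(root):
    """Yield (connector name, {property name: value}) for each connector in the fragment."""
    for tag in ("http-connector", "connector"):
        for conn in root.iter(NS + tag):
            props = {p.get("name"): p.get("value") for p in conn.iter(NS + "property")}
            yield conn.get("name"), props


def check_sasl_order(xml_text):
    """Return (connector, mechanism list, mechanisms listed after ANONYMOUS) for each
    connector whose SASL_MECHANISMS places ANONYMOUS ahead of another mechanism."""
    findings = []
    for name, props in connector_properties(ET.fromstring(xml_text)):
        raw = props.get("SASL_MECHANISMS")
        if not raw:
            continue
        mechs = [m.strip() for m in raw.split(",") if m.strip()]
        if "ANONYMOUS" in mechs:
            shadowed = mechs[mechs.index("ANONYMOUS") + 1:]
            if shadowed:
                findings.append((name, mechs, shadowed))
    return findings


def anonymous_last(mechs):
    """Return the list with ANONYMOUS moved to the end, the order the issue reports as working."""
    return [m for m in mechs if m != "ANONYMOUS"] + [m for m in mechs if m == "ANONYMOUS"]


if __name__ == "__main__":
    for name, mechs, shadowed in check_sasl_order(SAMPLE_XML):
        print(f"{name}: ANONYMOUS precedes {shadowed}; use {','.join(anonymous_last(mechs))}")
```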

                People

• Assignee: jondruse Jiri Ondrusek
• Reporter: mchoma Martin Choma
• Tester: Michal Jurc