Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-4076

EJB using legacy security order of SASL mechanism matters

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Major Major
    • None
    • 6.0.0.Final
    • Remoting, Security
    • None
    • Hide

      I have attached my reproducer (secured ejb, unsecured ejb, client that calls both) and my 7.1.4 configuration files.

      To build the reproducer, modify the jboss.home property in build.xml and run "ant ear". Deploy the dist/SimpleEAR_EJB3.ear. Run "ant run" to run the client.

      A successful test should look like the following:

      [java] *** Anonymous EJB Client API ***
      [java] Hello anonymous!
      [java] *** Anonymous EJB Client API ***
      [java] *** Secured EJB Client API ***
      [java] GoodBye admin!
      [java] *** Secured EJB Client API ***

      The test fails if "ANONYMOUS" is before "PLAIN" in the SASL_MECHANISMS list.

      Show
      I have attached my reproducer (secured ejb, unsecured ejb, client that calls both) and my 7.1.4 configuration files. To build the reproducer, modify the jboss.home property in build.xml and run "ant ear". Deploy the dist/SimpleEAR_EJB3.ear. Run "ant run" to run the client. A successful test should look like the following: [java] *** Anonymous EJB Client API *** [java] Hello anonymous! [java] *** Anonymous EJB Client API *** [java] *** Secured EJB Client API *** [java] GoodBye admin! [java] *** Secured EJB Client API *** The test fails if "ANONYMOUS" is before "PLAIN" in the SASL_MECHANISMS list.

      Having configuration like this EJB call following reproducer works

              <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                  <endpoint/>
                  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm">
                      <properties>
                          <property name="SASL_MECHANISMS" value="PLAIN,ANONYMOUS"/>
                          <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                      </properties>
                  </http-connector>
              </subsystem>
      

      Switching mechanisms to <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"/> causes error

      17:52:50,441 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component GoodBye for method public abstract java.lang.String jboss.example.ejb.GoodBye.sayGoodBye(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
      	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
      	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:382)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:556)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:537)
      	at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:195)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
      

        1. jbeap-15260-reproducer-config.tar.gz
          5 kB
          Martin Choma
        2. SimpleEAR_EJB3.tar.gz
          7 kB
          Martin Choma

              jondruse@redhat.com Jiri Ondrusek
              mchoma@redhat.com Martin Choma
              Michal Jurc Michal Jurc
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: