Details
-
Bug
-
Resolution: Done
-
Major
-
None
-
None
Description
Description of problem:
Switching users between ejb calls does not work when the call originates
from a remote client. In this case, both ejbs are on the same JBoss instance.
The use case looks like the following:
remote standalone client ---> unsecured ejb3 (switch user here) -> secured ejb3
I tried to use both approaches outlined in Q10/A10 of the JBoss
Security FAQ [1] in order to establish a security context in
the unsecured ejb that should be used to invoke the secured ejb.
Neither approach worked in my testing.
When the same unsecured ejb is called from a web application (secured
or unsecured), then the user switching works correctly.
The ejb security code appears to work differently based on the client
type (standalone remote ejb client vs a web application).
I believe this is happening because the
org.jboss.as.security.service.SimpleSecurityManager.push method (called
by the SecurityContextInterceptor) is checking for an existing
RemotingContext and grabbing the security context from there even
though the security context that should be used appears to be getting
propagated correctly.
The following area of the code appears to be causing the issue. This
section of code is executed which causes the newly established security
context to be ignored:
if (RemotingContext.isSet()) {
// In this case the principal and credential will not have been set to set some random values.
SecurityContextUtil util = current.getUtil();
Steps to Reproduce:
Create a test application that looks like the following:
remote client ---> unsecured ejb3 (switch user here) -> secured ejb3
Actual results:
If the unsecured ejb is invoked from a remote client, the user switching that takes place in the first ejb is ignored. Replace the remote standalone client with a web application and the user switching works.
Expected results:
User switching should work if the client is a standalone remote client or a web application.
Additional info:
