Loading...

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 23.0.0.Final
Affects Version/s: 23.0.0.Beta1
Component/s: Web Services
Labels:
None

Steps to Reproduce:
Hide

Install wildfly 23 and configure it to use elytron (for example using the enable-elytron.cli cli file).

Create a user for the endpoint.

./add-user.sh -a -u sample -p password123 -g users,extras

Compile and package the attached cxf-ws-auth project.

mvn clean package

Deploy in wildfly the resulting war.

Execute the sample:

mvn exec:java

In the log look for the messages, you will see that attributes or roles are empty:

10:33:29,374 ERROR [stderr] (default task-1) CXF user=sample 10:33:29,375 ERROR [stderr] (default task-1) JavaEE user=sample 10:33:29,375 ERROR [stderr] (default task-1) SecurityIdentity=SecurityIdentity{principal=sample, securityDomain=org.wildfly.security.auth.server.SecurityDomain@3156e141, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='default', securityRealm=EMPTY_REALM}, creationTime=2021-03-04T09:33:29.350Z} 10:33:29,376 ERROR [stderr] (default task-1) attributes={} 10:33:29,376 ERROR [stderr] (default task-1) private-credentials=0 10:33:29,376 ERROR [stderr] (default task-1) public-credentials=0 10:33:29,376 ERROR [stderr] (default task-1) created-time=2021-03-04T09:33:29.350Z 10:33:29,377 ERROR [stderr] (default task-1) roles=[]
Show
Install wildfly 23 and configure it to use elytron (for example using the enable-elytron.cli cli file). Create a user for the endpoint. ./add-user.sh -a -u sample -p password123 -g users,extras Compile and package the attached cxf-ws-auth project. mvn clean package Deploy in wildfly the resulting war. Execute the sample: mvn exec:java In the log look for the messages, you will see that attributes or roles are empty: 10:33:29,374 ERROR [stderr] (default task-1) CXF user=sample 10:33:29,375 ERROR [stderr] (default task-1) JavaEE user=sample 10:33:29,375 ERROR [stderr] (default task-1) SecurityIdentity=SecurityIdentity{principal=sample, securityDomain=org.wildfly.security.auth.server.SecurityDomain@3156e141, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='default', securityRealm=EMPTY_REALM}, creationTime=2021-03-04T09:33:29.350Z} 10:33:29,376 ERROR [stderr] (default task-1) attributes={} 10:33:29,376 ERROR [stderr] (default task-1) private-credentials=0 10:33:29,376 ERROR [stderr] (default task-1) public-credentials=0 10:33:29,376 ERROR [stderr] (default task-1) created-time=2021-03-04T09:33:29.350Z 10:33:29,377 ERROR [stderr] (default task-1) roles=[]
Release Note Text:
Undefined
Git Pull Request:
https://github.com/wildfly/wildfly/pull/14080
[QE] How to address?:
---
[QE] Why QE missed?:
---

Description

After ~~WFLY-10480~~ the method pushSubjectContext unconditionally creates a new SecurityIdentity from the subject passed. See here.

Therefore an endpoint that uses a SubjectCreatingPolicyInterceptor with elytron performs the login and there the SecurityIdentity is correctly executed but when the pushSubjectContext is called after that the original identity is lost (any extra attributes or other internal data).

The endpoint is something like the following:

@Stateless
@WebService(name = "echo",
        targetNamespace = "http://com.sample.redhat/ws",
        serviceName = "echo-service")
@Policy(placement = Policy.Placement.BINDING, uri = "WssUsernameToken10.xml")
@SOAPBinding(style = SOAPBinding.Style.RPC)
@EndpointProperties(value = {
    @EndpointProperty(key = "ws-security.validate.token", value = "false")
})
@InInterceptors(interceptors = {
    "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"
})
public class Echo {

    @Resource SessionContext ctx;
    
    @WebMethod
    @PermitAll
    public String echo(String input) {
        Message message = PhaseInterceptorChain.getCurrentMessage();
        SecurityContext context = message.get(SecurityContext.class);
        System.err.println("CXF user=" + context.getUserPrincipal().getName()); // CXF user
        System.err.println("JavaEE user=" + ctx.getCallerPrincipal().getName()); // JavaEE user

        SecurityDomain sd = SecurityDomain.getCurrent();
        if (sd != null && sd.getCurrentSecurityIdentity() != null) {
            SecurityIdentity si = sd.getCurrentSecurityIdentity();
            System.err.println("SecurityIdentity=" + si);
            System.err.println("attributes=" + StreamSupport.stream(si.getAttributes().entries().spliterator(), false).collect(Collectors.toMap(Attributes.Entry::getKey, Function.identity())));
            System.err.println("private-credentials=" + si.getPrivateCredentials().size());
            System.err.println("public-credentials=" + si.getPublicCredentials().size());
            System.err.println("created-time=" + si.getCreationTime());
            System.err.println("roles=" + StreamSupport.stream(si.getRoles().spliterator(), false).collect(Collectors.toList()));
        }

        String userName = ctx.getCallerPrincipal().getName();
        return userName + " -> " +  input;
    }
}

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

cxf-ws-auth.zip
17 kB
2021/03/04 4:35 AM

Issue Links

is cloned by

JBEAP-21113 [GSS](7.3.z) WFLY-14516 - SecurityIdentity is not re-used when using SubjectCreatingPolicyInterceptor in a CXF endpoint

Verified

SecurityIdentity is not re-used when using SubjectCreatingPolicyInterceptor in a CXF endpoint

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates