WildFly / WFLY-14516

SecurityIdentity is not re-used when using SubjectCreatingPolicyInterceptor in a CXF endpoint


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 23.0.0.Final
    • 23.0.0.Beta1
    • Web Services
    • None
      • Install wildfly 23 and configure it to use elytron (for example using the enable-elytron.cli cli file).
      • Create a user for the endpoint.
      ./add-user.sh -a -u sample -p password123 -g users,extras
      
      • Compile and package the attached cxf-ws-auth project.
      mvn clean package
      
      • Deploy in wildfly the resulting war.
      • Execute the sample:
      mvn exec:java
      
      • In the log, look for these messages; you will see that attributes and roles are empty:
      10:33:29,374 ERROR [stderr] (default task-1) CXF user=sample
      10:33:29,375 ERROR [stderr] (default task-1) JavaEE user=sample
      10:33:29,375 ERROR [stderr] (default task-1) SecurityIdentity=SecurityIdentity{principal=sample, securityDomain=org.wildfly.security.auth.server.SecurityDomain@3156e141, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='default', securityRealm=EMPTY_REALM}, creationTime=2021-03-04T09:33:29.350Z}
      10:33:29,376 ERROR [stderr] (default task-1) attributes={}
      10:33:29,376 ERROR [stderr] (default task-1) private-credentials=0
      10:33:29,376 ERROR [stderr] (default task-1) public-credentials=0
      10:33:29,376 ERROR [stderr] (default task-1) created-time=2021-03-04T09:33:29.350Z
      10:33:29,377 ERROR [stderr] (default task-1) roles=[]
      

      After WFLY-10480, the method pushSubjectContext unconditionally creates a new SecurityIdentity from the Subject passed to it.

      Therefore, when an endpoint uses a SubjectCreatingPolicyInterceptor with Elytron, the interceptor performs the login and the SecurityIdentity is correctly created there, but when pushSubjectContext is called afterwards the original identity is lost (together with any extra attributes or other internal data).

      The endpoint is something like the following:

      import java.util.function.Function;
      import java.util.stream.Collectors;
      import java.util.stream.StreamSupport;
      import javax.annotation.Resource;
      import javax.annotation.security.PermitAll;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;
      import javax.jws.WebMethod;
      import javax.jws.WebService;
      import javax.jws.soap.SOAPBinding;
      import org.apache.cxf.annotations.EndpointProperties;
      import org.apache.cxf.annotations.EndpointProperty;
      import org.apache.cxf.annotations.Policy;
      import org.apache.cxf.interceptor.InInterceptors;
      import org.apache.cxf.message.Message;
      import org.apache.cxf.phase.PhaseInterceptorChain;
      import org.apache.cxf.security.SecurityContext;
      import org.wildfly.security.auth.server.SecurityDomain;
      import org.wildfly.security.auth.server.SecurityIdentity;
      import org.wildfly.security.authz.Attributes;
      
      @Stateless
      @WebService(name = "echo",
              targetNamespace = "http://com.sample.redhat/ws",
              serviceName = "echo-service")
      @Policy(placement = Policy.Placement.BINDING, uri = "WssUsernameToken10.xml")
      @SOAPBinding(style = SOAPBinding.Style.RPC)
      @EndpointProperties(value = {
          // token validation is left to the interceptor below, which logs the user in against Elytron
          @EndpointProperty(key = "ws-security.validate.token", value = "false")
      })
      @InInterceptors(interceptors = {
          "org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"
      })
      public class Echo {
      
          @Resource SessionContext ctx;
          
          @WebMethod
          @PermitAll
          public String echo(String input) {
              // Principal as seen by CXF (from the interceptor) and by the EJB container
              Message message = PhaseInterceptorChain.getCurrentMessage();
              SecurityContext context = message.get(SecurityContext.class);
              System.err.println("CXF user=" + context.getUserPrincipal().getName()); // CXF user
              System.err.println("JavaEE user=" + ctx.getCallerPrincipal().getName()); // JavaEE user
      
              // Dump the Elytron identity that is current inside the EJB call: after the bug,
              // the identity has been replaced and its attributes and roles are empty
              SecurityDomain sd = SecurityDomain.getCurrent();
              if (sd != null && sd.getCurrentSecurityIdentity() != null) {
                  SecurityIdentity si = sd.getCurrentSecurityIdentity();
                  System.err.println("SecurityIdentity=" + si);
                  System.err.println("attributes=" + StreamSupport.stream(si.getAttributes().entries().spliterator(), false)
                          .collect(Collectors.toMap(Attributes.Entry::getKey, Function.identity())));
                  System.err.println("private-credentials=" + si.getPrivateCredentials().size());
                  System.err.println("public-credentials=" + si.getPublicCredentials().size());
                  System.err.println("created-time=" + si.getCreationTime());
                  System.err.println("roles=" + StreamSupport.stream(si.getRoles().spliterator(), false)
                          .collect(Collectors.toList()));
              }
      
              String userName = ctx.getCallerPrincipal().getName();
              return userName + " -> " +  input;
          }
      }
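The following is an added illustration, not code from WildFly or JBossWS: it models, with Elytron's public API, the two behaviours the description contrasts, building a fresh ad hoc identity from the Subject's principal (which discards the roles and attributes of the login, as the log lines above show) versus reusing the identity the interceptor's login already established. The class and method names are assumptions, and the code is meant to run inside the server where a SecurityDomain is current.

```java
import java.security.Principal;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;

// Hypothetical helper class; not part of WildFly.
public final class SubjectPushExample {

    // Assumption: the Subject carries exactly one principal set by the earlier login.
    private static Principal principalOf(Subject subject) {
        return subject.getPrincipals().stream().findFirst()
                .orElseThrow(() -> new IllegalStateException("Subject has no principal"));
    }

    // Lossy behaviour described in the report: always create a new identity from the
    // Subject. An ad hoc identity has an empty authorization identity, so roles and
    // attributes obtained during the real login are not carried over.
    static SecurityIdentity replaceIdentity(SecurityDomain domain, Subject subject) {
        return domain.createAdHocIdentity(principalOf(subject));
    }

    // Expected behaviour: keep the identity already established for this caller and only
    // fall back to an ad hoc identity when there is none or it belongs to someone else.
    static SecurityIdentity reuseIdentity(SecurityDomain domain, Subject subject) {
        Principal principal = principalOf(subject);
        SecurityIdentity current = domain.getCurrentSecurityIdentity();
        if (current != null && !current.isAnonymous()
                && current.getPrincipal().getName().equals(principal.getName())) {
            return current; // roles, attributes and credentials from the login survive
        }
        return domain.createAdHocIdentity(principal);
    }

    // Runs an endpoint-style check under the chosen identity and reports whether any role
    // is visible, mirroring the "roles=" line the reporter's endpoint prints.
    static boolean rolesVisible(SecurityDomain domain, Subject subject, boolean reuse) throws Exception {
        SecurityIdentity chosen = reuse ? reuseIdentity(domain, subject) : replaceIdentity(domain, subject);
        Callable<Boolean> endpoint = () -> {
            SecurityIdentity si = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
            return si.getRoles().iterator().hasNext();
        };
        return chosen.runAs(endpoint);
    }
}
```

With the user from the reproduction steps (groups users,extras), rolesVisible(..., false) reproduces the empty roles from the log, while rolesVisible(..., true) keeps them.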
      

      Assignee: Jim Ma (rhn-engineering-ema)
      Reporter: Ricardo Martin Camarero (rhn-support-rmartinc)