WildFly / WFLY-17541

EESecurityAnnotationProcessor does not detect injections

See the custom-principal-elytron demo in elytron-examples (note that the server's Elytron subsystem must include the fixes from ELY-2468). In summary:

1. Create an application which makes use of a custom principal within the Elytron authentication framework.
2. Within the app, attempt to retrieve the custom principal by invoking SecurityContext.getCallerPrincipal (see line 73).
3. Follow the instructions in the README to set up the necessary modules and configuration.
4. The application fails to deploy, as it neither uses a Jakarta Security annotation nor implements one of the Jakarta Security interfaces.
The solution involves checking for injection annotations and determining whether an injected object is from Jakarta Security. A basic PoC is attached as a patch applied to commit a9cd4c444b872ed84a919671a63dcb68e0f77218:

51689add8d44c65afab78459e0e8520fb8d3a1fd.patch

EESecurityAnnotationProcessor does not enable the ee-security subsystem if a Jakarta Security interface is being injected. This can cause issues when a full implementation is not used (for example, jakarta.security.enterprise.SecurityContext).

Currently, the subsystem is activated when Jakarta Security annotations are used or when one of its interfaces is implemented. The subsystem should also be enabled if one of those interfaces is injected.
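To make the gap concrete, the following added example (not WildFly's code and not the attached patch) models the three activation checks named in the solution and the description: the existing annotation and implemented-interface checks, plus the missing injection-point check. It is a simplification: WildFly's processor scans the deployment's Jandex index, whereas this uses plain reflection on loaded classes. It assumes the jakarta.inject and jakarta.security.enterprise API jars are on the classpath; the class, method and enum names are invented for illustration, and CallerLookup is a constructed sample in the shape the reproduction steps describe.

```java
import jakarta.inject.Inject;
import jakarta.security.enterprise.SecurityContext;

import java.lang.annotation.Annotation;
import java.lang.reflect.Constructor;
import java.lang.reflect.Executable;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.security.Principal;

// Hypothetical, simplified model of the activation checks; not WildFly's processor.
public final class JakartaSecurityUsageScanner {

    // Every type under this package belongs to the Jakarta Security API.
    private static final String API_PACKAGE_PREFIX = "jakarta.security.enterprise.";

    public enum Activation { ANNOTATION, IMPLEMENTED_INTERFACE, INJECTION, NONE }

    private static boolean isJakartaSecurityType(Class<?> type) {
        return type.getName().startsWith(API_PACKAGE_PREFIX);
    }

    // Check 1 (already present per the issue): a Jakarta Security annotation on the class.
    static boolean usesJakartaSecurityAnnotation(Class<?> clazz) {
        for (Annotation annotation : clazz.getAnnotations()) {
            if (isJakartaSecurityType(annotation.annotationType())) {
                return true;
            }
        }
        return false;
    }

    // Check 2 (already present): the class implements a Jakarta Security interface.
    static boolean implementsJakartaSecurityInterface(Class<?> clazz) {
        for (Class<?> iface : clazz.getInterfaces()) {
            if (isJakartaSecurityType(iface)) {
                return true;
            }
        }
        return false;
    }

    // Check 3 (the one the issue asks for): a Jakarta Security type at an @Inject point,
    // covering field, initializer-method and constructor injection.
    static boolean injectsJakartaSecurityType(Class<?> clazz) {
        for (Field field : clazz.getDeclaredFields()) {
            if (field.isAnnotationPresent(Inject.class) && isJakartaSecurityType(field.getType())) {
                return true;
            }
        }
        for (Method method : clazz.getDeclaredMethods()) {
            if (hasJakartaSecurityParameter(method)) {
                return true;
            }
        }
        for (Constructor<?> ctor : clazz.getDeclaredConstructors()) {
            if (hasJakartaSecurityParameter(ctor)) {
                return true;
            }
        }
        return false;
    }

    private static boolean hasJakartaSecurityParameter(Executable executable) {
        if (!executable.isAnnotationPresent(Inject.class)) {
            return false;
        }
        for (Class<?> parameterType : executable.getParameterTypes()) {
            if (isJakartaSecurityType(parameterType)) {
                return true;
            }
        }
        return false;
    }

    public static Activation classify(Class<?> clazz) {
        if (usesJakartaSecurityAnnotation(clazz)) return Activation.ANNOTATION;
        if (implementsJakartaSecurityInterface(clazz)) return Activation.IMPLEMENTED_INTERFACE;
        if (injectsJakartaSecurityType(clazz)) return Activation.INJECTION;
        return Activation.NONE;
    }

    // Constructed sample: no annotation, no implemented interface, only an injected
    // SecurityContext used to fetch the caller principal, as in the reproduction steps.
    static class CallerLookup {
        @Inject
        private SecurityContext securityContext;

        Principal caller() {
            return securityContext.getCallerPrincipal();
        }
    }

    public static void main(String[] args) {
        // With checks 1 and 2 alone CallerLookup is NONE, so the subsystem would stay off;
        // with check 3 it is INJECTION.
        System.out.println(classify(CallerLookup.class));
    }
}
```

The injection check is deliberately keyed on the declared type of the injection point rather than on the runtime object, because at deployment time no instance exists yet; that mirrors why a static scan (annotations, interfaces, injection points) is the right place to decide whether to enable ee-security.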

rh-ee-jrodri Jessica Rodriguez
