Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-2847

Caller's security identity doesn't get propagated by default

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Obsolete
    • 8.0.0.CR1, 8.1.0.CR2
    • 11.0.0.Alpha1
    • EJB, Security
    • None

    Description

      3 session beans: @RunAs("printer") Printer, which calls HelperBean (no security annotations), which calls @RolesAllowed("printer") Toner. The last invocation results in
      javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.runas.propagation.Toner.spill() of bean: Toner is not allowed

      Printer calling Toner (directly) works just fine. And if the HelperBean is a CDI managed bean, it works just fine too.

      According to EJB spec, 12 Security management, 12.1 Overview:

      "By default, the caller principal will be propagated as the caller identity. The Bean Provider can use the RunAs annotation to specify that a security principal that has been assigned to a specified security role be used instead. See Section 12.3.4."

      12.3.4 Specification of Security Identities in the Deployment Descriptor:

      "The Bean Provider or Application Assembler typically specifies whether the caller’s security identity should be used for the execution of the methods of an enterprise bean or whether a specific run-as identity should be used. By default the caller’s security identity is used."

      etc.

      @Stateless
      @RunAs("printer")
      @PermitAll
      public class Printer {
          @EJB
          HelperBean hb;
      
          public void invokeHelperBean() {
              hb.invokeToner();
          }
      }
      
      @Stateful
      public class HelperBean {
          @EJB
          Toner toner;
      
          public void invokeToner() {
              toner.spill();
          }
      }
      
      @Stateless
      @RolesAllowed("printer")
      public class Toner {
          public void spill() {}
      }
      

      A bit sophisticated test available at: https://github.com/bafco/wildfly/commits/securityContext

      Attachments

        Issue Links

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              bafco Matus Abaffy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: