Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 9.0.0.CR2, 10.0.0.Alpha1
Affects Version/s: 9.0.0.CR1
Component/s: Web (Undertow)
Labels:

Steps to Reproduce:

Hide

A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java

Show
A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java
Git Pull Request:
https://github.com/wildfly/wildfly/pull/7431, https://github.com/wildfly/wildfly/pull/7432

Description

After having authenticated (via JASPIC or otherwise), calling HttpServletRequest#logout and then requesting the caller/user principal (all within the same request), Undertow (via e.g. WildFly 8.2 or 9.0rc1) will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

The problem seems to be that io.undertow.security.impl.SecurityContextImpl.logout() doesn't do anything with the security context that is used by the EJB container among others.

It now just contains the following:

this.account = null;
this.mechanismName = null;
this.authenticationState = AuthenticationState.NOT_ATTEMPTED;

Added the following code just before this seems to work:

// Clear old context
SecurityContextAssociation.clearSecurityContext();
SecurityRolesAssociation.setSecurityRoles(null);
	            		
// Set a new one in case re-authentication is done within the same thread
SecurityContext securityContext = SecurityContextFactory.createSecurityContext("other");
exchange.putAttachment(SECURITY_CONTEXT_ATTACHMENT, securityContext);

SecurityContextAssociation.setSecurityContext(securityContext);

// (existing clearing code)
this.account = null;
this.mechanismName = null;
this.authenticationState = AuthenticationState.NOT_ATTEMPTED;

Do note that this code uses the hardcoded domain "other". Except by using reflection I couldn't obtain the actual domain name at this point. The reflective code I used was:

String securityDomain = "other";

if (identityManager instanceof JAASIdentityManagerImpl) {
    try {
        Field securityDomainContextField = JAASIdentityManagerImpl.class.getDeclaredField("securityDomainContext");
        securityDomainContextField.setAccessible(true);
        SecurityDomainContext securityDomainContext = (SecurityDomainContext) securityDomainContextField.get(identityManager);

        securityDomain = securityDomainContext.getAuthenticationManager().getSecurityDomain();

    } catch (NoSuchFieldException | SecurityException | IllegalArgumentException | IllegalAccessException e) {
        logger.log(Level.SEVERE, "Can't obtain name of security domain, using 'other' now", e);
    }
}

Attachments

Activity

People

Assignee:: Stuart Douglas

Reporter:: Arjan t (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2015/05/06 10:14 AM

Updated:: 2017/12/06 11:19 AM

Resolved:: 2015/05/08 3:10 PM