Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8568

Elytron outflow-security-domains doesn't work for Servlet-to-EJB calls

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • EJB, Security, Web (Undertow)
    • None
    • Hide

      => EJBAccessException (see attached server.log)

      When I try to call the same EJB but rather from the same deployment (`second`), it works correctly:
      http://localhost:8080/second/SecuredCallEjbServlet?jndiName=java:global/second/HelloBean

      Show
      use attached CLI script to configure Elytron realms and security domains deploy attached web applications open in browser http://localhost:8080/second/SecuredCallEjbServlet and authenticate as admin/admin => EJBAccessException (see attached server.log) When I try to call the same EJB but rather from the same deployment (`second`), it works correctly: http://localhost:8080/second/SecuredCallEjbServlet?jndiName=java:global/second/HelloBean

      Security context propagation with using Elytron outflow-security-domains attribute in security domain doesn't work for Servlet-to-EJB calls.

      This could also be a test configuration issue, but as there is not yet documentation covering this area, I can't guess what could be wrong in the scenario.

      1. I have 2 similar web applications with servlets and EJBs:

      • the `secured-webapp` is mapped to `web-tests` security domain
      • the `second` application is mapped to `second-domain` security domain

      2. Undertow and EJB subsystems maps the application domains `web-tests` and `second-domain` to Elytron domains with the same name.

      3. trust between the domains is defined in following way:

      /subsystem=elytron/security-domain=second-domain:write-attribute(name=outflow-security-domains,value=[web-tests])
      /subsystem=elytron/security-domain=second-domain:write-attribute(name=trusted-security-domains, value=[web-tests])
      /subsystem=elytron/security-domain=web-tests:write-attribute(name=trusted-security-domains, value=[second-domain])
      

      4. the test itself calls servlet from the `second` web application and it calls protected EJB from the `secured-webapp`.

      The EJB call fails with EJBAccessException

      14:30:04,631 ERROR [org.jboss.as.ejb3.invocation] (default task-3) WFLYEJB0034: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed
      

              Unassigned Unassigned
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: