WildFly issue WFLY-96

ejb-security-interceptors quickstart has several issues


Details

    • Bug
    • Resolution: Done
    • Major
    • 8.0.0.Alpha1
    • None
    • EJB
    • None

    Description

      The ejb-security-interceptors quickstarts should be improved a little bit:

      • root element of the jboss-ejb3.xml deployment descriptor should be <ejb-jar> (cf. AS7-6452)
      • DelegationLoginModule doesn't need the callbackHandler member variable; the parent class (AbstractServerLoginModule) holds it
      • possible EJBException from the invocationContext.proceed() call is not correctly propagated in the ServerSecurityInterceptor

      The correct part of ServerSecurityInterceptor code should look like:

      try {
          if (desiredUser != null && connectionUser != null
                  && (desiredUser.getName().equals(connectionUser.getName()) == false)) {
              // The final part of this check is to verify that the change does actually indicate a change in user.
              try {
                  // We have been requested to switch user and have successfully identified the user from the connection
                  // so now we attempt the switch.
                  cachedSecurityContext = SecurityActions.securityContextSetPrincipalInfo(desiredUser,
                          new OuterUserCredential(connectionUser));
                  // keep track that we switched the security context
                  contextSet = true;
                  SecurityActions.remotingContextClear();
              } catch (Exception e) {
                  logger.error("Failed to switch security context for user", e);
                  // Don't propagate the exception stacktrace back to the client for security reasons
                  throw new EJBAccessException("Unable to attempt switching of user.");
              }
          }
      
          return invocationContext.proceed();
      } finally {
          // switch back to original security context
          if (contextSet) {
              SecurityActions.securityContextSet(cachedSecurityContext);
          }
      }
      
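      Added example, not code from the quickstart or from this issue: a stand-alone Java model of the corrected interceptor shape above, with constructed stand-ins for SecurityActions, the security context and InvocationContext (none of them the WildFly APIs). It checks the two properties the fix relies on: an exception thrown by the bean reaches the caller with its type intact instead of being rewritten as EJBAccessException, and the caller's original security context is restored on that failure path too.

```java
import java.util.concurrent.Callable;

public class SwitchUserDemo {
    // Constructed stand-ins for the quickstart's SecurityActions / security context
    // and for InvocationContext; these are not the WildFly APIs.
    static String currentContext = "connection-user";

    static String securityContextSetPrincipalInfo(String desiredUser) {
        String previous = currentContext;
        currentContext = desiredUser;
        return previous;
    }

    static class EJBAccessException extends RuntimeException { EJBAccessException(String m) { super(m); } }

    // Same shape as the corrected ServerSecurityInterceptor: only the user switch sits
    // inside the catch-all, proceed() is outside it so a bean exception is not rewritten
    // as EJBAccessException, and finally restores the caller's context on every path.
    static Object aroundInvoke(String desiredUser, String connectionUser, Callable<Object> proceed) throws Exception {
        String cachedSecurityContext = null;
        boolean contextSet = false;
        try {
            if (desiredUser != null && connectionUser != null && !desiredUser.equals(connectionUser)) {
                try {
                    cachedSecurityContext = securityContextSetPrincipalInfo(desiredUser);
                    contextSet = true;
                } catch (Exception e) {
                    // message only; the cause stays server-side, as in the quickstart
                    throw new EJBAccessException("Unable to attempt switching of user.");
                }
            }
            return proceed.call();
        } finally {
            if (contextSet) {
                currentContext = cachedSecurityContext;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Happy path: the bean body sees the switched user; the caller's context is restored afterwards.
        Object result = aroundInvoke("admin", "connection-user", () -> "bean ran as " + currentContext);
        System.out.println(result + "; restored to " + currentContext);

        // Failure path: the bean throws; the exception reaches the caller unchanged and the context is still restored.
        try {
            aroundInvoke("admin", "connection-user", () -> { throw new IllegalStateException("bean failed"); });
        } catch (IllegalStateException e) {
            System.out.println("propagated " + e + "; restored to " + currentContext);
        }
    }
}
```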

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              josef.cacek@gmail.com Josef Cacek (Inactive)