Details
-
Bug
-
Resolution: Obsolete
-
Major
-
JBossAS-4.2.2.GA, JBossAS-4.2.3.GA
-
None
Description
I configured two EJBs to make use of the run-as security identity tag
The EJBS implement a class called AgentBean
When I use PolicyContext.getContext("javax.security.auth.Subject.container") within and AgentBean method it should return the RunAsIdentity of that method as declared in the run-as tag . it returns anonymous wihch is the current authenticated user.. not the one specified in run-as
When I looked at the source code in org.jboss.security.jacc.SubjectPolicyContexthandler
I saw this method call in lines 55 and 73
RunAsIdentity callerRunAsIdentity = (RunAsIdentity)
SecurityAssociation.peekRunAsIdentity(1);
What I did is to change the parameter from a value of 1 to a value of 0 so it peeks the top element in the stack
I patched Jboss with this modification and the PolicyContext.getContext("javax.security.auth.Subject.container") started returning the right values
So, do you think this is a bug in org.jboss.security.jacc.SubjectPolicyContexthandler
Why SecurityAssociation.peekRunAsIdentity is it being called with a parameter value of 1. That is looking two levels down in the stack isn't it?
Connfiguration of EJB is
ejb-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee">
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/editors</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for editors Partition</description>
<role-name>editors</role-name>
</run-as>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<mapped-name>ejb/assethouse/goya/process/agents/publishers</mapped-name>
<business-local>com.assethouse.goya.process.agent.Agent</business-local>
<ejb-class>com.assethouse.goya.process.agent.AgentBean</ejb-class>
<session-type>Stateless</session-type>
<timeout-method>
<method-name>startTask</method-name>
</timeout-method>
<security-identity>
<run-as>
<description>Group for publishers Partition</description>
<role-name>publishers</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>editors</role-name>
</security-role>
<security-role>
<role-name>publisher</role-name>
</security-role>
</assembly-descriptor>
</ejb-jar>
jboss.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 4_2//EN"
"http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
<security-domain>java:/jaas/process</security-domain>
<enterprise-beans>
<session>
<ejb-name>editors</ejb-name>
<security-identity>
<run-as-principal>editor</run-as-principal>
</security-identity>
</session>
<session>
<ejb-name>publishers</ejb-name>
<security-identity>
<run-as-principal>publisher</run-as-principal>
</security-identity>
</session>
</enterprise-beans>
<assembly-descriptor>
<security-role>
<role-name>publishers</role-name>
<principal-name>publisher</principal-name>
</security-role>
<security-role>
<role-name>editors</role-name>
<principal-name>editor</principal-name>
</security-role>
</assembly-descriptor>
</jboss>
Also configured the login-module with a new security domain with an UserRoleLoginModule plugin
roles.properties
publisher=publishers
editor=editors
user.properties
publisher=password
editor=password