Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11454

In-VM calls with authenticated SecurityIdentity.runAs(Callable c) fail to authorise for asynchronous EJB calls

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 7.1.0.ER3
    • 7.1.0.DR17, 7.1.0.DR18, 7.1.0.DR19
    • EJB, Security
    • None
    • Blocks Testing
    • Hide

      Run the following command in WildFly Test Suite Integration/Basic module with Elytron profile:

      mvn clean test -Dtest=AsynchronousSecurityTestCase#testAsynchSecurityMethod -Delytron -Dwildfly.tmp.enable.elytron.profile.tests
      Show
      Run the following command in WildFly Test Suite Integration/Basic module with Elytron profile: mvn clean test -Dtest=AsynchronousSecurityTestCase#testAsynchSecurityMethod -Delytron -Dwildfly.tmp.enable.elytron.profile.tests

    Description

      Upon attempt to Future.get of asynchronous method from EJB with authenticated SecurityIdentity in same VM as EJB, the method fails:

      asynchronous in-VM invocation
              Callable<Boolean> callable = () -> {
            Future<Boolean> future = securedBean.method();
            SecuredStatelessBean.startLatch.countDown();
            return future.get();
        };
        result = Util.switchIdentity("somebody", "password", callable);
        Assert.assertTrue(result);
      Util.switchIdentity
      final SecurityDomain securityDomain = SecurityDomain.getCurrent();
                if (securityDomain != null) {
                    // elytron is enabled, use the new way to switch the identity
                    final SecurityIdentity securityIdentity = securityDomain.authenticate(username, new PasswordGuessEvidence(password.toCharArray()));
                    initialAuthSucceeded = true;
                    return securityIdentity.runAs(callable);
                }
      exception
      javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.util.concurrent.Future org.jboss.as.test.integration.ejb.security.asynchronous.SecuredStatelessRemote.method() throws java.lang.InterruptedException,java.util.concurrent.ExecutionException of bean: SecuredStatelessBean is not allowed
	at org.jboss.as.ejb3.security.RolesAllowedInterceptor.processInvocation(RolesAllowedInterceptor.java:67)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:45)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:256)
	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
	at org.jboss.as.ejb3.remote.LocalEjbReceiver.lambda$processInvocation$0(LocalEjbReceiver.java:201)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:748)
	at org.jboss.threads.JBossThread.run(JBossThread.java:320)

      Invocation of synchronous method in the same bean with same credentials in Util.switchIdentity method will be successfully authorised.

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9080 EJB security tests are failing in AS TS with Elytron profile

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is caused by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1281 SecurityDomain.authenticate() propagates credentials inappropriately

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. ELY-1212 The forward identity should be captured in AuthenticationContextConfigurationClient.getAuthenticationConfiguration()

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11933 Security identity not propagated into asynchronous task (elytron)

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11459 Upgrade WildFly Elytron to 1.1.0.Beta54

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11931 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta30

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Task - Represents a small unit of work that is not end-user facing. JBEAP-11560 Fix tests which currently fail with -Dwildfly.tmp.enable.elytron.profile.tests

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9752 ClientLoginModule does not work with Elytron secured EJBs for In-VM Calls e.g. Servlet to Bean or Bean to Bean

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              dlloyd@redhat.com David Lloyd
              mjurc@redhat.com Michal Jurc
              Michal Jurc Michal Jurc
              Michal Jurc Michal Jurc
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: