Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Do
Priority: Critical
Fix Version/s: 7.0.10.GA
Affects Version/s: 7.0.6.GA
Component/s: EJB, Security
Labels:
- downstream_dependency

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1460347
Git Pull Request:
https://github.com/jbossas/jboss-eap7/pull/2023
Steps to Reproduce:
Hide

copy "other" security-domain to "jmx-console"

deploy SimpleEAR_EJB3.ear

hit http://localhost:8080/SimpleWar/Hello
Show
copy "other" security-domain to "jmx-console" deploy SimpleEAR_EJB3.ear hit http://localhost:8080/SimpleWar/Hello

SFDC Cases Counter:
SFDC Cases Links:

Description

Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.

An example might look like this:

unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin)

This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.

Attachments

Issue Links

clones

JBEAP-11462 [GSS] (7.1.x) EJB run-as identity gets lost if an unsecured ejb in the call stack

Verified

Activity

People

Assignee:: Bartosz Baranowski

Reporter:: Jiri Ondrusek

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017/06/19 3:09 AM

Updated:: 2019/11/05 4:06 PM

Resolved:: 2019/11/05 4:06 PM