Details
-
Bug
-
Resolution: Done
-
Blocker
-
7.1.0.ER2
-
None
Description
Wrong Elytron private credentials are used for forwarded identity, when re-authentication is used before forwarding.
Scenario:
Client --calls--> EJB (EntryBean) on server 1 --calls--> EJB (WhoAmIBean) on server 2
Both EJBs are protected. The Client uses valid username/password for the server 1.
The EntryBean uses Elytron client API to re-authenticate as another user and then calls the WhoAmIBean on server 2.
As a result the correct (re-authenticated) username is used for the call on server 2, but the private credential (PasswordCredential) from the original Client call is used. This is IMO not only wrong but also a security leak.
The code of the EntryBean looks like:
// Callable which calls WhoAmI bean on server 2 final Callable<String> callable = () -> { WhoAmI whoAmIBean = doRemoteJndiLookup(); return whoAmIBean.whoAmI(); }; // Callable which uses forwardedIdentity to authenticate on server 2 - and call the action (WhoAmI) final Callable<String> forwardIdentityCallable = () -> { return AuthenticationContext.empty() .with(MatchRule.ALL, AuthenticationConfiguration.empty().useForwardedIdentity(SecurityDomain.getCurrent()) .setSaslMechanismSelector(SaslMechanismSelector.ALL)) .runCallable(callable); }; // Re-authenticate as another user and use the forwardedIdentity to call WhoAmI bean on server 2 return SecurityDomain.getCurrent().authenticate("anotherUser", new PasswordGuessEvidence("anotherPassword".toCharArray())) .runAs(forwardIdentityCallable);
This issue was discovered in ER2, after the issues hiding this one (JBEAP-11377, JBEAP-11453) were fixed.
Attachments
Issue Links
- is caused by
-
-
- Resolved
-
- is incorporated by
-
JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3
-
- Verified
-
- is related to
-
-
- Verified
-
-
-
- Verified
-
