Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 8.0.0.GA-CR1, 8.0.0.GA
Affects Version/s: None
Component/s: EE, Security
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

8.0.0.GA
Workaround Description:

Hide

The solution involves checking for injection annotations, and determining if an injected object is from Jakarta Security. A basic PoC is attached as a patch applied to commit a9cd4c444b872ed84a919671a63dcb68e0f77218

[^51689add8d44c65afab78459e0e8520fb8d3a1fd.patch]

Show
The solution involves checking for injection annotations, and determining if an injected object is from Jakarta Security. A basic PoC is attached as a patch applied to commit a9cd4c444b872ed84a919671a63dcb68e0f77218 [^51689add8d44c65afab78459e0e8520fb8d3a1fd.patch]
Git Pull Request:
https://github.com/wildfly/wildfly/pull/16492
Steps to Reproduce:
Hide

See the custom-principal-elytron demo in elytron-examples (Note that the server's Elytron subsystem must implement the fixes from ~~ELY-2468~~). In summary:

Create an application which makes use of a custom principal within the Elytron authentication framework.

Within the app, attempt to retrieve the custom principal by invoking SecurityContext.getCallerPrincipal (see line 73)

Follow the instructions in the README to setup the necessary modules and configuration.

The application fails to deploy, as it neither uses a Jakarta Security annotation, or implements one of the classes.
Show
See the custom-principal-elytron demo in elytron-examples (Note that the server's Elytron subsystem must implement the fixes from ELY-2468 ). In summary: Create an application which makes use of a custom principal within the Elytron authentication framework. Within the app, attempt to retrieve the custom principal by invoking SecurityContext.getCallerPrincipal ( see line 73 ) Follow the instructions in the README to setup the necessary modules and configuration. The application fails to deploy, as it neither uses a Jakarta Security annotation, or implements one of the classes.
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Links:

EESecurityAnnotationProcessor does not enable the ee-security subsystem if a Jakarta Security interface is being injected. This can cause issues when a full implementation is not used (ex. jakarta.security.enterprise.SecurityContext).

Currently, the subsystem can be activate when Jakarta Security annotations are used, or if interfaces are implemented. The subsystem should also be enabled if one of those interfaces are injected.

clones

WFLY-17541 EESecurityAnnotationProcessor does not detect injections

Closed

depends on

JBEAP-24521 Update getRealmIdentity so that it attempts to convert the given Principal to NamePrincipal if necessary

Closed

relates to

WFCORE-5809 Add possibility to obtain custom principal from Elytron

Closed

Assignee:: Cameron Rodriguez (Inactive)

Reporter:: Farah Juma

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2023/02/01 5:17 PM

Updated:: 2024/02/26 1:53 PM

Resolved:: 2023/04/04 12:55 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates