JBoss Enterprise Application Platform: JBEAP-6282

[GSS](7.0.z) Security context is not always correctly propagated from web container to EJB container when using a JASPIC security domain


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.0.4.CR1, 7.0.4.GA
    • Affects Version/s: 7.0.1.GA
    • Component/s: Security
    • Labels: None
    • Steps to Reproduce:

      [SETUP]
      1. Build the test project (cfr. attached).
      2. Start the EAP7 instance.
      3. Add the module to the EAP7 instance using the CLI:
         module add --name=be.smals.jaspic.sam --slot=main --resources=C:\dev\sources\spike-jaspic-ejb\jaspic-ejb-sam\target\jaspic-ejb-sam-1.0-SNAPSHOT.jar --dependencies=[javax.api,javax.security.auth.message.api, org.slf4j,javaee.api]
      4. Add the JASPI security domain:
         /subsystem=security/security-domain=jaspi-test:add(cache-type=default)
         /subsystem=security/security-domain=jaspi-test/authentication=jaspi:add(auth-modules=[{"code"=>"be.smals.jaspic.DemoServerAuthModule", "flag"=>"required", "module"=>"be.smals.jaspic.sam"}])
      5. Deploy the test webapp to the application server.

      [REPRODUCE]
      1. Open a browser and go to http://localhost:8080/jaspic-web/protected?authtoken=testuser|admin
      2. The browser should show a page displaying the "testuser" username and the fact that you have an "admin" role.
      3. On the console of the application server, the PrincipalDumper EJB should have generated the following output:
         13:41:52,821 INFO [be.smals.PrincipalDumper] (default task-8) principal calling EJB: testuser
      4. Refresh the page - you now get the following stack trace (quoted in the Description below).
    • EAP 7.0.4

    Description

      It seems that the security context is not always correctly propagated from web container to EJB container when using a JASPIC security domain (custom JASPI SAM).
      We have developed a simple security module to validate if a JASPI SAM could help us integrate web applications that are deployed on our JBoss instances with our IDP over a custom protocol.
      When accessing a protected web page which is in turn calling an EJB that has some security defined on a method that is called (@RolesAllowed("admin")):
      1. For the first call: the user is authenticated, is given the correct roles and can access the JSP and the EJB without any problems.
      2. For subsequent calls, the user is authenticated, has the correct roles to access the JSP, but when calling the EJB, a stack trace is thrown with error message "WFLYEJB0034: EJB Invocation failed on component PrincipalDumper for method public void be.smals.PrincipalDumper.logPrincipal(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User"

      This seems to be very similar to the problem described in https://issues.jboss.org/browse/WFLY-4626.
      The included source code is simply using HTTP request parameters to pass the credentials to the JASPI login module. It is clear that this is only for prototyping / testing purposes.

      2016-09-08 13:46:43,602 ERROR [org.jboss.as.ejb3.invocation] (default task-12) WFLYEJB0034: EJB Invocation failed on component PrincipalDumper for method public void be.smals.PrincipalDumper.logPrincipal(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
      at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
      at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
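To make the reproduction concrete, the following is an added example, not the reporter's attached project (whose sources are not on this page): a minimal JASPIC ServerAuthModule of the kind the description refers to, which reads the prototype-only authtoken=<user>|<role> request parameter and establishes the caller principal and roles through the container's CallbackHandler, together with the @RolesAllowed("admin") PrincipalDumper EJB that the protected page calls. The class and package names follow the issue; the method bodies, file paths, and the comma-separated multi-role form of the token are assumptions. The web app is assumed to reference the jaspi-test security domain from setup step 4 in jboss-web.xml and to protect /protected with a web.xml security constraint.

```java
// File 1 (assumed path): jaspic-ejb-sam/src/main/java/be/smals/jaspic/DemoServerAuthModule.java
// Constructed stand-in for the SAM named in the issue; not the attached project's code.
package be.smals.jaspic;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DemoServerAuthModule implements ServerAuthModule {
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // container-supplied; the module hands identity back through it
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // Prototype-only credential transport, as the issue states: ?authtoken=<user>|<role>[,<role>...]
        String token = request.getParameter("authtoken");
        int sep = token == null ? -1 : token.indexOf('|');
        if (sep <= 0 || sep == token.length() - 1) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE; // no identity established; the request is refused
        }
        String user = token.substring(0, sep);
        String[] roles = token.substring(sep + 1).split(",");

        try {
            // These callbacks establish the caller principal and roles in the web container.
            // The issue is that this identity reaches the EJB container on the first request only.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, roles)
            });
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException("callback handling failed: " + e.getMessage());
            ae.initCause(e);
            throw ae;
        }
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS; // nothing to add to the response
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}

// File 2 (assumed path): jaspic-web/src/main/java/be/smals/PrincipalDumper.java
// Constructed stand-in for the EJB named in the issue's log line and stack trace.
package be.smals;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Stateless
public class PrincipalDumper {
    private static final Logger LOG = LoggerFactory.getLogger(PrincipalDumper.class);

    @Resource
    private SessionContext ctx;

    // The EJB container checks the propagated identity on every invocation; in the failing case the
    // container's SecurityContextInterceptor (see the stack trace) raises WFLYSEC0027 before this runs.
    @RolesAllowed("admin")
    public void logPrincipal() {
        LOG.info("principal calling EJB: {}", ctx.getCallerPrincipal().getName());
    }
}
```

With this shape, the two observations the report relies on line up: on the first request the log line "principal calling EJB: testuser" appears, while on the refresh the page still renders the username (the web tier's identity is intact) but the EJB call fails in SecurityContextInterceptor before logPrincipal() runs. Seeing both at once is what isolates the defect to web-to-EJB propagation rather than to the SAM itself.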

People

    Assignee: spyrkob (Bartosz Spyrko-Smietanko)
    Reporter: rhn-support-dehort (Derek Horton)

Time Tracking

    Original Estimate: 2d 4h
    Remaining Estimate: 0m
    Time Spent: 2h