  1. WildFly Core
  2. WFCORE-3658

Security context propagation using Elytron API doesn't work for EJB to protected Servlet scenario

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Critical
    • Resolution: Rejected
    • Affects Version/s: None
    • Fix Version/s: 5.0.0.Alpha1
    • Component/s: Security
    • Labels:
      None

      Description

      One of the scenarios expected to work in Elytron is security context propagation from a protected EJB to a protected Servlet using HttpURLConnection (details in RFE EAP7-284).

      The scenario doesn't work for me. My configuration:

      EJB client ->  protected EJB on server-1 -> protected Servlet on server-2 (BASIC authn)
      

      The EJB contains the following code:

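      // HTTP call from the EJB on server-1 to the protected servlet on server-2
      final Callable<String> callable = () -> {
          URLConnection conn = url.openConnection();
          conn.connect();
          try (InputStream is = conn.getInputStream()) {
              return IOUtils.toString(is, StandardCharsets.UTF_8);
          }
      };
      
      // Run the call under an authentication context that forwards the identity
      // of the current security domain for every target (MatchRule.ALL)
      AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty()
          .useForwardedIdentity(SecurityDomain.getCurrent())
          .setSaslMechanismSelector(SaslMechanismSelector.ALL))
          .runCallable(callable);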
      

      The server-2 returns 401:

      java.io.IOException: Server returned HTTP response code: 401 for URL: http://127.0.0.1:8180/seccontext-server2/whoAmI
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
      	at org.wildfly.test.manual.elytron.seccontext.EntryBean.lambda$readUrl$1(EntryBean.java:69)
      

      There is still a chance that the problem is in the scenario configuration, but the documentation is silent about this topic.

      The problem could be in a missing integration of ElytronAuthenticator within the AuthenticationContext. I don't see it used when I debug the scenario. When I register the authenticator manually, I see another problem which will be reported in a separate JIRA.
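
The report above turns on how `HttpURLConnection` answers a BASIC challenge: the JDK consults the default `java.net.Authenticator`, so a 401 is returned to the caller when none is registered. The following is an added example, not code from this issue or from WildFly; it uses only JDK classes (no Elytron), and the local server, realm name and credentials are constructed stand-ins for server-2.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class BasicChallengeDemo {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the BASIC-protected servlet on server-2.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/whoAmI", ex -> {
            byte[] body = ex.getPrincipal().getUsername().getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        }).setAuthenticator(new BasicAuthenticator("demo-realm") {
            @Override
            public boolean checkCredentials(String user, String pass) {
                return "demo-user".equals(user) && "demo-pass".equals(pass); // constructed credentials
            }
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/whoAmI");
        // 1) No default Authenticator registered: the 401 challenge goes unanswered.
        System.out.println("without authenticator: " + read(url));
        // 2) A registered Authenticator is asked for credentials and the request is retried.
        Authenticator.setDefault(new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication("demo-user", "demo-pass".toCharArray());
            }
        });
        System.out.println("with authenticator: " + read(url));
        server.stop(0);
    }
    static String read(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try (InputStream is = conn.getInputStream()) {
            return new String(is.readAllBytes(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            return "HTTP " + conn.getResponseCode(); // status of the failed request
        }
    }
}
```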

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  olukas Ondrej Lukas
                  Tester:
                  Martin Svehla
                • Votes:
                  0
                  Watchers:
                  3
