Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-6579

When JASPIC's register session is used, Subject not propagated to EJB

    Details

      Description

      When the JASPIC 1.1 register session (javax.servlet.http.registerSession) is used, the authenticated identity (via the Subject) is not propagated to the EJB container.

      The problems seems to be with JASPICAuthenticationMechanism.createAccount. When a cached account is re-used, a null is passed for the Subject parameter in the call to jbossSct.getUtil().createSubjectInfo. This will set indeed set a SubjectInfo with subject being null.

      EJBContext#getCallerPrincipal checks exactly this subject, and when seeing a null will consider the user to be unauthenticated, even when the caller is authenticated in the web layer.

      See the code below:

         // SAM handled the same principal found in the cached account: indicates we must use the cached account.
              if (cachedAccount != null && cachedAccount.getPrincipal() == userPrincipal) {
                  // populate the security context using the cached account data.
                  jbossSct.getUtil().createSubjectInfo(
                      userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
                      null); // PROBLEMATIC NULL
                  RoleGroup roleGroup = new SimpleRoleGroup(SecurityConstants.ROLES_IDENTIFIER);
                  for (String role : cachedAccount.getRoles())
                      roleGroup.addRole(new SimpleRole(role));
                  jbossSct.getUtil().setRoles(roleGroup);
                  return cachedAccount;
              }
      

      Instead of passing a null, passing the existing subject as set by the JASPIC callback handler seems to work:

      jbossSct.getUtil().createSubjectInfo(
          userPrincipal, ((AccountImpl) cachedAccount).getCredential(), 
          jbossSct.getUtil().getSubject());
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  atijms arjan tijms
                • Votes:
                  2 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: